Add OpenSSF Scorecards GitHub Action #48570
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lithomas1
reviewed
Sep 16, 2022
|
@lithomas1 Done. |
mroeschke
reviewed
Sep 19, 2022
.github/workflows/scorecards.yml
Outdated
|
|
||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2 |
There was a problem hiding this comment.
Curious, could we just specify the tags instead of the commit hashes here (that's what we do for other actions)
There was a problem hiding this comment.
The OpenSSF recommends pinning to hashes instead of versions in order to protect against tag-renaming attacks (whereby an attacker hijacks an action, uploads a malicious version and replaces an existing tag with the malicious version). However, we're aware there are pros and cons to this approach, so if you prefer I can modify the workflow to use versions instead of hashes.
There was a problem hiding this comment.
I think we would prefer using the tags for consistency with other workflows. We can look into using hashes for all of our workflows in the future.
mroeschke
approved these changes
Sep 19, 2022
|
@mroeschke I'm not sure why the CircleCI tests are failing. Seems to be missing python tests? I've noticed a few other recent PRs with the same failures (#48658, #48621), was this solved? |
Can you merge main? |
lithomas1
approved these changes
Sep 20, 2022
|
thanks @pnacht |
|
This is failing on main. Is there a quick fix? Otherwise I would propose reverting till this is fixed https://github.com/pandas-dev/pandas/actions/runs/3092278697/jobs/5003363101 |
|
Yes, this should be quick to fix. Many apologies! I'll write a new PR with a fix in a few minutes. |
phofl
pushed a commit
to phofl/pandas
that referenced
this pull request
Sep 22, 2022
* Create scorecards.yml * Update scorecards.yml * Add OpenSSF Scorecards badge to README.md * Trim whitespace in scorecards.yml * Skip scorecards.yml on forks * Fix whitespace * Pin scorecards.yml dependencies to major versions
mroeschke
added a commit
that referenced
this pull request
Sep 26, 2022
…8662) * BUG: Series.getitem not falling back to positional for bool index * Update pandas/tests/series/indexing/test_getitem.py Co-authored-by: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com> * Fix build warning for use of `strdup` in ultrajson (#48369) * WEB: Update versions json to fix version switcher in the docs (#48655) * PERF: join/merge on subset of MultiIndex (#48611) * DOC: Update documentation for date_range(), bdate_range(), and interval_range() to include timedelta as a possible data type for the freq parameter (#48631) * Update documentation for date_range(), bdate_range(), and interval_range() to include timedelta as a possible data type for the freq parameter * Add test case for date_range construction using datetime.timedelta * TYP: tighten Axis (#48612) * TYP: tighten Axis * allow 'rows' * BUG: Fix metadata propagation in df.corr and df.cov, GH28283 (#48616) * Add finalize to df.corr and df.cov * Clean * TST: add test case for PeriodIndex in HDFStore(GH7796) (#48618) * TST: add test case for PeriodIndex in HDFStore * TST: add test case for PeriodIndex in HDFStore * use pytest.mark.parameterize instead * Add OpenSSF Scorecards GitHub Action (#48570) * Create scorecards.yml * Update scorecards.yml * Add OpenSSF Scorecards badge to README.md * Trim whitespace in scorecards.yml * Skip scorecards.yml on forks * Fix whitespace * Pin scorecards.yml dependencies to major versions * ENH: move an exception and add a prehook to check for exception place… (#48088) * ENH: move an exception and add a prehook to check for exception placement * ENH: fix import * ENH: revert moving error * ENH: add docstring and fix import for test * ENH: re-design approach based on feedback * ENH: update whatsnew rst * ENH: apply feedback changes * ENH: refactor to remove exception_warning_list and ignore _version.py * ENH: remove NotThisMethod from tests and all * REGR: TextIOWrapper raising an error in read_csv (#48651) * REGR: TextIOWrapper raising an error in read_csv * pyupgrade * do not try to seek on unseekable buffers * unseekable buffer might also have read ahead * safer alternative: do not mess with internal/private(?) buffer of TextIOWrapper (effectively applies the shortcut only to files pandas opens) * Fix scorecard.yml workflow (#48668) * Set scorecard-action to v2.0.3 scorecard-action does not have a major version tag. Temporarily disabling github.repository check to ensure action now works. * Enable github.repository check * BUG: DatetimeIndex ignoring explicit tz=None (#48659) * BUG: DatetimeIndex ignoring explicit tz=None * GH ref * Corrected pd.merge indicator type hint (#48677) * Corrected pd.merge indicator type hint https://pandas.pydata.org/docs/reference/api/pandas.merge.html It should be "str | bool" instead of just string * Update merge.py fixed type hint in merge.py * Update merge.py Update indicator type hint in _MergeOperation * Update merge.py Added type hint _MergeOperation init * DOC: Document default value for options.display.max_cols when not running in terminal (#48672) DOC: Document default value for options.display.max_cols display.max_cols has a default value of 20 when not running in a terminal such as Jupyter Notebook * ENH: DTA/TDA add datetimelike scalar with mismatched reso (#48669) * ENH: DTA/TDA add datetimelike scalar with mismatched reso * mypy fixup * REF: support reso in remaining tslibs helpers (#48661) * REF: support reso in remaining tslibs helpers * update setup.py * PERF: Avoid fragmentation of DataFrame in read_sas (#48603) * PERF: Avoid fragmentation of DataFrame in read_sas * Add whatsnew * Add warning * DOC: Add deprecation infos to deprecated functions (#48599) * DOC: Add deprecation infos to deprecated functions * Add sections * Fix * BLD: Build wheels using cibuildwheel (#48283) * BLD: Build wheels using cibuildwheel * update from code review Co-Authored-By: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com> * fix 3.11 version * changes from code review * Update test_wheels.py * sync run time with pandas-wheels Co-authored-by: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com> * REGR: Performance decrease in factorize (#48620) * TYP: type all arguments with str default values (#48508) * TYP: type all arguments with str default values * na_rep: back to str * na(t)_rep is always a string * add float for some functions * and the same for the few float default arguments * define a few more literal constants * avoid itertools.cycle mypy error * revert mistake * TST: Catch more pyarrow PerformanceWarnings (#48699) * REGR: to_hdf raising AssertionError with boolean index (#48696) * REGR: to_hdf raising AssertionError with boolean index * Add gh ref * REGR: Regression in DataFrame.loc when setting df with all True indexer (#48711) * BUG: pivot_table raising for nullable dtype and margins (#48714) * TST: Address MPL 3.6 deprecation warnings (#48695) * TST: Address MPL 3.6 deprecation warnings * Address min build * missing () Co-authored-by: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com> Co-authored-by: Ralf Gommers <ralf.gommers@gmail.com> Co-authored-by: Marc Garcia <garcia.marc@gmail.com> Co-authored-by: Luke Manley <lukemanley@gmail.com> Co-authored-by: Siddhartha Gandhi <siddhartha.a.gandhi@gmail.com> Co-authored-by: Torsten Wörtwein <twoertwein@users.noreply.github.com> Co-authored-by: Xiao Yuan <yuanx749@gmail.com> Co-authored-by: paradox-lab <57354735+paradox-lab@users.noreply.github.com> Co-authored-by: Pedro Nacht <15221358+pnacht@users.noreply.github.com> Co-authored-by: dataxerik <dsshar@gmail.com> Co-authored-by: jbrockmendel <jbrockmendel@gmail.com> Co-authored-by: Pablo <48098178+PabloRuizCuevas@users.noreply.github.com> Co-authored-by: tmoschou <5567550+tmoschou@users.noreply.github.com> Co-authored-by: Thomas Li <47963215+lithomas1@users.noreply.github.com> Co-authored-by: Richard Shadrach <45562402+rhshadrach@users.noreply.github.com>
noatamir
pushed a commit
to noatamir/pandas
that referenced
this pull request
Nov 9, 2022
* Create scorecards.yml * Update scorecards.yml * Add OpenSSF Scorecards badge to README.md * Trim whitespace in scorecards.yml * Skip scorecards.yml on forks * Fix whitespace * Pin scorecards.yml dependencies to major versions
noatamir
pushed a commit
to noatamir/pandas
that referenced
this pull request
Nov 9, 2022
…ndas-dev#48662) * BUG: Series.getitem not falling back to positional for bool index * Update pandas/tests/series/indexing/test_getitem.py Co-authored-by: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com> * Fix build warning for use of `strdup` in ultrajson (pandas-dev#48369) * WEB: Update versions json to fix version switcher in the docs (pandas-dev#48655) * PERF: join/merge on subset of MultiIndex (pandas-dev#48611) * DOC: Update documentation for date_range(), bdate_range(), and interval_range() to include timedelta as a possible data type for the freq parameter (pandas-dev#48631) * Update documentation for date_range(), bdate_range(), and interval_range() to include timedelta as a possible data type for the freq parameter * Add test case for date_range construction using datetime.timedelta * TYP: tighten Axis (pandas-dev#48612) * TYP: tighten Axis * allow 'rows' * BUG: Fix metadata propagation in df.corr and df.cov, GH28283 (pandas-dev#48616) * Add finalize to df.corr and df.cov * Clean * TST: add test case for PeriodIndex in HDFStore(GH7796) (pandas-dev#48618) * TST: add test case for PeriodIndex in HDFStore * TST: add test case for PeriodIndex in HDFStore * use pytest.mark.parameterize instead * Add OpenSSF Scorecards GitHub Action (pandas-dev#48570) * Create scorecards.yml * Update scorecards.yml * Add OpenSSF Scorecards badge to README.md * Trim whitespace in scorecards.yml * Skip scorecards.yml on forks * Fix whitespace * Pin scorecards.yml dependencies to major versions * ENH: move an exception and add a prehook to check for exception place… (pandas-dev#48088) * ENH: move an exception and add a prehook to check for exception placement * ENH: fix import * ENH: revert moving error * ENH: add docstring and fix import for test * ENH: re-design approach based on feedback * ENH: update whatsnew rst * ENH: apply feedback changes * ENH: refactor to remove exception_warning_list and ignore _version.py * ENH: remove NotThisMethod from tests and all * REGR: TextIOWrapper raising an error in read_csv (pandas-dev#48651) * REGR: TextIOWrapper raising an error in read_csv * pyupgrade * do not try to seek on unseekable buffers * unseekable buffer might also have read ahead * safer alternative: do not mess with internal/private(?) buffer of TextIOWrapper (effectively applies the shortcut only to files pandas opens) * Fix scorecard.yml workflow (pandas-dev#48668) * Set scorecard-action to v2.0.3 scorecard-action does not have a major version tag. Temporarily disabling github.repository check to ensure action now works. * Enable github.repository check * BUG: DatetimeIndex ignoring explicit tz=None (pandas-dev#48659) * BUG: DatetimeIndex ignoring explicit tz=None * GH ref * Corrected pd.merge indicator type hint (pandas-dev#48677) * Corrected pd.merge indicator type hint https://pandas.pydata.org/docs/reference/api/pandas.merge.html It should be "str | bool" instead of just string * Update merge.py fixed type hint in merge.py * Update merge.py Update indicator type hint in _MergeOperation * Update merge.py Added type hint _MergeOperation init * DOC: Document default value for options.display.max_cols when not running in terminal (pandas-dev#48672) DOC: Document default value for options.display.max_cols display.max_cols has a default value of 20 when not running in a terminal such as Jupyter Notebook * ENH: DTA/TDA add datetimelike scalar with mismatched reso (pandas-dev#48669) * ENH: DTA/TDA add datetimelike scalar with mismatched reso * mypy fixup * REF: support reso in remaining tslibs helpers (pandas-dev#48661) * REF: support reso in remaining tslibs helpers * update setup.py * PERF: Avoid fragmentation of DataFrame in read_sas (pandas-dev#48603) * PERF: Avoid fragmentation of DataFrame in read_sas * Add whatsnew * Add warning * DOC: Add deprecation infos to deprecated functions (pandas-dev#48599) * DOC: Add deprecation infos to deprecated functions * Add sections * Fix * BLD: Build wheels using cibuildwheel (pandas-dev#48283) * BLD: Build wheels using cibuildwheel * update from code review Co-Authored-By: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com> * fix 3.11 version * changes from code review * Update test_wheels.py * sync run time with pandas-wheels Co-authored-by: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com> * REGR: Performance decrease in factorize (pandas-dev#48620) * TYP: type all arguments with str default values (pandas-dev#48508) * TYP: type all arguments with str default values * na_rep: back to str * na(t)_rep is always a string * add float for some functions * and the same for the few float default arguments * define a few more literal constants * avoid itertools.cycle mypy error * revert mistake * TST: Catch more pyarrow PerformanceWarnings (pandas-dev#48699) * REGR: to_hdf raising AssertionError with boolean index (pandas-dev#48696) * REGR: to_hdf raising AssertionError with boolean index * Add gh ref * REGR: Regression in DataFrame.loc when setting df with all True indexer (pandas-dev#48711) * BUG: pivot_table raising for nullable dtype and margins (pandas-dev#48714) * TST: Address MPL 3.6 deprecation warnings (pandas-dev#48695) * TST: Address MPL 3.6 deprecation warnings * Address min build * missing () Co-authored-by: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com> Co-authored-by: Ralf Gommers <ralf.gommers@gmail.com> Co-authored-by: Marc Garcia <garcia.marc@gmail.com> Co-authored-by: Luke Manley <lukemanley@gmail.com> Co-authored-by: Siddhartha Gandhi <siddhartha.a.gandhi@gmail.com> Co-authored-by: Torsten Wörtwein <twoertwein@users.noreply.github.com> Co-authored-by: Xiao Yuan <yuanx749@gmail.com> Co-authored-by: paradox-lab <57354735+paradox-lab@users.noreply.github.com> Co-authored-by: Pedro Nacht <15221358+pnacht@users.noreply.github.com> Co-authored-by: dataxerik <dsshar@gmail.com> Co-authored-by: jbrockmendel <jbrockmendel@gmail.com> Co-authored-by: Pablo <48098178+PabloRuizCuevas@users.noreply.github.com> Co-authored-by: tmoschou <5567550+tmoschou@users.noreply.github.com> Co-authored-by: Thomas Li <47963215+lithomas1@users.noreply.github.com> Co-authored-by: Richard Shadrach <45562402+rhshadrach@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #48566
As per the linked issue, this PR adds the OpenSSF Scorecards GitHub Action, which automatically checks the repo's supply-chain security processes and reports results to the repo's Security dashboard.
I have also taken the liberty of adding a badge to the README.md displaying the project's score. This badge is strictly optional and can be easily removed, just say the word!