
Add OpenSSF Scorecards GitHub Action #48570

Merged
merged 10 commits into from
Sep 20, 2022

Conversation

pnacht
Contributor

@pnacht pnacht commented Sep 15, 2022

Closes #48566

As per the linked issue, this PR adds the OpenSSF Scorecards GitHub Action, which automatically checks the repo's supply-chain security processes and reports results to the repo's Security dashboard.

I have also taken the liberty of adding a badge to the README.md displaying the project's score. This badge is strictly optional and can be easily removed, just say the word!

Member

@lithomas1 lithomas1 left a comment


Looks good in general. Can you disable the workflow for forks, by adding an `if: github.repository == "pandas-dev/pandas"` somewhere?

Thanks.

@lithomas1 lithomas1 added the CI Continuous Integration label Sep 16, 2022
@lithomas1 lithomas1 added this to the 1.6 milestone Sep 16, 2022
@pnacht
Contributor Author

pnacht commented Sep 16, 2022

@lithomas1 Done.

Review comment on the workflow's checkout step:

```yaml
    steps:
      - name: "Checkout code"
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
```

Member


Curious, could we just specify the tags instead of the commit hashes here (that's what we do for other actions)

Contributor Author


The OpenSSF recommends pinning to hashes instead of versions in order to protect against tag-renaming attacks (whereby an attacker hijacks an action, uploads a malicious version and replaces an existing tag with the malicious version). However, we're aware there are pros and cons to this approach, so if you prefer I can modify the workflow to use versions instead of hashes.

Member


I think we would prefer using the tags for consistency with other workflows. We can look into using hashes for all of our workflows in the future.

Contributor Author


Done.
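Added example, not code from this PR or from the pandas repository: a small stdlib-only checker for the two points raised in this review thread, whether each `uses:` reference is pinned to a full commit SHA (what Scorecards' Pinned-Dependencies check looks for) or only to a mutable tag or branch, and whether the job carries the `if: github.repository == ...` fork guard. The sample workflow text is constructed to resemble the one under discussion, not copied from the PR.

```python
import re

# Constructed sample workflow, modelled on the scorecards.yml discussed in this PR.
SAMPLE_WORKFLOW = """\
name: Scorecards supply-chain security
on:
  push:
    branches: [ main ]
jobs:
  analysis:
    name: Scorecards analysis
    if: github.repository == 'pandas-dev/pandas'
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout code"
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
      - name: "Run analysis"
        uses: ossf/scorecard-action@v2.0.3
      - name: "Upload artifact"
        uses: actions/upload-artifact@main
"""

# `uses: owner/repo@ref` with an optional trailing "# tag=..." comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # immutable commit id
SEMVER_TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")  # v3, v3.0, v3.0.2


def classify_ref(ref):
    """How strongly an action reference is pinned.

    'sha'    - full 40-hex commit: cannot be moved by the action's publisher
    'tag'    - version tag: can be re-pointed (the tag-renaming risk in the thread)
    'branch' - anything else (main, master, ...): always follows the latest commit
    """
    if SHA_RE.match(ref):
        return "sha"
    if SEMVER_TAG_RE.match(ref):
        return "tag"
    return "branch"


def audit_workflow(text, repository):
    """Return ([(action, ref, kind), ...], fork_guard_present) for a workflow.

    The fork guard is the `if: github.repository == "<repository>"` line the
    reviewer asked for; quotes around the repository name are optional.
    """
    guard_re = re.compile(
        r"^\s*if:\s*github\.repository\s*==\s*['\"]?" + re.escape(repository) + r"['\"]?\s*$"
    )
    findings, guarded = [], False
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            findings.append((m.group(1), m.group(2), classify_ref(m.group(2))))
        elif guard_re.match(line):
            guarded = True
    return findings, guarded
```

Anything reported as `tag` or `branch` is what a later "pin everything to hashes" pass, as the maintainers discuss above, would tighten.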

@pnacht
Contributor Author

pnacht commented Sep 20, 2022

@mroeschke I'm not sure why the CircleCI tests are failing. Seems to be missing python tests? I've noticed a few other recent PRs with the same failures (#48658, #48621), was this solved?

@lithomas1
Member

> @mroeschke I'm not sure why the CircleCI tests are failing. Seems to be missing python tests? I've noticed a few other recent PRs with the same failures (#48658, #48621), was this solved?

Can you merge main?

@lithomas1 lithomas1 merged commit 3937fbe into pandas-dev:main Sep 20, 2022
@lithomas1
Member

thanks @pnacht

@phofl
Member

phofl commented Sep 20, 2022

This is failing on main.

Is there a quick fix? Otherwise I would propose reverting till this is fixed

https://github.com/pandas-dev/pandas/actions/runs/3092278697/jobs/5003363101

@pnacht
Contributor Author

pnacht commented Sep 20, 2022

Yes, this should be quick to fix. Many apologies! I'll write a new PR with a fix in a few minutes.

@pnacht
Contributor Author

pnacht commented Sep 20, 2022

@phofl Submitted the PR fixing this #48668. Truly sorry, my apologies!

phofl pushed a commit to phofl/pandas that referenced this pull request Sep 22, 2022
* Create scorecards.yml

* Update scorecards.yml

* Add OpenSSF Scorecards badge to README.md

* Trim whitespace in scorecards.yml

* Skip scorecards.yml on forks

* Fix whitespace

* Pin scorecards.yml dependencies to major versions
mroeschke added a commit that referenced this pull request Sep 26, 2022
…8662)

* BUG: Series.getitem not falling back to positional for bool index

* Update pandas/tests/series/indexing/test_getitem.py

Co-authored-by: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com>

* Fix build warning for use of `strdup` in ultrajson (#48369)

* WEB: Update versions json to fix version switcher in the docs (#48655)

* PERF: join/merge on subset of MultiIndex (#48611)

* DOC: Update documentation for date_range(), bdate_range(), and interval_range() to include timedelta as a possible data type for the freq parameter (#48631)

* Update documentation for date_range(), bdate_range(), and interval_range() to include timedelta as a possible data type for the freq parameter

* Add test case for date_range construction using datetime.timedelta

* TYP: tighten Axis (#48612)

* TYP: tighten Axis

* allow 'rows'

* BUG: Fix metadata propagation in df.corr and df.cov, GH28283 (#48616)

* Add finalize to df.corr and df.cov

* Clean

* TST: add test case for PeriodIndex in HDFStore(GH7796) (#48618)

* TST: add test case for PeriodIndex in HDFStore

* TST: add test case for PeriodIndex in HDFStore

* use pytest.mark.parameterize instead

* Add OpenSSF Scorecards GitHub Action (#48570)

* Create scorecards.yml

* Update scorecards.yml

* Add OpenSSF Scorecards badge to README.md

* Trim whitespace in scorecards.yml

* Skip scorecards.yml on forks

* Fix whitespace

* Pin scorecards.yml dependencies to major versions

* ENH: move an exception and add a prehook to check for exception place… (#48088)

* ENH: move an exception and add a prehook to check for exception placement

* ENH: fix import

* ENH: revert moving error

* ENH: add docstring and fix import for test

* ENH: re-design approach based on feedback

* ENH: update whatsnew rst

* ENH: apply feedback changes

* ENH: refactor to remove exception_warning_list and ignore _version.py

* ENH: remove NotThisMethod from tests and all

* REGR: TextIOWrapper raising an error in read_csv (#48651)

* REGR: TextIOWrapper raising an error in read_csv

* pyupgrade

* do not try to seek on unseekable buffers

* unseekable buffer might also have read ahead

* safer alternative: do not mess with internal/private(?) buffer of TextIOWrapper (effectively applies the shortcut only to files pandas opens)

* Fix scorecard.yml workflow (#48668)

* Set scorecard-action to v2.0.3

scorecard-action does not have a major version tag.

Temporarily disabling github.repository check to ensure action now works.

* Enable github.repository check

* BUG: DatetimeIndex ignoring explicit tz=None (#48659)

* BUG: DatetimeIndex ignoring explicit tz=None

* GH ref

* Corrected pd.merge indicator type hint (#48677)

* Corrected pd.merge indicator type hint

https://pandas.pydata.org/docs/reference/api/pandas.merge.html
It should be "str | bool" instead of just string

* Update merge.py

fixed type hint in merge.py

* Update merge.py

Update indicator type hint in _MergeOperation

* Update merge.py

Added type hint _MergeOperation init

* DOC: Document default value for options.display.max_cols when not running in terminal (#48672)

DOC: Document default value for options.display.max_cols

display.max_cols has a default value of 20 when not running in a terminal
such as Jupyter Notebook

* ENH: DTA/TDA add datetimelike scalar with mismatched reso (#48669)

* ENH: DTA/TDA add datetimelike scalar with mismatched reso

* mypy fixup

* REF: support reso in remaining tslibs helpers (#48661)

* REF: support reso in remaining tslibs helpers

* update setup.py

* PERF: Avoid fragmentation of DataFrame in read_sas (#48603)

* PERF: Avoid fragmentation of DataFrame in read_sas

* Add whatsnew

* Add warning

* DOC: Add deprecation infos to deprecated functions (#48599)

* DOC: Add deprecation infos to deprecated functions

* Add sections

* Fix

* BLD: Build wheels using cibuildwheel (#48283)

* BLD: Build wheels using cibuildwheel

* update from code review

Co-Authored-By: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com>

* fix 3.11 version

* changes from code review

* Update test_wheels.py

* sync run time with pandas-wheels

Co-authored-by: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com>

* REGR: Performance decrease in factorize (#48620)

* TYP: type all arguments with str default values (#48508)

* TYP: type all arguments with str default values

* na_rep: back to str

* na(t)_rep is always a string

* add float for some functions

* and the same for the few float default arguments

* define a few more literal constants

* avoid itertools.cycle mypy error

* revert mistake

* TST: Catch more pyarrow PerformanceWarnings (#48699)

* REGR: to_hdf raising AssertionError with boolean index (#48696)

* REGR: to_hdf raising AssertionError with boolean index

* Add gh ref

* REGR: Regression in DataFrame.loc when setting df with all True indexer (#48711)

* BUG: pivot_table raising for nullable dtype and margins (#48714)

* TST: Address MPL 3.6 deprecation warnings (#48695)

* TST: Address MPL 3.6 deprecation warnings

* Address min build

* missing ()

Co-authored-by: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com>
Co-authored-by: Ralf Gommers <ralf.gommers@gmail.com>
Co-authored-by: Marc Garcia <garcia.marc@gmail.com>
Co-authored-by: Luke Manley <lukemanley@gmail.com>
Co-authored-by: Siddhartha Gandhi <siddhartha.a.gandhi@gmail.com>
Co-authored-by: Torsten Wörtwein <twoertwein@users.noreply.github.com>
Co-authored-by: Xiao Yuan <yuanx749@gmail.com>
Co-authored-by: paradox-lab <57354735+paradox-lab@users.noreply.github.com>
Co-authored-by: Pedro Nacht <15221358+pnacht@users.noreply.github.com>
Co-authored-by: dataxerik <dsshar@gmail.com>
Co-authored-by: jbrockmendel <jbrockmendel@gmail.com>
Co-authored-by: Pablo <48098178+PabloRuizCuevas@users.noreply.github.com>
Co-authored-by: tmoschou <5567550+tmoschou@users.noreply.github.com>
Co-authored-by: Thomas Li <47963215+lithomas1@users.noreply.github.com>
Co-authored-by: Richard Shadrach <45562402+rhshadrach@users.noreply.github.com>
@mroeschke mroeschke modified the milestones: 1.6, 2.0 Oct 13, 2022
noatamir pushed commits to noatamir/pandas that referenced this pull request Nov 9, 2022 (same commit messages as the two above).