Add OpenSSF Scorecards GitHub Action #48570
Conversation
Looks good in general. Can you disable the workflow for forks, by adding a `if: github.repository=="pandas-dev/pandas"` somewhere? Thanks.
@lithomas1 Done.
.github/workflows/scorecards.yml (Outdated)

```yaml
steps:
  - name: "Checkout code"
    uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
```
Curious, could we just specify the tags instead of the commit hashes here? (That's what we do for other actions.)
The OpenSSF recommends pinning to hashes instead of versions in order to protect against tag-renaming attacks (whereby an attacker hijacks an action, uploads a malicious version and replaces an existing tag with the malicious version). However, we're aware there are pros and cons to this approach, so if you prefer I can modify the workflow to use versions instead of hashes.
I think we would prefer using the tags for consistency with other workflows. We can look into using hashes for all of our workflows in the future.
Done.
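The pinning trade-off discussed above can be checked mechanically. The script below is an added illustration, not part of this PR or the pandas repository: it flags `uses:` references that are not pinned to a full commit SHA (a tag or branch can be re-pointed after review, which is the OpenSSF concern) and reports which repository a job-level `if: github.repository == ...` guard restricts the workflow to. The sample workflow it scans is constructed for the example; the checkout pin is the one shown in the diff above and the scorecard-action tag is the one the thread mentions.

```python
import re

# Constructed sample workflow for this example: the checkout pin is the one from
# the diff in this thread; the scorecard-action tag is the one the thread mentions.
SAMPLE_WORKFLOW = """\
name: Scorecards
on: [push]
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    if: github.repository == 'pandas-dev/pandas'
    steps:
      - name: "Checkout code"
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
      - name: "Run analysis"
        uses: ossf/scorecard-action@v2.0.3
"""

# `uses: owner/repo[/path]@ref` with an optional trailing "# tag=vX" comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Job-level guard that keeps the workflow from running on forks.
GUARD_RE = re.compile(r"^\s*if:\s*github\.repository\s*==\s*['\"]?([\w.-]+/[\w.-]+)['\"]?\s*$")

def audit_uses(text):
    """(action, ref, status) per `uses:` step; "pinned" only for a 40-hex SHA."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            status = "pinned" if SHA_RE.match(m.group("ref")) else "tag"
            out.append((m.group("action"), m.group("ref"), status))
    return out

def unpinned(text):
    """Actions referenced by a tag or branch: the ref can be moved after review."""
    return [(a, r) for a, r, s in audit_uses(text) if s != "pinned"]

def fork_guard(text):
    """Repository named by `if: github.repository == ...`, or None if absent."""
    for line in text.splitlines():
        m = GUARD_RE.match(line)
        if m:
            return m.group(1)
    return None
```

Local actions (`uses: ./path`) carry no `@ref` and are skipped; the `# tag=` comment is captured but not trusted, since only the SHA decides the status.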
@mroeschke I'm not sure why the CircleCI tests are failing. Seems to be missing python tests? I've noticed a few other recent PRs with the same failures (#48658, #48621), was this solved?
Can you merge main?
thanks @pnacht
This is failing on main. Is there a quick fix? Otherwise I would propose reverting till this is fixed https://github.com/pandas-dev/pandas/actions/runs/3092278697/jobs/5003363101
Yes, this should be quick to fix. Many apologies! I'll write a new PR with a fix in a few minutes.
* Create scorecards.yml
* Update scorecards.yml
* Add OpenSSF Scorecards badge to README.md
* Trim whitespace in scorecards.yml
* Skip scorecards.yml on forks
* Fix whitespace
* Pin scorecards.yml dependencies to major versions
Closes #48566
As per the linked issue, this PR adds the OpenSSF Scorecards GitHub Action, which automatically checks the repo's supply-chain security processes and reports results to the repo's Security dashboard.
I have also taken the liberty of adding a badge to the README.md displaying the project's score. This badge is strictly optional and can be easily removed, just say the word!