From fd1b080e379524cc966a6abf3818d84175b90bab Mon Sep 17 00:00:00 2001
From: "Ralf W. Grosse-Kunstleve"
Date: Wed, 27 Aug 2025 11:50:09 -0700
Subject: [PATCH 1/3] sync pre-commit, workflow bandit versions (manually)
---
 .github/dependabot.yml | 4 ++++
 .github/workflows/bandit.yml | 7 ++++++-
 .pre-commit-config.yaml | 4 ++--
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2c0c083008..f16a3fb66d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -19,3 +19,7 @@ updates:
 applies-to: version-updates
 patterns: ["*"]
 update-types: ["minor", "patch"]
+
+ # Prevent updates for the Bandit Action; we manage it manually according to corp policies
+ ignore:
+ - dependency-name: "PyCQA/bandit-action"
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 46663929f6..c57ffd351f 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -20,4 +20,9 @@ jobs:
 security-events: write
 steps:
 - name: Perform Bandit Analysis
- uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de
+ # KEEP IN SYNC WITH bandit rev in .pre-commit-config.yaml
+ # Current runner uses Python 3.8, so the action installs bandit==1.7.10
+ # via `pip install bandit[sarif]`. If runner Python moves to >=3.9,
+ # the action will resolve to 1.8.x and you'll need to bump pre-commit.
+ # (Bandit >=1.8.0 dropped Python 3.8 via Requires-Python metadata.)
+ uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de # v1.0.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4da2dddef3..db3f4a0f1b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -9,7 +9,6 @@ ci:
 autoupdate_branch: ''
 autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
 autoupdate_schedule: quarterly
- skip: [bandit]
 submodules: false
 # Please update the rev: SHAs below with this command:
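Review bot: The bandit version this workflow actually runs is still not pinned anywhere: the new comment block above `uses:` explains that `bandit==1.7.10` is merely what pip resolves on a Python 3.8 runner, so a runner-image update changes the scanner silently while the hard-coded `1.7.10` in the comment and the frozen rev in .pre-commit-config.yaml stay behind. The action is pinned by commit SHA but bandit itself is not, so the "keep in sync" contract is enforced by nothing but a comment. If the action installs into the runner interpreter, as the comment implies, a follow-up step such as `- run: python -m pip show bandit | grep -Fx 'Version: 1.7.10'` would turn that drift into a failing job; the sturdier fix is to make the runner's Python version explicit (for instance with actions/setup-python) or otherwise pin bandit in the workflow instead of relying on Requires-Python resolution. The comment should also say that the pre-commit rev must be bumped in the same PR as any runner or action change. The enclosing `jobs:` block starts outside the hunk.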
@@ -66,7 +65,8 @@ repos:
 - id: rst-inline-touching-normal
 - repo: https://github.com/PyCQA/bandit
- rev: 2d0b675b04c80ae42277e10500db06a0a37bae17 # frozen: 1.8.6
+ # KEEP IN SYNC WITH .github/workflows/bandit.yml
+ rev: "36fd65054fc8864b4037d0918904f9331512feb5" # frozen: 1.7.10
 hooks:
 - id: bandit
 args:
From 612f86b5956f22062f8051f00ffb024ea4855dac Mon Sep 17 00:00:00 2001
From: "Ralf W. Grosse-Kunstleve"
Date: Thu, 28 Aug 2025 08:49:58 -0700
Subject: [PATCH 2/3] Move `KEEP IN SYNC` comment on `rev` line, to make it more likely that it does not get overlooked after running `pre-commit autoupdate --freeze`
---
 .pre-commit-config.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index db3f4a0f1b..d65ffce912 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -65,8 +65,7 @@ repos:
 - id: rst-inline-touching-normal
 - repo: https://github.com/PyCQA/bandit
- # KEEP IN SYNC WITH .github/workflows/bandit.yml
- rev: "36fd65054fc8864b4037d0918904f9331512feb5" # frozen: 1.7.10
+ rev: "36fd65054fc8864b4037d0918904f9331512feb5" # frozen: 1.7.10 KEEP IN SYNC WITH .github/workflows/bandit.yml
 hooks:
 - id: bandit
 args:
From 1446e33c79fc0886b0743dfbff55948fb510a061 Mon Sep 17 00:00:00 2001
From: "Ralf W. Grosse-Kunstleve"
Date: Wed, 3 Sep 2025 10:36:37 -0700
Subject: [PATCH 3/3] Undo change in .github/dependabot.yml (see https://github.com/NVIDIA/cuda-python/pull/913#discussion_r2319684758)
---
 .github/dependabot.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f16a3fb66d..2c0c083008 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -19,7 +19,3 @@ updates:
 applies-to: version-updates
 patterns: ["*"]
 update-types: ["minor", "patch"]
-
- # Prevent updates for the Bandit Action; we manage it manually according to corp policies
- ignore:
- - dependency-name: "PyCQA/bandit-action"
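Review bot: The new frozen rev moves pre-commit's bandit from 1.8.6 down to 1.7.10, so local and pre-commit.ci scans lose whatever checks and fixes the 1.8.x line added, purely because the CI runner is still on Python 3.8; the more robust direction is to bring the workflow up to 1.8.x (a Python ≥3.9 runner) rather than downgrade the hook. Independently, the `ci:` block in this file's first hunk keeps `autoupdate_schedule: quarterly` and the same commit removed `skip: [bandit]`, so pre-commit.ci will run this hook and, as far as I know, bump this `rev` to the latest release on its next autoupdate, silently undoing the sync the comment asks for unless that autoupdate PR is checked against bandit.yml. Suggest making the comment say so: `# KEEP IN SYNC WITH .github/workflows/bandit.yml -- pre-commit.ci autoupdate will bump this rev; re-pin it unless the workflow moved too`. The surrounding `repos:` list continues outside the hunk.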
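Review bot: Moving the reminder onto the `rev:` line may achieve the opposite of what the commit message intends: as far as I recall, `pre-commit autoupdate` rewrites the whole `rev:` line and replaces its trailing comment with a fresh `# frozen: <tag>` (or drops a `# frozen:` comment entirely when not freezing), so the `KEEP IN SYNC` text would vanish in the very change that breaks the sync, leaving nothing to catch a reviewer's eye. A comment on its own line directly above `rev:` survives that rewrite, and keeping both placements is cheap, e.g. `# KEEP IN SYNC WITH .github/workflows/bandit.yml (autoupdate rewrites the rev line below, comment included)`. This is worth verifying against the pre-commit version the project actually uses before relying on either placement.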