[CORE-357] add dependabot linear ticket workflow#2
Conversation
Fix changelog spelling mistakes By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Update CHANGELOG.rst for 1.26.4.json
We received customer feedback that our stale issue timings are too tight. This doubles what we had previously.
fix typo, (mysack -> mystack)
Updates the requirements on [pip](https://github.com/pypa/pip) to permit the latest version. - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst) - [Commits](pypa/pip@9.0.0...24.0) --- updated-dependencies: - dependency-name: pip dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
The latest issue is that installing the older version will now pull in a version of numpy that doesn't have pre-built wheels which results in the test attempting to build numpy which fails. I've also updated the error message to print a more verbose error to make it quicker to troubleshoot.
Newer macOS runners are resulting in no pre-built whl being available.
PR aws#2092 * dependabot/pip/pip-gte-9-and-lt-24.1: Add changelog entry for version bump Bump min version on cryptography package test Bump min version supported by Pandas tests Update pip requirement from <23.4,>=9 to >=9,<24.1
This takes the original PR and adds checks for symlink and absolute paths. This brings it more in line with what the `data` value of Python 3.12's `filter` arg does.
PR aws#1990 * TrellixVulnTeam/master: Update tar validation to also check for abspath and symlinks Adding tarfile member sanitization to extractall()
* patch-2: Update CHANGELOG.rst
PR aws#2085 * patch-1: Update CHANGELOG.rst for 1.26.4.json
As part of this change I switched the template over to markdown. This lets all the recent changelog links to issues/PRs get properly linked (they weren't being rendered as links in restructured text). This issue was introduced in the latest release which pulled in the latest version of jmeslog which changed the default template being used. We now use an explicit template to control against this.
Update cd.rst
chore: relax stale issue timings
PR aws#2107 * fix-changelog-render: Fix new lines on rendered changelog
Updates the requirements on [pip](https://github.com/pypa/pip) to permit the latest version. - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst) - [Commits](pypa/pip@9.0.0...24.2) --- updated-dependencies: - dependency-name: pip dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
If distutils is imported before pip outside of a `setup.py`, you see a deprecation warning about distutils. This was caused by a dependency we use, `inquirer`, using a dependency that used distutils. Upgrading to the latest major version of `inquirer` fixes this issue, which no longer depends on the affected package. As a result, we no longer see this warning message when running `chalice package` or `chalice deploy`. This triggered several other dependencies that needed to be updated, which resulted in a few cosmetic code tweaks to make pylint happy.
Fix distutils warning when packaging/deploying apps
Missed this in the previous PR.
…24.3 Update pip requirement from <24.1,>=9 to >=9,<24.3
Drop support for Python 3.8
Add support for Python 3.13
Update docs generation script
* Drop support for Python 3.9 * Update CI to use Node v24 * Pin NumPy in packaging smoke tests * Fix changelog entry typo * Fix changelog link; Simplify diff * Update version in .python-version
* Fix a number of typos * Update local.py * Fix line too long linting error --------- Co-authored-by: jonathan343 <43360731+jonathan343@users.noreply.github.com>
* Drop support for Python 3.9
* Fix changelog link; Simplify diff
* Add support for Python 3.14
  - Map python3.14 to cp314 with AL2023 glibc (2.34) in the packager, add it to runtime classifiers, docs, CI, and test gates
  - Replace removed ast.Str usage in the static analyzer with ast.Constant
  - Bump the v2 pipeline CodeBuild image to amazonlinux2023-x86_64-standard:5.0 so the runtime is available
  - Update pip to the latest version (<26.2)
  - Expand the pip --platform list emitted when downloading manylinux wheels so newer manylinux_2_X profiles are accepted; pip treats --platform as a literal tag and won't extrapolate, so we enumerate every glibc minor up to the runtime's. Required for Python 3.14 wheels of pandas/numpy/scipy, which only ship as manylinux_2_24+
  - Bump pandas/numpy versions in the packaging integration test to ones that publish cp314 wheels
* Clean up packaging smoke test version pins
* Fix link to chalice logo * Remove Gitter links and add version links * Make code examples consistent; Update boto3 link * Use https for links; Make example output consistent * Revert chalice new-project syntax to match real syntax * update incorrect arn in quickstart --------- Co-authored-by: amar <amarjandu@specterbyte.com>
* Harden GitHub Actions workflows Pin actions to commit SHAs, scope GITHUB_TOKEN to least privilege, disable credential persistence on checkout, and slow stale-issue cron from hourly to daily. * Add dependabot 7 day cooldown * Add github-actions to dependabot
* Improve changelog rendering format Group changelog entries by change type, add a fallback section for unknown types, and re-render CHANGELOG.md. Also convert legacy reStructuredText-style links in historical change fragments to Markdown. * Fix changelog upgrade note links * Change link from awslabs to aws
Honors --since when running chalice logs without --follow by passing startTime through the CloudWatch log paginator, and adds a regression test plus jmeslog entry.
Co-authored-by: Cursor <cursoragent@cursor.com>
| # If we're dealing with a member that's some type of link, ensure | ||
| # it doesn't point to anything outside of the destination dir. | ||
| if member.islnk() or member.issym(): | ||
| if os.path.abspath(member.linkname): |
Conditional if os.path.abspath(member.linkname): is always true, so subsequent link-handling code is unreachable; remove or correct the condition.
| if os.path.abspath(member.linkname): | |
| if os.path.isabs(member.linkname): |
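Review bot: `os.path.isabs(member.linkname)` fixes the always-true `abspath` check, but it still admits relative targets that climb out of the destination, such as `../../etc/passwd`. Resolve the target first (for `issym()` relative to `os.path.dirname(member.name)`, for `islnk()` relative to the archive root) with `os.path.realpath(os.path.join(dest_path, ...))` and reject it unless `os.path.commonpath([dest_path, resolved]) == dest_path`.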
AI Reasoning
The added tar extraction safety code introduces a check if os.path.abspath(member.linkname): which invokes os.path.abspath and tests its truthiness. os.path.abspath returns an absolute path string even for relative inputs, which is always truthy (non-empty). Therefore this conditional always passes and immediately raises a RuntimeError, making the rest of the link-handling branch (resolving link targets and additional checks) unreachable. This is a local, provable property (no dependence on external mutable state), and was introduced by the PR changes to _validate_single_tar_member.
| # it doesn't point to anything outside of the destination dir. | ||
| if member.islnk() or member.issym(): | ||
| if os.path.abspath(member.linkname): | ||
| raise RuntimeError(f"Symlink to abspath: {member.linkname}") |
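Review bot: this `RuntimeError` fires for every link because `os.path.abspath` of a relative `linkname` is never empty, so a legitimate in-archive symlink such as `alias.py -> __init__.py` is refused, and the message then mislabels a relative target as an absolute path. Test `os.path.isabs(member.linkname)` for the absolute case and compare the resolved target against the destination directory for the relative case, keeping the error text specific to which check failed.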
Tar symlink check rejects all links
Medium Severity
New tar safety validation treats any symlink or hardlink as forbidden because os.path.abspath on a relative linkname is always a non-empty absolute path. Legitimate sdists that include in-archive symlinks fail during extract_tarfile with “Symlink to abspath” instead of being extracted.
Reviewed by Cursor Bugbot for commit 3687ff7.
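Both review comments above come down to how a tar member's name and link target are checked against the destination directory. The following is an added example, not Chalice's own code, of a validator that rejects absolute names, parent-directory escapes, and links whose resolved target leaves the destination, while still accepting the in-archive relative links that legitimate sdists contain. The function names (`validate_tar_member`, `safe_members`, `check_all`), the sample members and the `/tmp/unpack` destination are constructed for the example.

```python
import os
import tarfile


def _resolve_within(dest_root, relative):
    """Return the real path of dest_root/relative, or None if it leaves dest_root."""
    candidate = os.path.realpath(os.path.join(dest_root, relative))
    try:
        inside = os.path.commonpath([dest_root, candidate]) == dest_root
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    return candidate if inside else None


def validate_tar_member(member, unpack_dir):
    """Raise ValueError if extracting `member` into `unpack_dir` could write or link outside it.

    Returns the member name on success. Hypothetical helper, not Chalice's validator.
    """
    dest_root = os.path.realpath(unpack_dir)
    name = member.name  # present on every supported Python; TarInfo.path is 3.12+ only
    # Absolute names (and drive-qualified names on Windows) would ignore unpack_dir entirely.
    if os.path.isabs(name) or os.path.splitdrive(name)[0]:
        raise ValueError(f"Absolute path in archive: {name}")
    # '..' components resolve the file outside the destination.
    if _resolve_within(dest_root, name) is None:
        raise ValueError(f"Path escapes destination: {name}")
    if member.issym() or member.islnk():
        target = member.linkname
        if os.path.isabs(target) or os.path.splitdrive(target)[0]:
            raise ValueError(f"Link to absolute path: {name} -> {target}")
        if member.issym():
            # Symlink targets are relative to the directory containing the link.
            resolved = _resolve_within(dest_root, os.path.join(os.path.dirname(name), target))
        else:
            # Hard link targets are archive-relative member names.
            resolved = _resolve_within(dest_root, target)
        if resolved is None:
            raise ValueError(f"Link escapes destination: {name} -> {target}")
    return name


def safe_members(tar, unpack_dir):
    """Generator for tar.extractall(members=...) that validates each member before it is yielded."""
    for member in tar.getmembers():
        validate_tar_member(member, unpack_dir)
        yield member


def _make(name, linkname=None, kind=tarfile.REGTYPE):
    """Build a TarInfo in memory so the example runs without a real archive."""
    info = tarfile.TarInfo(name)
    info.type = kind
    if linkname is not None:
        info.linkname = linkname
    return info


# Constructed sample members: the first group is what a normal sdist contains,
# the second group is what the validator must refuse.
OK_MEMBERS = [
    _make("pkg/__init__.py"),
    _make("pkg/alias.py", "__init__.py", tarfile.SYMTYPE),    # relative symlink inside the archive
    _make("pkg/copy.py", "pkg/__init__.py", tarfile.LNKTYPE),  # archive-relative hard link
]
BAD_MEMBERS = [
    _make("/etc/cron.d/job"),                                     # absolute member name
    _make("../outside.py"),                                       # parent-directory escape
    _make("pkg/evil", "/etc/passwd", tarfile.SYMTYPE),            # absolute link target
    _make("pkg/evil2", "../../../../etc/passwd", tarfile.SYMTYPE),  # relative target that escapes
]


def check_all(members, unpack_dir="/tmp/unpack"):
    """Return the names of the members that validate_tar_member rejected."""
    rejected = []
    for member in members:
        try:
            validate_tar_member(member, unpack_dir)
        except ValueError:
            rejected.append(member.name)
    return rejected


if __name__ == "__main__":
    print("rejected from OK set:", check_all(OK_MEMBERS))
    print("rejected from BAD set:", check_all(BAD_MEMBERS))
```

`safe_members` is meant to be passed as `tar.extractall(unpack_dir, members=safe_members(tar, unpack_dir))`, so a bad member stops extraction before anything is written. On Python 3.12 and later the same policy is available built in as `tar.extractall(unpack_dir, filter="data")`, which is the behaviour the PR author cites.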
Co-authored-by: Cursor <cursoragent@cursor.com>
| name = member.name | ||
| dest_path = os.path.realpath(unpack_dir) | ||
| if name.startswith(('/', os.sep)): | ||
| name = member.path.lstrip('/' + os.sep) |
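Review bot: `name.startswith(('/', os.sep))` misses drive-qualified names on Windows such as `C:\foo`, so prefer `os.path.isabs(name)` together with `os.path.splitdrive(name)[0]`; and the stripped value should be taken from `member.name`, which exists on every supported interpreter, rather than `member.path` (3.12 and later only), so the branch behaves the same on the 3.10 and 3.11 CI jobs instead of raising `AttributeError`.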
TarInfo.path missing Python 3.10
Medium Severity
Absolute-path tar members use member.path, which exists only from Python 3.12. CI still runs 3.10–3.11, so those archives can raise AttributeError during validation instead of a controlled error, breaking packaging on supported runtimes.
Reviewed by Cursor Bugbot for commit 98850fc.
Co-authored-by: Cursor <cursoragent@cursor.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
Reviewed by Cursor Bugbot for commit dd754d2.
| issues: write | ||
| steps: | ||
| - uses: aws-actions/stale-issue-cleanup@v4 | ||
| - uses: aws-actions/stale-issue-cleanup@0604f2edf84a3a66bc0dfb4a30eb07814cbdf440 # v7.1.1 |
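Review bot: pinning to the commit SHA is the right call; keep the `# v7.1.1` trailer accurate, because Dependabot's `github-actions` updates rely on that comment to recognise and bump SHA-pinned actions, and confirm before merging that the SHA is the commit the `v7.1.1` tag points to in `aws-actions/stale-issue-cleanup`. The `issues: write` permission above is the minimum this action needs to label and close issues, so nothing broader should be added to the job.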
Stale notice says five days
Low Severity
The stale-issue comment still tells contributors inactivity has lasted “longer than five days,” but this commit raised days-before-stale to 10. Issue authors get misleading timing relative to when the closing-soon label and auto-close actually run.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit dd754d2.


Context
Adds a workflow that automatically creates a Linear ticket for each new Dependabot PR, using the shared `dependabot-linear-ticket` action from `benepass/github-actions`.
Additional notes & discussion
- `pull_request: types: [opened]` filtered to `dependabot[bot]`, so the action fires exactly once per new Dependabot PR
- `LINEAR_API_KEY` from organization secrets and `LINEAR_CORE_TEAM_ID` from repository variables (CORE team for this backend Python repo)
Concerns & next steps
- `LINEAR_CORE_TEAM_ID` is set as a repository or organization variable in GitHub Actions settings
Made with Cursor
Note
Medium Risk
Touches Lambda runtime mapping, dependency packaging, and deployment templates for SQS event sources; incorrect behavior could affect deploys and log retrieval, though changes are mostly additive or CI/docs.
Overview
This PR is a broad release and maintenance update (bumps to 1.33.0), not only the Dependabot automation described in the title.
CI and repo hygiene: Adds Create Linear ticket for Dependabot PR, which runs on `pull_request` `opened` for `dependabot[bot]` and calls the shared `dependabot-linear-ticket` action with Linear OAuth secrets and `LINEAR_CORE_TEAM_ID`. Dependabot moves to weekly schedules with grouping/cooldown; run-tests drops Python 3.8–3.9, adds 3.13–3.14, pins checkout/setup actions, and bumps Node for CDK tests; stale-issue timing and permissions are adjusted.
Runtime and packaging: Lambda runtime selection now targets Python 3.10–3.14 (drops 3.8/3.9 mapping). Wheel/ABI handling adds cp313/cp314, updates glibc assumptions, and expands manylinux `--platform` lists for pip downloads. Tar extraction validates members so paths and symlinks cannot escape the destination directory.
Product behavior: `on_sqs_message` gains optional `maximum_concurrency`, wired through deploy, CloudFormation/SAM, Terraform, and LambdaScalingConfig. `chalice logs` passes `startTime` to CloudWatch when `--since` is set without `--follow`. The policy analyzer uses `ast.Constant` for string literals instead of removed `ast.Str`.
Changelog/docs: Replaces `CHANGELOG.rst` with `CHANGELOG.md`, adds a Jinja changelog template, normalizes issue links in `.changes/*.json`, and refreshes README/contributing for supported Python versions.
Reviewed by Cursor Bugbot for commit dd754d2. Bugbot is set up for automated code reviews on this repo.