29 changes: 10 additions & 19 deletions .github/workflows/python-package.yml
Expand Up @@ -5,7 +5,7 @@ name: bucketbase-package-build

on:
push:
branches: [ $default-branch, main ]
branches: [ master, main ]
paths-ignore:
- '**.md'
pull_request:
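Review bot: replacing `$default-branch` with the literal `master` is the right call, since `$default-branch` is only a placeholder that GitHub substitutes when a starter-workflow template is first created and is never expanded at run time, so the old `push` trigger matched nothing. Listing both `master` and `main` is harmless; if the repository has only one of them, drop the other so the trigger documents reality.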
Expand All @@ -24,23 +24,19 @@ jobs:
python-version: [ "3.10", "3.11", "3.12", "3.13", "3.14" ]

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Inspect checkout steps and nearby config.
rg -n -A4 -B1 'uses:\s*actions/checkout@' .github/workflows/python-package.yml

Repository: eSAMTrade/bucketbase

Length of output: 409


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/python-package.yml"

echo "== File: $FILE =="
echo "-- Checkout context around each actions/checkout@v6 --"
rg -n -A10 -B2 'uses:\s*actions/checkout@v6' "$FILE" || true

echo
echo "-- Search for persist-credentials anywhere in the workflow --"
rg -n 'persist-credentials' "$FILE" || true

Repository: eSAMTrade/bucketbase

Length of output: 1046


🌐 Web query:

actions/checkout v6 persist-credentials default value

💡 Result:

The default value of the input persist-credentials in actions/checkout v6 is true (i.e., credentials are persisted) unless you explicitly set persist-credentials: false. [1][2] Evidence: the actions/checkout README for v6 documents persist-credentials with “Default: true” and describes that the auth token is persisted in the local git config and removed during post-job cleanup; it also states you can opt out by setting persist-credentials: false. [1][2]

Citations:


Disable checkout credential persistence (keep the token on a short leash).

This workflow has two actions/checkout@v6 steps and neither sets persist-credentials: false; actions/checkout@v6 defaults to persisting credentials, increasing token exposure risk.

Suggested fix
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
...
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false

Also applies to: 55-55

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 27-27: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-package.yml at line 27, The workflow uses
actions/checkout@v6 twice without disabling credential persistence; update both
checkout steps (the two occurrences of "uses: actions/checkout@v6") to include
persist-credentials: false in their step input block so the GITHUB_TOKEN is not
persisted to the workspace (add a persist-credentials: false key under each
checkout step).

- name: Install uv
uses: astral-sh/setup-uv@v5
uses: astral-sh/setup-uv@v8.1.0
with:
enable-cache: true
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
uses: actions/setup-python@v6

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify tag-based action refs still exist in this workflow.
rg -n 'uses:\s*[^@]+@v' .github/workflows/python-package.yml

Repository: eSAMTrade/bucketbase

Length of output: 265


🏁 Script executed:

#!/bin/bash
sed -n '1,120p' .github/workflows/python-package.yml
rg -n "persist-credentials" .github/workflows/python-package.yml || true

Repository: eSAMTrade/bucketbase

Length of output: 2325


🌐 Web query:

actions/checkout@v6 persist-credentials default value

💡 Result:

For actions/checkout@v6, the persist-credentials input defaults to enabled (equivalent to true). actions/checkout persists the authentication token/credentials so that subsequent steps can run authenticated git commands, and it can be opted out with persist-credentials: false.[1][2] The action docs show the persist-credentials input as an empty default string (persist-credentials: ''), and the behavior described by the same docs indicates that omitting the input results in persisting credentials (i.e., the effective default is true).[1][2] In practice: if you do nothing, credentials are persisted; to disable, set:

uses: actions/checkout@v6
with:
  persist-credentials: false

This prevents the credentials from being persisted for later steps and is the documented opt-out.[1]

Citations:


Pin uses: action references to full commit SHAs + disable checkout token persistence.

Tag-based refs are used in .github/workflows/python-package.yml (lines 27-33 and again 55-57): actions/checkout@v6, astral-sh/setup-uv@v8.1.0, actions/setup-python@v6 — pin each to a commit SHA.

Also set with: persist-credentials: false on both actions/checkout@v6 steps to avoid persisting the default token/credentials (currently effective default is enabled).

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 27-27: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-package.yml around lines 27 - 33, Replace tag-based
action refs with specific commit SHAs for actions/checkout, astral-sh/setup-uv,
and actions/setup-python (e.g., change uses: actions/checkout@v6,
astral-sh/setup-uv@v8.1.0, actions/setup-python@v6 to their corresponding full
commit SHA pins) and add with: persist-credentials: false to the
actions/checkout steps to disable checkout token persistence; update both
occurrences of actions/checkout in the workflow, and ensure the commit-SHA
strings are used instead of version tags for the three referenced actions.

with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
env:
POETRY_VIRTUALENVS_PREFER_UV: "true"
run: |
uv pip install --system poetry
cd python
poetry lock
poetry install --with dev
uv sync --locked --all-extras --dev --python ${{ matrix.python-version }}
- name: Run tests
env:
MINIO_PUBLIC_SERVER: play.min.io
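Review bot: the install step `uv sync --locked --all-extras --dev --python ${{ matrix.python-version }}` and the test step both pass `--locked`, which makes uv exit non-zero when `python/uv.lock` is absent or does not match `pyproject.toml`. This PR deletes `python/poetry.lock`, but no `uv.lock` addition appears in the visible diff, so confirm that `python/uv.lock` is committed (the sdist include list in `pyproject.toml` references `/uv.lock`); otherwise every matrix entry fails at the install step. Dropping the old `poetry lock` re-resolution on every run is the better supply-chain posture: with `--locked`, CI installs exactly the pinned dependency graph instead of recomputing it.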
Expand All @@ -49,26 +45,22 @@ jobs:
MINIO_DEV_TESTS_BUCKET: bucketbase-test
run: |
cd python
poetry run python -m unittest discover -s tests -p "test_*.py" -v
uv run --locked python -m unittest discover -s tests -p "test_*.py" -v

build-container:
runs-on: ubuntu-latest
container:
image: python:3.12-bullseye
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- name: Install uv
uses: astral-sh/setup-uv@v5
uses: astral-sh/setup-uv@v8.1.0
with:
enable-cache: true
- name: Install dependencies in container
env:
POETRY_VIRTUALENVS_PREFER_UV: "true"
run: |
uv pip install --system poetry
cd python
poetry lock
poetry install --with dev
uv sync --locked --all-extras --dev
- name: Run tests in container
env:
MINIO_PUBLIC_SERVER: play.min.io
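Review bot: in `build-container` the `uv sync --locked --all-extras --dev` call carries no `--python` argument, unlike the matrix job, so uv selects the interpreter from the `python:3.12-bullseye` image (or fetches a managed one if it deems none suitable); pass `--python 3.12` or set `UV_PYTHON` so the interpreter is explicit and stays aligned with the image when it is bumped. `bullseye` is also the older Debian base; since this job only re-runs the same unittest suite inside a container, a current `bookworm`-based image is the lower-maintenance choice.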
Expand All @@ -77,5 +69,4 @@ jobs:
MINIO_DEV_TESTS_BUCKET: bucketbase-test
run: |
cd python
poetry run python -m unittest discover -s tests -p "test_*.py" -v

uv run --locked python -m unittest discover -s tests -p "test_*.py" -v
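Review bot: both jobs point the test suite at the public `play.min.io` server with a fixed bucket name (`MINIO_PUBLIC_SERVER` / `MINIO_DEV_TESTS_BUCKET: bucketbase-test`). That service is a shared, publicly readable sandbox, so anything the tests write there is visible to anyone, and concurrent matrix entries or two PRs running at once race on the same bucket; prefer a per-run bucket name (for example suffixed with `${{ github.run_id }}`) and keep the fixtures free of anything sensitive. The `uv run --locked python -m unittest discover ...` line here duplicates the matrix job's verbatim, so keep the two in step when one changes.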
2,278 changes: 0 additions & 2,278 deletions python/poetry.lock

This file was deleted.

10 changes: 0 additions & 10 deletions python/poetry.toml

This file was deleted.

82 changes: 52 additions & 30 deletions python/pyproject.toml
@@ -1,36 +1,43 @@
[tool.poetry]
[project]
name = "bucketbase"
version = "1.6.0" # do not edit manually. kept in sync with `tool.commitizen` config via automation


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Version is in split-brain mode.

Line 3 and Line 88 disagree (1.6.0 vs 1.2.3) while both claim automated sync. This can skew tagging/changelog/release metadata.

Suggested fix
 [tool.commitizen]
 name = "cz_conventional_commits"
-version = "1.2.3"  # do not edit manually. kept in sync with `project` config via automation
+version = "1.6.0"  # do not edit manually. kept in sync with `project` config via automation
 tag_format = "v$version"

Also applies to: 88-88

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@python/pyproject.toml` at line 3, The pyproject.toml contains conflicting
version values for the "version" key (one as 1.6.0 and another as 1.2.3);
reconcile them so the file has a single canonical version that matches your
automated source (tool.commitizen) by updating the discrepant "version" entry to
the correct release value and ensure any automation that syncs with
tool.commitizen is configured to update this same "version" key consistently.

description = "bucketbase"
authors = ["Andrei Suiu <andrei.suiu@gmail.com>"]
repository = "https://github.com/asuiu/bucketbase"
authors = [{ name = "Andrei Suiu", email = "andrei.suiu@gmail.com" }]
readme = "README.py.md"
license = "MIT"
requires-python = ">=3.10,<4.0.0"
dependencies = [
"streamerate>=1.2.1,<1.2.7; python_version < '3.11'",
"streamerate>=1.2.1; python_version >= '3.11'",
"pyxtension>=1.17.1",
"filelock>=3.20.0",
"exceptiongroup>=1.0.0; python_version < '3.11'",
"typing-extensions>=4.0.0",
]

[project.urls]
Repository = "https://github.com/asuiu/bucketbase"

[tool.poetry.dependencies]
python = ">=3.10,<4.0.0"
requests = ">=2.25.1"
streamerate = ">=1.2.1"
pyxtension = ">=1.17.1"
StrEnum = ">=0.4.0"
filelock = ">=3.20.0"
minio = { version = ">=7.2.4,<=8.0.0", optional = true }
multiminio = { version = ">=1.0.2", optional = true }
exceptiongroup = { version = ">=1.0.0", python = "<3.11" }

[tool.poetry.extras]
minio = ["minio", "multiminio"]

[tool.poetry.group.dev.dependencies]
pytest = "^8.3.5"
minio = "^7.2.18"
multiminio = "^1.0.2"
tsx = ">=0.2.14"
pyarrow = ">=21.0.0"
twine = ">=6.1.0"
pre-commit = ">=4.3.0"
mypy = "^1.18.2"
psutil = "^7.1.3"
[project.optional-dependencies]
minio = [
"certifi>=2024.0.0",
"minio>=7.2.4,<=8.0.0",
"multiminio>=1.0.2",
"packaging>=23.0",
"urllib3>=1.26.0",
]

[dependency-groups]
dev = [
"minio>=7.2.18,<8.0.0",
"multiminio>=1.0.2,<2.0.0",
"packaging>=23.0",
"tsx>=0.2.14",
"pyarrow>=21.0.0",
"twine>=6.1.0",
"pre-commit>=4.3.0",
"psutil>=7.1.3,<8.0.0",
]

[tool.black]
line-length = 160
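Review bot: `requests` and `StrEnum`, present in the old `[tool.poetry.dependencies]`, do not appear in the new `[project] dependencies`, and `mypy` and `pytest` are gone from the dev group. If any module in `bucketbase` still imports `requests` or `strenum`, the published wheel raises ImportError for users even though CI passes, because the `--all-extras --dev` install may pull them in transitively through other dev dependencies; either confirm the imports were removed or restore the entries. The `minio` extra also now lists `certifi`, `packaging` and `urllib3`, all of which `minio` already depends on; explicit floors are fine, but a short comment on why they are pinned here would help the next reader.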
Expand Down Expand Up @@ -78,7 +85,7 @@ sections = ["FUTURE", "STDLIB", "THIRDPARTY", "FIRSTPARTY", "LOCALFOLDER"]

[tool.commitizen]
name = "cz_conventional_commits"
version = "1.2.3" # do not edit manually. kept in sync with `tool.poetry` config via automation
version = "1.2.3" # do not edit manually. kept in sync with `project` config via automation
tag_format = "v$version"

# Same as Black.
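Review bot: only the comment on `version = "1.2.3"` changes here (`tool.poetry` becomes `project`) while the value stays at 1.2.3 against `1.6.0` on line 3, as already flagged above. Beyond fixing the number, check that the commitizen configuration actually targets the PEP 621 field now (`version_provider = "pep621"`, or a `version_files` entry naming `pyproject.toml:version`), because a bump that still rewrites `tool.poetry.version` would leave `[project].version` stale again.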
Expand All @@ -92,6 +99,21 @@ exclude_also = [
"if TYPE_CHECKING:"
]

[tool.hatch.build.targets.wheel]
packages = ["bucketbase"]

[tool.hatch.build.targets.sdist]
include = [
"/.pytest.ini",
"/README.py.md",
"/bucketbase",
"/pyproject.toml",
"/tests",
"/upload.bat",
"/upload.sh",
"/uv.lock",
]

[build-system]
requires = ["poetry>=1.3"]
build-backend = "poetry.masonry.api"
requires = ["hatchling"]
build-backend = "hatchling.build"
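Review bot: the sdist include list ships `/upload.bat` and `/upload.sh`, maintainer publish scripts that have no use for someone building from the source tarball, and `/.pytest.ini` even though `pytest` is no longer in the dev group and the workflow runs `unittest`; trim the list to `/README.py.md`, `/bucketbase`, `/pyproject.toml`, `/tests` and `/uv.lock`, or add pytest back if the ini file is still meant to be used. The switch to `hatchling` with `packages = ["bucketbase"]` looks correct.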
4 changes: 2 additions & 2 deletions python/upload.bat
@@ -1,4 +1,4 @@
del .\dist\*.whl
del .\dist\*.gz
poetry build
twine upload dist/*.whl --verbose
uv build
uv run twine upload dist/*.whl --verbose
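Review bot: `uv build` produces both a wheel and an sdist, and the script deletes `.\dist\*.gz` beforehand, yet it uploads only `dist/*.whl`, so the sdist is built and never published; either upload `dist/*` or build only what is shipped with `uv build --wheel`. The missing fail-fast gating between the two commands is already covered in the comment below.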

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm there is no explicit error handling in upload.bat today.
nl -ba python/upload.bat
rg -n 'if errorlevel|\|\| exit /b' python/upload.bat

Repository: eSAMTrade/bucketbase

Length of output: 105


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== python/upload.bat (with line numbers) ==="
awk '{printf "%4d  %s\n", NR, $0}' python/upload.bat

echo
echo "=== Search for fail-fast / error propagation patterns ==="
rg -n --hidden --no-ignore-vcs 'if +errorlevel|errorlevel|exit */b|\\|\\| *exit */b|\\bexit\\b' python/upload.bat || true

Repository: eSAMTrade/bucketbase

Length of output: 313


Make the Windows publish path fail-fast.

Right now python/upload.bat runs uv build (line 3) and then always runs the twine upload step (line 4), with no success gating—so a build failure can still lead to uploading stale/bad artifacts.

Suggested fix
-uv build
-uv run twine upload dist/*.whl --verbose
+uv build || exit /b 1
+uv run twine upload dist/*.whl --verbose || exit /b 1
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uv build
uv run twine upload dist/*.whl --verbose
uv build || exit /b 1
uv run twine upload dist/*.whl --verbose || exit /b 1
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@python/upload.bat` around lines 3 - 4, The batch script runs "uv build" then
always runs "twine upload", which can upload when the build failed; modify
python/upload.bat so the upload step is gated on a successful build: after
running the "uv build" command (refer to the existing uv build invocation) check
its exit status and exit the script immediately if it failed (or use a
conditional chain so "twine upload dist/*.whl --verbose" only executes on
success), preserving the existing twine command and verbose flag.

8 changes: 5 additions & 3 deletions python/upload.sh
@@ -1,4 +1,6 @@
#!/bin/bash
rm ./dist/*.whl
poetry build
twine upload dist/*.whl
set -euo pipefail

rm -f ./dist/*.whl ./dist/*.tar.gz
uv build
uv run twine upload dist/*.whl --verbose
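Review bot: same asymmetry as `upload.bat`: `rm -f ./dist/*.whl ./dist/*.tar.gz` clears both artifacts and `uv build` regenerates both, yet only `dist/*.whl` is uploaded, so either pass `dist/*` to twine or use `uv build --wheel`. `set -euo pipefail` is a good addition and gives the shell version the fail-fast behaviour the `.bat` still lacks; without `nullglob`, an empty `dist/` is fine for `rm -f`, while `twine upload dist/*.whl` would receive the literal glob and fail, which is the desired outcome.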