From 4415a78761bdef8d68061cc631c9ce434f798a00 Mon Sep 17 00:00:00 2001 From: Derek Cofausper <256792747+decofe@users.noreply.github.com> Date: Thu, 9 Jul 2026 01:23:19 +0000 Subject: [PATCH 1/7] ci: add GitHub Actions scanner --- .github/workflows/changelog.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 38dc558..f9abe6c 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -24,12 +24,11 @@ jobs: -o "$HOME/.local/bin/changelogs" echo "d4168ee68b612224a26a39e86bfd2c923ac3dd2de12ee43d2bb65a5ea19df6b6 $HOME/.local/bin/changelogs" | sha256sum -c chmod +x "$HOME/.local/bin/changelogs" - - name: Install Claude CLI - run: npm install -g @anthropic-ai/claude-code@2.1.97 - name: Generate changelog env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} BASE_REF: ${{ github.base_ref }} + CLAUDE: npx -y @anthropic-ai/claude-code@2.1.97 --bare -p run: | rm -rf .claude/ CHANGED=$(git diff --name-only "origin/${BASE_REF}...HEAD") @@ -38,7 +37,7 @@ jobs: echo "No code changes requiring changelog, skipping" exit 0 fi - ~/.local/bin/changelogs add --ecosystem python --ai "claude --bare -p" --ref "origin/${BASE_REF}" + ~/.local/bin/changelogs add --ecosystem python --ai "$CLAUDE" --ref "origin/${BASE_REF}" - name: Commit changelog env: GH_TOKEN: ${{ github.token }} From 2fb7422cabfbaf1b8f6d2462b10dae12ea97654a Mon Sep 17 00:00:00 2001 From: Derek Cofausper <256792747+decofe@users.noreply.github.com> Date: Thu, 9 Jul 2026 01:23:20 +0000 Subject: [PATCH 2/7] ci: add GitHub Actions scanner --- .github/workflows/conformance.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 98bc8bc..6ef3b67 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -22,7 +22,7 @@ concurrency: jobs: conformance-policy: - uses: tempoxyz/mpp-tools/.github/workflows/sdk-conformance-policy.yml@main + uses: tempoxyz/mpp-tools/.github/workflows/sdk-conformance-policy.yml@924710544d534332220d164bfa5747340bb85f93 with: protocol-paths: | src/** @@ -31,7 +31,7 @@ jobs: conformance: needs: conformance-policy - uses: tempoxyz/mpp-tools/.github/workflows/sdk-conformance.yml@main + uses: tempoxyz/mpp-tools/.github/workflows/sdk-conformance.yml@924710544d534332220d164bfa5747340bb85f93 with: adapter: python conformance-ref: ${{ needs.conformance-policy.outputs.conformance_ref }} From 2a0d3b9a21d5653dca814d1dee98f517e26f93e1 Mon Sep 17 00:00:00 2001 From: Derek Cofausper <256792747+decofe@users.noreply.github.com> Date: Thu, 9 Jul 2026 01:23:22 +0000 Subject: [PATCH 3/7] ci: add GitHub Actions scanner --- .github/workflows/scan-github-actions.yml | 24 +++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/scan-github-actions.yml diff --git a/.github/workflows/scan-github-actions.yml b/.github/workflows/scan-github-actions.yml new file mode 100644 index 0000000..6737d81 --- /dev/null +++ b/.github/workflows/scan-github-actions.yml @@ -0,0 +1,24 @@ +name: Scan GitHub Actions + +on: + pull_request: + paths: + - ".github/**" + push: + branches: + - main + paths: + - ".github/**" + workflow_dispatch: + schedule: + - cron: "19 7 * * 1" + +permissions: + contents: read + +jobs: + scan: + name: Scan GitHub Actions + uses: tempoxyz/gh-actions/.github/workflows/scan-github-actions.yml@512158c4e90e42eef8aa7fc3fc3186a79b5b4648 + permissions: + contents: read From a4bfaf08524e9f5903d35ffba2b80a11343fc9d3 Mon Sep 17 00:00:00 2001 From: Derek Cofausper <256792747+decofe@users.noreply.github.com> Date: Thu, 9 Jul 2026 05:09:49 +0000 Subject: [PATCH 4/7] ci: allow GitHub Actions scanner to read actions metadata --- .github/workflows/scan-github-actions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan-github-actions.yml b/.github/workflows/scan-github-actions.yml index 6737d81..c72b073 100644 --- a/.github/workflows/scan-github-actions.yml +++ b/.github/workflows/scan-github-actions.yml @@ -13,12 +13,12 @@ on: schedule: - cron: "19 7 * * 1" -permissions: - contents: read +permissions: {} jobs: scan: name: Scan GitHub Actions uses: tempoxyz/gh-actions/.github/workflows/scan-github-actions.yml@512158c4e90e42eef8aa7fc3fc3186a79b5b4648 permissions: + actions: read contents: read From 84cfe4a7eacbac9319fe2949514a491842e5065c Mon Sep 17 00:00:00 2001 From: Derek Cofausper <256792747+decofe@users.noreply.github.com> Date: Thu, 9 Jul 2026 05:12:43 +0000 Subject: [PATCH 5/7] ci: fix GitHub Actions scanner findings From 6712f4b120a4143d391949a7b7b0e39134bca2b3 Mon Sep 17 00:00:00 2001 From: Derek Cofausper <256792747+decofe@users.noreply.github.com> Date: Thu, 9 Jul 2026 05:12:44 +0000 Subject: [PATCH 6/7] ci: fix GitHub Actions scanner findings --- .github/workflows/pr-audit.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-audit.yml b/.github/workflows/pr-audit.yml index ef2e84d..b2a7d63 100644 --- a/.github/workflows/pr-audit.yml +++ b/.github/workflows/pr-audit.yml @@ -38,7 +38,8 @@ jobs: echo "$EVENTS_KEY" > "$RUNNER_TEMP/key" echo "$EVENTS_CERT" > "$RUNNER_TEMP/cert" - curl -sf -o /dev/null -X POST ${EVENTS_ARGS} \ + read -r -a events_args <<< "${EVENTS_ARGS:-}" + curl -sf -o /dev/null -X POST "${events_args[@]}" \ -H "Content-Type: application/json" \ --key "$RUNNER_TEMP/key" \ --cert "$RUNNER_TEMP/cert" \ From 6e28dcb51f2dfff046951fcf0757a5a14d32aa16 Mon Sep 17 00:00:00 2001 From: Derek Cofausper <256792747+decofe@users.noreply.github.com> Date: Thu, 9 Jul 2026 05:12:45 +0000 Subject: [PATCH 7/7] ci: fix GitHub Actions scanner findings --- .github/workflows/ci.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 42a426d..a29d9cb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,7 +62,7 @@ jobs: - name: Add venv to PATH if: matrix.python-version == '3.12' - run: echo "$PWD/.venv/bin" >> $GITHUB_PATH + run: echo "$PWD/.venv/bin" >> "$GITHUB_PATH" - name: Type check if: matrix.python-version == '3.12' @@ -74,11 +74,11 @@ jobs: env: PYTHON_VERSION: ${{ matrix.python-version }} run: | - COV_REPORTS="--cov-report=term-missing" + cov_reports=(--cov-report=term-missing) if [[ "$PYTHON_VERSION" == "3.12" ]]; then - COV_REPORTS="$COV_REPORTS --cov-report=xml:coverage.xml --cov-report=html:htmlcov" + cov_reports+=(--cov-report=xml:coverage.xml --cov-report=html:htmlcov) fi - uv run pytest -v --cov=mpp $COV_REPORTS --cov-fail-under=90 + uv run pytest -v --cov=mpp "${cov_reports[@]}" --cov-fail-under=90 - name: Upload coverage artifacts if: always() && matrix.python-version == '3.12' @@ -115,7 +115,7 @@ jobs: - name: Resolve Tempo image digest id: tempo-digest run: | - digest=$(docker buildx imagetools inspect ghcr.io/tempoxyz/tempo:${TEMPO_TAG} --raw | sha256sum | cut -d' ' -f1) + digest=$(docker buildx imagetools inspect "ghcr.io/tempoxyz/tempo:${TEMPO_TAG}" --raw | sha256sum | cut -d' ' -f1) echo "digest=${digest}" >> "$GITHUB_OUTPUT" - name: Cache Tempo Docker image @@ -132,8 +132,8 @@ jobs: - name: Pull and cache Tempo image if: steps.docker-cache.outputs.cache-hit != 'true' run: | - docker pull ghcr.io/tempoxyz/tempo:${TEMPO_TAG} - docker save ghcr.io/tempoxyz/tempo:${TEMPO_TAG} -o /tmp/tempo-image.tar + docker pull "ghcr.io/tempoxyz/tempo:${TEMPO_TAG}" + docker save "ghcr.io/tempoxyz/tempo:${TEMPO_TAG}" -o /tmp/tempo-image.tar - name: Start Tempo devnet and Redis run: docker compose up -d --wait