Squashed '.github/actions/gh-action-pip-audit/' changes from 9075e938…

…d..d499194be d499194be README: prep 1.0.8 cf52d21d8 Remove pin on requests (fixes #41) (#42) 3ac8fed01 README: prep 1.0.7 (#40) f7e969538 requirements: constrain requests below 2.30 (#39) 28aa5e1be New issue templates (#37) 1abec09c8 action: replace `internal-be-careful-debug` (#36) 75edeacda README: prep 1.0.6 (#34) 666b1b883 Check that output file exists before opening (#33) git-subtree-dir: .github/actions/gh-action-pip-audit git-subtree-split: d499194be74aeb3bc7dbed3a224a87e1831132c7
apache · Jul 31, 2023 · 21f6883 · 21f6883
1 parent 3bc7b0b
commit 21f6883
Show file tree

Hide file tree

Showing 9 changed files with 197 additions and 49 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,64 @@
+name: Bug report
+description: Report a bug with pip-audit's GitHub Action
+labels: bug
+body:
+  - type: markdown
+    attributes:
+      value: >-
+        Thank you for reporting a potential bug in `gh-action-pip-audit`! Please
+        read the following carefully:
+
+
+        **IMPORTANT:** This issue tracker is for `pip-audit`'s
+        **GitHub Action**, the scaffolding that integrates `pip-audit` with your
+        CI. If the buggy behavior you are experiencing appears to be in
+        `pip-audit`, please file an issue
+        [against the `pip-audit` repo](https://github.com/pypa/pip-audit/issues/new/choose).
+
+
+        **IMPORTANT:** Please fill out every section below. Bug reports with
+        missing information will be given a lower priority or closed outright.
+
+
+        Before filing an issue, check out our
+        [troubleshooting guide](https://github.com/pypa/gh-action-pip-audit#troubleshooting) :)
+  - type: textarea
+    id: current-behavior
+    attributes:
+      label: Current behavior
+      description: >-
+        What issue are you having with the action? What were you trying to do
+        when the issue occurred?
+      placeholder: The action run succeeds when I ...
+    validations:
+      required: true
+  - type: textarea
+    id: expected-behavior
+    attributes:
+      label: Expected behavior
+      description: What should've happened instead?
+      placeholder: I expected the action run to fail.
+    validations:
+      required: true
+  - type: textarea
+    id: repro
+    attributes:
+      label: Steps to reproduce
+      description: What are the detailed steps we can follow to trigger this issue?
+      placeholder: |-
+        1. ...
+        2. ...
+        3. ...
+    validations:
+      required: true
+  - type: textarea
+    id: context
+    attributes:
+      label: Relevant context
+      description: >-
+        Please include a link to an action run, as well as any logs that you think might
+        be helpful! You can
+        [follow these instructions](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow)
+        to re-run the action with debug logging.
+    validations:
+      required: true
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: pip-audit's issue tracker
+    url: https://github.com/pypa/pip-audit/issues/new/choose
+    about: >-
+      You may want to file a report on pip-audit instead if your issue is not
+      directly related to this GitHub Action
+  - name: Troubleshooting guide
+    url: https://github.com/pypa/gh-action-pip-audit#troubleshooting
+    about: >-
+      Learn how to fix some common issues or enable debug logging here
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -0,0 +1,50 @@
+name: Feature request
+description: Suggest an idea for pip-audit's GitHub Action
+labels: enhancement
+body:
+  - type: markdown
+    attributes:
+      value: >-
+        Thank you for filing a feature request for `gh-action-pip-audit`! Please
+        read the following carefully:
+
+
+        **IMPORTANT:** This form is for `pip-audit`'s **GitHub Action**, the
+        scaffolding that integrates `pip-audit` with your CI. If you would like
+        a new feature in `pip-audit` itself, please go to
+        [the `pip-audit` repo](https://github.com/pypa/pip-audit/issues/new/choose).
+
+
+        **IMPORTANT:** Please fill out every required section below to the best
+        of your ability. Feature requests with missing information may be given
+        a lower priority or closed outright.
+  - type: textarea
+    id: problem
+    attributes:
+      label: Is your feature request related to a problem?
+      description: Describe how the current solution is deficient.
+      placeholder: I am frustrated when ...
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Describe the solution you'd like
+      description:
+      placeholder: I think gh-action-pip-audit would benefit from ...
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives-considered
+    attributes:
+      label: Alternative solutions or features you've considered
+      description:
+      placeholder:
+    validations:
+      required: true
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Add any context or screenshots related to the feature request.
+      placeholder:
diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
@@ -88,3 +88,21 @@ jobs:
           PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
         run: |
           grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
+  selftest-pipaudit-fail:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./
+        id: pip-audit
+        with:
+          # we do not care about pip-audit's actual output in this test, we just need a file to pass
+          # in so as to not exercise `pip list` mode.
+          inputs: ./test/empty.txt
+          # pass in a fake flag here to reliably trigger the failure we're looking for.
+          internal-be-careful-extra-flags: --not-a-real-pip-audit-flag
+          internal-be-careful-allow-failure: true
+      - name: assert expected output
+        env:
+          PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
+        run: |
+          grep 'pip-audit did not return any output' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
diff --git a/README.md b/README.md
@@ -32,7 +32,7 @@ jobs:
       - uses: actions/checkout@v3
       - name: install
         run: python -m pip install .
-      - uses: pypa/[email protected].5
+      - uses: pypa/[email protected].8
 ```
 
 Or, with a virtual environment:
@@ -48,7 +48,7 @@ jobs:
           python -m venv env/
           source env/bin/activate
           python -m pip install .
-      - uses: pypa/[email protected].5
+      - uses: pypa/[email protected].8
         with:
           virtual-environment: env/
 ```
@@ -72,15 +72,15 @@ The `inputs` setting controls what sources `pip-audit` runs on.
 To audit one or more requirements-style inputs:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     inputs: requirements.txt dev-requirements.txt
 ```
 
 To audit a project that uses `pyproject.toml` for its dependencies:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     # NOTE: this can be `.`, for the current directory
     inputs: path/to/project/
@@ -108,7 +108,7 @@ Example: use the virtual environment specified at `env/`, relative to the
 current directory:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     virtual-environment: env/
     # Note the absence of `input:`, since we're auditing the environment.
@@ -128,7 +128,7 @@ installed directly into the current environment are included.
 Example:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     local: true
 ```
@@ -145,7 +145,7 @@ It's directly equivalent to `pip-audit --vulnerability-service=...`.
 To audit with OSV instead of PyPI:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     vulnerability-service: osv
 ```
@@ -160,7 +160,7 @@ It's directly equivalent to `pip-audit --require-hashes ...`.
 Example:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     # NOTE: only works with requirements-style inputs
     inputs: requirements.txt
@@ -177,7 +177,7 @@ It's directly equivalent to `pip-audit --no-deps ...`.
 Example:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     # NOTE: only works with requirements-style inputs
     inputs: requirements.txt
@@ -195,7 +195,7 @@ is rendered at the end of the action.
 Example:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     summary: false
   ```
@@ -214,7 +214,7 @@ indices to search (such as a corporate index with private packages), see
 Example:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     index-url: https://example.corporate.local/simple
 ```
@@ -229,7 +229,7 @@ indexes to search when resolving dependencies. Each URL is whitespace-separated.
 Example:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     extra-index-urls: |
       https://example.corporate.local/simple
@@ -246,7 +246,7 @@ ignore (i.e., exclude from the results) if present. Each ID is whitespace-separa
 Example
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     ignore-vulns: |
       GHSA-XXXX-YYYYYY
@@ -276,29 +276,24 @@ Example
   Example:
 
   ```yaml
-  - uses: pypa/[email protected].5
+  - uses: pypa/[email protected].8
     with:
       internal-be-careful-allow-failure: true
   ```
 
-  #### `internal-be-careful-debug`
+#### `internal-be-careful-extra-flags`
+**Default**: `""`
 
-  **Default**: `false`
-
-  The `internal-be-careful-debug` setting enables additional debug logs,
-  both within `pip-audit` itself and the action's harness code. You can
-  use it to debug troublesome configurations.
+The `internal-be-careful-extra-flags` setting passes the specified flags
+to `pip-audit`.
 
-  Be mindful that `pip-audit`'s own debug logs contain HTTP requests,
-  which may or may not be sensitive in your use case.
-
-  Example:
+Example:
 
-  ```yaml
-  - uses: pypa/[email protected].5
-    with:
-      internal-be-careful-debug: true
-  ```
+```yaml
+- uses: pypa/[email protected].8
+  with:
+    internal-be-careful-extra-flags: --not-a-real-pip-audit-flag
+```
 
 </details>
 
@@ -312,7 +307,7 @@ If you're auditing a requirements file, consider setting `no-deps: true` or
 `require-hashes: true`:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     inputs: requirements.txt
     require-hashes: true
@@ -321,7 +316,7 @@ If you're auditing a requirements file, consider setting `no-deps: true` or
 or:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     inputs: requirements.txt
     no-deps: true
@@ -342,7 +337,7 @@ by the host system itself, or other Python projects that happen to be installed.
 To minimize external dependencies, you can opt into a virtual environment:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     # must be populated earlier in the CI
     virtual-environment: env/
@@ -352,13 +347,19 @@ and, more aggressively, specify that only dependencies marked as "local"
 in the virtual environment should be included:
 
 ```yaml
-- uses: pypa/[email protected].5
+- uses: pypa/[email protected].8
   with:
     # must be populated earlier in the CI
     virtual-environment: env/
     local: true
 ```
 
+### There's an issue with the action and I want to enable debug logging!
+
+The action prints debug information when the `ACTIONS_STEP_DEBUG` secret is set
+to `true``. You should be able to enable this behavior by
+[following these instructions](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs#re-running-all-the-jobs-in-a-workflow).
+
 ## Tips and Tricks
 
 ### Running against a pipenv project
@@ -382,7 +383,7 @@ jobs:
         run: |
           pipx run pipfile-requirements Pipfile.lock > requirements.txt
 
-      - uses: pypa/[email protected].5
+      - uses: pypa/[email protected].8
         with:
           inputs: requirements.txt
 ```