
fix snyk security scan on CI #4875

Merged, 14 commits, Aug 20, 2024

Conversation

@joeyorlando (Contributor) commented Aug 20, 2024

Which issue(s) this PR closes

Closes #4503
Closes https://github.com/grafana/oncall-private/issues/2876

Checklist

  • [ ] Unit, integration, and e2e (if applicable) tests updated
  • [x] Documentation added (or pr:no public docs PR label added if not required)
  • [x] Added the relevant release notes label (see labels prefixed w/ release:). These labels dictate how your PR will show up in the autogenerated release notes.

@joeyorlando added labels pr:no public docs (added to a PR that does not require public documentation updates) and release:ignore (PR will not be added to release notes), Aug 20, 2024
@joeyorlando requested a review from a team, August 20, 2024 16:00
Comment on lines 26 to 33
- name: snyk monitor
# https://docs.snyk.io/snyk-cli/commands/monitor
run: snyk monitor --all-projects --severity-threshold=high --exclude=dev,tools
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: snyk test
# https://docs.snyk.io/snyk-cli/commands/test
run: snyk test --all-projects --severity-threshold=high --exclude=dev,tools --fail-on=all
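Review bot: `--fail-on=all` on the `snyk test` line narrows the failure condition rather than widening it. In the Snyk CLI, `--fail-on` (all | upgradable | patchable) makes the command fail only when a vulnerability that has a fix available is found, so a high or critical issue with no upgrade or patch would no longer fail the job. If the intent is to fail on anything at or above the threshold, drop `--fail-on=all` and rely on `--severity-threshold=high`; if the intent really is "fail only on fixable issues", say so in the comment above the step so the next reader does not assume the stricter reading. Two smaller points: `--exclude=dev,tools` takes directory and file names, not paths, so any nested `dev` or `tools` directory is skipped as well, and running `snyk monitor` before `snyk test` is the right order, since the snapshot is then uploaded even when the test step fails.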
@joeyorlando (Contributor, author) commented:

main change of this PR

Comment on lines -173 to +181
"stylelint": "^13.13.1",
"stylelint": "^14.0.0",
"stylelint-config-standard": "^22.0.0",
"throttle-debounce": "^2.1.0",
"tinycolor2": "^1.6.0",
"tslib": "2.5.3"
},
"resolutions": {
"braces": "3.0.3"
"braces": "3.0.3",
"micromatch": "4.0.6"
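Review bot: the new `"micromatch": "4.0.6"` entry under `resolutions` forces that exact version onto every dependent in the tree, and like the existing `braces` pin it will silently hold the package there after dependents move past it. Record in the PR description (or a tracking issue, since package.json cannot carry comments) which transitive dependent pulls in the old `micromatch` and which advisory the pin addresses, so the override can be removed once that dependent upgrades, and make sure the lockfile was regenerated in the same change so the resolution actually takes effect. For the `stylelint` bump from `^13.13.1` to `^14.0.0`, check that the companion `stylelint-config-standard` range (`^22.0.0` on the next line) is one that declares stylelint 14 as a supported peer, otherwise the lint run will warn or fail on peer resolution.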
@joeyorlando (Contributor, author) commented:

patches https://github.com/grafana/oncall-private/issues/2876 (and appeases the failing snyk test 🙂)

@@ -23,5 +23,5 @@ runs:
if: ${{ inputs.install-dependencies == 'true' }}
shell: bash
run: |
pip install uv setuptools
pip install uv==0.2.37 setuptools==73.0.0
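Review bot: hard-coding `uv==0.2.37 setuptools==73.0.0` in this composite action duplicates a version decision that, per the discussion on this PR, already lives in engine/requirements.txt and the Dockerfile, so the three copies will drift the next time one of them is bumped. If the pin is meant to stay, source it from one place (for example, install setuptools from the same requirements file the image uses) rather than repeating the literal here; if it was only for local testing, revert it before merge as the thread proposes. Note also that an exact pin without `--require-hashes` still trusts whatever the index serves for that version, so the pin alone is not a supply-chain control.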
Contributor (reviewer) commented:

Curious, why we need to pin here?

@joeyorlando (Contributor, author) replied:

good catch. I'll revert this, was just testing a few things.

snyk was complaining about a CVE in setuptools=68.0.0. I'm not able to reproduce our environment installing this version though (engine/requirements.txt pins 73.0.0 and this GitHub Action, + our Dockerfile, also install 73.0.0 without the pin). so I permanently ignored this warning in snyk for now.
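
The kind of check behind the comment above, which setuptools the build actually pins versus what is installed, and whether either is at or above the version an advisory names, can be scripted rather than eyeballed. The following is an added example and is not code from this PR or from the grafana/oncall code base; the requirements text, the extra package names in it, and the minimum version passed to audit() are constructed for illustration (take the real minimum from the advisory itself).

```python
"""Compare a requirements.txt pin with the installed package and a minimum
version. Added example; the REQUIREMENTS text below is constructed and is
not the contents of engine/requirements.txt."""
import re
from importlib import metadata

# Constructed stand-in for a requirements file (assumption, not the real one).
REQUIREMENTS = """\
# constructed sample, not grafana/oncall's real engine/requirements.txt
django>=4.2,<5
setuptools==73.0.0   # pinned after the scanner flagged 68.0.0
uv==0.2.37 ; python_version >= "3.8"
requests[security]>=2.31
"""

# name, optional [extras], first comparison operator, and its version.
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|<=|~=|>|<)\s*([0-9][0-9A-Za-z.]*)"
)


def normalize(name):
    """PyPI names are case-insensitive and treat '_' and '-' alike."""
    return name.lower().replace("_", "-")


def parse_requirements(text):
    """Return {normalized name: (operator, version)} for every line that
    carries a version specifier. Comments ('#'), environment markers (';')
    and blank lines are dropped; only the first specifier of a line is kept,
    which is all an '==' pin check needs."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        name, _extras, op, version = m.groups()
        pins[normalize(name)] = (op, version)
    return pins


def version_tuple(v):
    """Numeric comparison key: '73.0.0' -> (73, 0, 0). Parsing stops at the
    first non-numeric segment, so '1.0rc1' -> (1, 0); good enough for
    release versions, not a full PEP 440 implementation."""
    parts = []
    for segment in v.split("."):
        num = re.match(r"\d+", segment)
        if not num:
            break
        parts.append(int(num.group()))
    return tuple(parts)


def pinned_version(text, name):
    """Exact '==' pin for `name`, or None if the file does not pin it."""
    entry = parse_requirements(text).get(normalize(name))
    if entry is None or entry[0] != "==":
        return None
    return entry[1]


def satisfies_minimum(version, minimum):
    return version_tuple(version) >= version_tuple(minimum)


def installed_version(name):
    """Version of `name` in the current interpreter, or None if absent."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


def audit(text, name, minimum):
    """Report the pin, the installed version, and whether each meets
    `minimum` (the fixed-in version from the advisory; assumed here)."""
    pinned = pinned_version(text, name)
    installed = installed_version(name)
    return {
        "pinned": pinned,
        "installed": installed,
        "pin_ok": pinned is not None and satisfies_minimum(pinned, minimum),
        "installed_ok": installed is not None and satisfies_minimum(installed, minimum),
    }


if __name__ == "__main__":
    # "70.0.0" is an assumed minimum, not the advisory's real fixed version.
    print(audit(REQUIREMENTS, "setuptools", "70.0.0"))
```

Run it once against the real requirements file on a developer machine and once inside the built image; if `pinned` and `installed` agree and both satisfy the advisory's minimum, the scanner finding came from a manifest other than the one the build uses, which is the thing to fix rather than ignore. Where an ignore is still needed, prefer one with an expiry so it is revisited rather than kept indefinitely.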

@joeyorlando joeyorlando merged commit 081c6bd into dev Aug 20, 2024
24 checks passed
@joeyorlando joeyorlando deleted the jorlando/fix-snyk-ci-security-scan branch August 20, 2024 19:06
brojd pushed a commit that referenced this pull request Sep 18, 2024
Labels: pr:no public docs, release:ignore
Linked issue (closed by this merge): Fix Snyk security scan CI workflow
2 participants