ci/security/test: automated audit fixes for FirstradePlatform#186
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 105596bfec
| readme = "README.md" | ||
| requires-python = ">=3.11" | ||
| license = { text = "MIT" } | ||
| license = "MIT" |
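Review bot: `project.license` changes type in this hunk from a table (`{ text = "MIT" }`) to a bare string, so any in-repo tooling that reads `license.text` out of the parsed `pyproject.toml` would now receive a `str` and fail; check for such readers in the same PR. Since only newer setuptools accepts the SPDX string form, raise the `build-system.requires` lower bound in the same change rather than relying on whatever version the build environment happens to resolve.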
Require setuptools 77 for SPDX license metadata
With this change, builds now depend on PEP 639/SPDX-string project.license support, but build-system.requires still allows setuptools>=68. In any build environment or package mirror that resolves setuptools 68–76, the backend can reject this field as requiring the old dict/table form; the PyPA guide lists setuptools 77.0.3 as the version that introduced this support (https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license). Please either raise the build-system lower bound or keep the table syntax until the lower bound is updated.
| if m: | ||
| violations.append(f"**Hardcoded secret** in `{current}`: `{m.group(0)[:100]}`") | ||
| field = re.sub(r"\s+", "_", m.group("field").strip().lower()) | ||
| violations.append(f"**Hardcoded secret** in `{current}`: `{field}=<redacted>`") |
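Review bot: the new violation line calls `m.group("field")`, which assumes every secret pattern that can produce `m` defines a named group `field`; a pattern without it makes the gate crash with `IndexError: no such group` on its first hit instead of reporting a violation, so either guarantee the group in every pattern or fall back to a fixed label when `m.groupdict().get("field")` is `None`. Dropping `m.group(0)[:100]` is the right call, since the old message copied up to 100 characters of the matched secret into CI output; now that the message carries no matched text, add a non-secret discriminator such as the line number so two hits with the same normalized field in one file remain distinct entries.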
Preserve distinct secret hits when redacting values
When a PR adds multiple hardcoded secrets with the same normalized field in the same file, such as two *_API_KEY assignments, this redacted message is identical for each match and the existing dict.fromkeys de-duplication collapses them into one violation. The gate still blocks, but it underreports the number of secrets and can force repeated CI cycles as each hidden occurrence is discovered only after earlier ones are fixed; include a non-secret discriminator such as an occurrence or line number.
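The collapse described in the comment above, shown as an added example that is not part of the PR or of the project's gate script: a small diff scanner over a constructed sample diff, using an assumed simplified secret pattern (`SECRET_RE`) with the named group `field` that the hunk relies on, and the same field normalization as the hunk. Run once redacting to the field name alone and once with the new-file line number as a discriminator, so the underreporting is visible.

```python
import re

# Constructed sample diff (not from the PR): one file adds the same secret field
# twice with different placeholder values; the values are made up, not real keys.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,4 @@
 import os
+STRIPE_API_KEY = "sk_test_EXAMPLE_0000000001"
 DEBUG = False
+stripe_api_key = "sk_test_EXAMPLE_0000000002"
"""

# Simplified secret pattern (an assumption; the gate script's real patterns are
# not on the page). It exposes the named group "field" used by the hunk.
SECRET_RE = re.compile(
    r'(?P<field>\b[\w ]*?(?:api_key|secret|token|password))\s*=\s*["\'](?P<value>[^"\']{8,})["\']',
    re.IGNORECASE,
)
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(?P<start>\d+)(?:,\d+)? @@")


def scan_diff(diff_text: str, with_line: bool) -> list[str]:
    # with_line=False reproduces the collapse: equal normalized fields in one file
    # yield identical messages and dict.fromkeys keeps a single one.
    # with_line=True adds the new-file line number as a non-secret discriminator.
    violations: list[str] = []
    current = "<unknown>"
    new_line = 0  # line number in the post-change file
    for raw in diff_text.splitlines():
        if raw.startswith("+++ b/"):
            current = raw[6:]
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group("start"))
            continue
        if raw.startswith("-"):
            continue  # removed lines do not advance the new-file counter
        line_no, new_line = new_line, new_line + 1
        if not raw.startswith("+"):
            continue
        m = SECRET_RE.search(raw[1:])
        if not m:
            continue
        field = re.sub(r"\s+", "_", m.group("field").strip().lower())
        where = f"{current}:{line_no}" if with_line else current
        violations.append(f"**Hardcoded secret** in `{where}`: `{field}=<redacted>`")
    return list(dict.fromkeys(violations))
```

Neither output contains any part of the matched values, which is the property the redaction change in the hunk is meant to guarantee.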
Summary
- project.license table deprecation warning by switching to SPDX string form
Problems found
- pip check, Ruff, or build verification
- pyproject.toml used deprecated table syntax for project.license
Fixes applied
- scripts/gate_codex_app_review.py and keep only normalized field names
- tests/test_gate_codex_app_review.py regression coverage
- python -m build to .github/workflows/ci.yml
- pip check, Ruff, pytest, and build in CONTRIBUTING.md
- pyproject.toml license metadata to "MIT"
Security impact
Architecture impact
Tests run
- .venv-ci/bin/python -m pip check
- .venv-ci/bin/ruff check --exclude external .
- .venv-ci/bin/python -m pytest -q tests/test_gate_codex_app_review.py
- .venv-ci/bin/python -m pytest -q
- SSL_CERT_FILE=$(.venv-ci/bin/python -c 'import certifi; print(certifi.where())') .venv-ci/bin/python scripts/check_qpk_pin_consistency.py
- .venv-ci/bin/python -m build
- actionlint
- git diff --check
Failed or skipped checks with reasons
- pip-audit was not run because pip_audit is not installed in the local validation environment
Deployment notes
Rollback plan
- 105596b or revert the PR squash commit if follow-up issues appear
Manual follow-up checklist