Recovery editor note + refresh CI action pins + scaffold M15 merge (#43,#44,#50) #66
@@ -296,6 +296,11 @@ do them once on purpose now.
|
||||
git log --oneline -3 # you'll see a "Revert ..." commit on top
|
||||
```
|
||||
|
||||
> `git revert` drops you into your text editor with a pre-filled "Revert …" message — save and
|
||||
> close it (in vim, type `:wq` then Enter; in nano, Ctrl-O then Ctrl-X). Or add `--no-edit` to
|
||||
> keep that default message and skip the editor entirely: `git revert -m 1 HEAD --no-edit`. Either
|
||||
> way you end up with the same "Revert …" commit.
|
||||
|
||||
7. Prove you're recovered — and notice nothing was erased:
|
||||
|
||||
```bash
|
||||
|
||||
@@ -119,9 +119,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out the code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v7
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v5
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: "3.12"
|
||||
- name: Install tools
|
||||
@@ -371,7 +371,7 @@ CI YAML and the actions it references drift faster than the rest of this durable
|
||||
Re-check at build time:
|
||||
|
||||
- [ ] **Action versions.** Confirm `actions/checkout` and `actions/setup-python` major versions in
|
||||
`ci-starter.yml` are current and not deprecated. Pinned majors (`@v4`, `@v5`) age.
|
||||
`ci-starter.yml` are current and not deprecated. Pinned majors (`@v7`, `@v6`) age.
|
||||
- [ ] **Runner labels.** Confirm `ubuntu-latest` (and any GitLab `image:` tag) still resolves to a
|
||||
supported image; default runner OS versions roll forward.
|
||||
- [ ] **Trigger and config syntax.** Verify the `on:` keys and overall workflow schema against the
|
||||
|
||||
@@ -25,11 +25,11 @@ jobs:
|
||||
steps:
|
||||
# Step 1: get your code onto the runner. Without this the runner is empty.
|
||||
- name: Check out the code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v7
|
||||
|
||||
# Step 2: install the language the project needs. Pin a version so CI matches what you run.
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v5
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: "3.12"
|
||||
|
||||
|
||||
@@ -337,10 +337,57 @@ runs on every push and blocks the merge.
|
||||
each non-zero exit. Re-apply your Part B/C fixes (and re-stage), run it once more, and it should
|
||||
pass.
|
||||
|
||||
2. Add a security step to your pipeline that calls it. `lab/ci-security.yml` is a provider-neutral
|
||||
snippet — a job that installs the scanners and runs the script. Slot its steps into the workflow
|
||||
you built in Module 14 (the exact YAML keys follow whatever host that module used; the *shape* —
|
||||
install tools, run the gate, fail on findings — is identical everywhere).
|
||||
2. Merge the security steps into your pipeline. `lab/ci-security.yml` shows the gate as a
|
||||
self-contained, provider-neutral job — check out, set up Python, install the scanners, run the
|
||||
script. But the `check` job you built in Module 14 *already* checks out the code and sets up
|
||||
Python, so you don't want a second job duplicating that work. You want its two **new** steps —
|
||||
**install the scanners** and **run the gate** — added to the steps you already have. (Checkout and
|
||||
Python are in the snippet only so it reads as a complete example; skip them when you merge.)
|
||||
|
||||
Here is exactly where they go. **Before** — the tail of your Module 14 `check` job (GitHub Actions
|
||||
flavor, matching `ci-starter.yml`; on GitLab the same two steps drop into the job's `script:`):
|
||||
|
||||
```yaml
|
||||
jobs:
|
||||
check:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out the code
|
||||
uses: actions/checkout@v7
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: "3.12"
|
||||
- name: Install tools
|
||||
run: pip install ruff
|
||||
- name: Lint
|
||||
run: ruff check .
|
||||
- name: Test
|
||||
run: python -m unittest
|
||||
```
|
||||
|
||||
**After** — the same job with the two security steps appended; nothing else changes:
|
||||
|
||||
```diff
|
||||
- name: Lint
|
||||
run: ruff check .
|
||||
- name: Test
|
||||
run: python -m unittest
|
||||
+ - name: Install scanners
|
||||
+ run: pip install pip-audit detect-secrets
|
||||
+ - name: Run the security gate
|
||||
+ run: |
|
||||
+ chmod +x security-scan.sh
|
||||
+ ./security-scan.sh
|
||||
```
|
||||
|
||||
> **YAML is indentation-sensitive — match the existing steps' indentation exactly.** Each new
|
||||
> `- name:` lines up in the *same column* as the steps above it, and the keys under it (`run:`) sit
|
||||
> one level deeper. A step pasted even one space off will silently attach to the wrong block or
|
||||
> fail to parse, and the whole workflow breaks. If you'd rather keep the gate as its own job (some
|
||||
> teams prefer the isolation), copy `ci-security.yml` in whole as a second job under `jobs:` in the
|
||||
> same workflow file instead — that is exactly why it carries its own checkout and Python steps.
|
||||
> The *shape* — install tools, run the gate, fail on findings — is identical everywhere.
|
||||
|
||||
3. Prove the gate has teeth: re-introduce the hardcoded key in `config.py`, commit, and push. Watch
|
||||
the pipeline go **red** on the security step even though lint, build, and tests are still green.
|
||||
@@ -401,6 +448,10 @@ reproducible.
|
||||
> **Expansion-zone module — these facts move fast.** Re-check at build/publish time; don't ship the
|
||||
> claims above from memory.
|
||||
|
||||
- [ ] **Pinned CI action versions.** The `ci-security.yml` snippet (and the Part D before/after diff)
|
||||
pin `actions/checkout` and `actions/setup-python` to major versions (`@v7`/`@v6` at build time).
|
||||
Pinned majors age — confirm they're current and not deprecated against the host's docs, the same
|
||||
check the Module 14 and Module 18 CI/CD checklists carry.
|
||||
- [ ] **Scanner names and install methods.** Confirm `pip-audit`, `detect-secrets`, and `bandit` are
|
||||
still maintained and still install as shown. If any has stalled, swap in a current equivalent
|
||||
from the *same category* and keep the prose category-first, not tool-first.
|
||||
|
||||
@@ -22,12 +22,12 @@ jobs:
|
||||
runs-on: ubuntu-latest # or your self-hosted runner label (Module 19)
|
||||
steps:
|
||||
- name: Check out the code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v7
|
||||
# Secret scanning cares about history. If your tool scans commits (not just the working
|
||||
# tree), fetch full history here — e.g. set `with: { fetch-depth: 0 }`.
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v5
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: "3.x"
|
||||
|
||||
|
||||
@@ -23,8 +23,8 @@ jobs:
|
||||
check:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-python@v5
|
||||
- uses: actions/checkout@v7
|
||||
- uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: "3.12"
|
||||
- run: pip install pytest ruff
|
||||
@@ -38,7 +38,7 @@ jobs:
|
||||
if: github.ref == 'refs/heads/main'
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v7
|
||||
|
||||
# Log in to your container registry (Module 16's images need a durable home, like a Git remote
|
||||
# is for commits). Registry/credentials are provider-specific — supply them as secrets,
|
||||
|
||||
@@ -26,10 +26,10 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Check out the code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v7
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v5
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: "3.12"
|
||||
|
||||
|
||||
@@ -37,10 +37,10 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Check out the code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v7
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v5
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: "3.12"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user