roundup-tracker
diff --git a/‎.github/dependabot.yml
Lines changed: 25 additions & 0 deletions b/‎.github/dependabot.yml
Lines changed: 25 additions & 0 deletions
diff --git a/‎.github/workflows/anchore.yml
Lines changed: 11 additions & 6 deletions b/‎.github/workflows/anchore.yml
Lines changed: 11 additions & 6 deletions
diff --git a/‎.github/workflows/ci-test.yml
Lines changed: 50 additions & 26 deletions b/‎.github/workflows/ci-test.yml
Lines changed: 50 additions & 26 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml
Lines changed: 13 additions & 4 deletions b/‎.github/workflows/codeql-analysis.yml
Lines changed: 13 additions & 4 deletions
diff --git a/‎.github/workflows/ossf-scorecard.yml
Lines changed: 75 additions & 0 deletions b/‎.github/workflows/ossf-scorecard.yml
Lines changed: 75 additions & 0 deletions
diff --git a/‎.hgtags
Lines changed: 1 addition & 0 deletions b/‎.hgtags
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,25 @@
+# To get started with Dependabot version updates, you'll need to
+# specify which
+# package ecosystems to update and where the package manifests are
+# located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the
+    # default location of `.github/workflows`
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "docker" 
+    directory: "/scripts/Docker" 
+    target-branch: "master" 
+    schedule:
+      interval: "weekly"
@@ -29,26 +29,31 @@ concurrency:
 
 jobs:
   Anchore-Build-Scan:
+    if: "!contains(github.event.head_commit.message, 'no-github-ci')"
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
     steps:
     - name: Checkout the code
-      uses: actions/checkout@v3
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
     - name: Build the Docker image
-      run: docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
+      run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
+    - name: List the Docker image
+      run: docker image ls
     - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
-      uses: anchore/scan-action@v3
+      uses: anchore/scan-action@4be3c24559b430723e51858969965e163b196957 # v3.3.5
       id: scan
       with:
         image: "localbuild/testimage:latest"
-        acs-report-enable: true
-        fail-build: false
+        fail-build: true
     - name: Upload Anchore Scan Report
-      uses: github/codeql-action/upload-sarif@v2
+      if: always()
+      uses: github/codeql-action/upload-sarif@83f0fe6c4988d98a455712a27f0255212bba9bd4
+  # v2.3.6
       with:
         sarif_file: ${{ steps.scan.outputs.sarif }}
     - name: Inspect action SARIF report
+      if: always()
       run: cat ${{ steps.scan.outputs.sarif }}
@@ -1,5 +1,10 @@
 # merged in python-package.yml workflow
 
+# reference docs:
+# https://blog.deepjyoti30.dev/tests-github-python
+# https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+# https://github.com/pypa/twine/blob/main/.github/workflows/main.yml
+
 name: roundup-ci
 
 on: 
@@ -28,42 +33,48 @@ jobs:
     name: CI build test
 
     # run the finalizer for coveralls even if one or more
-    # matrix runs fail.
-    continue-on-error: true
+    # experimental matrix runs fail.
+    # continue-on-error: ${{ matrix.experimental }}
 
     #runs-on: ubuntu-latest
     # use below if running on multiple OS's.
     runs-on: ${{ matrix.os }}
 
+    if: "!contains(github.event.head_commit.message, 'no-github-ci')"
+
     strategy:
       fail-fast: false
       max-parallel: 4
       matrix:
         # Run in all these versions of Python
-        python-version: [ "2.7", "3.10", "3.9", "3.8", "3.6", "3.11-dev" ]
+        python-version:
+          - "2.7"
+          - "3.10"
+          # - "3.9"
+          - "3.8"
+          # - "3.7"
+          - "3.11"
 
         # use for multiple os or ubuntu versions
         #os: [ubuntu-latest, macos-latest, windows-latest]
-        os: [ubuntu-latest, ubuntu-22.04]
+        # ubuntu latest 22.04 12/2022
+        os: [ubuntu-latest, ubuntu-20.04]
 
         # if the ones above fail. fail the build
         experimental: [false]
 
         include:
-           # example: if 3.12 fails the jobs still succeeds
-        #   - python-version: 3.12
-        #     experimental: [true]
-           # version 2.7 not available on unbuntu-22.04 github
-        #    - python-version: 2.7
-        #      os: ubuntu-22.04
-        #      experimental: true
-            - python-version: 3.11-dev
+            # example: if 3.12 fails the jobs still succeeds
+            - python-version: 3.12
               os: ubuntu-22.04
               experimental: [true]
+            # 3.6 not available on new 22.04 runners, so run on 20.04 ubuntu
+            - python-version: 3.6
+              os: ubuntu-20.04
 
         exclude:
-            # skip all python versions on 22.04 except explicitly included
-            - os: ubuntu-22.04
+            # skip all python versions on 20.04 except explicitly included
+            - os: ubuntu-20.04
 
     env:
       # get colorized pytest output even without a controlling tty
@@ -79,20 +90,25 @@ jobs:
         # if: {{ false }}
           # continue running if step fails
         # continue-on-error: true
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       # Setup version of Python to use
       - name: Set Up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: ${{ matrix.python-version }}
+          allow-prereleases: true
           cache: 'pip'
 
+      - name: Install build tools - setuptools
+        run: pip install setuptools
+
       # Display the Python version being used
       - name: Display Python and key module versions
         run: |
           python -c "import sys; print('python version: ', sys.version)"
-          python -c "import sqlite3; print('sqlite3 version, sqlite version: ', sqlite3.version, sqlite3.sqlite_version)"
+          python -c "import sqlite3; print('sqlite version: ', sqlite3.sqlite_version)"
+          python -c "import setuptools; print('setuptools version: ', setuptools.__version__);"
 
       # Install the databases
       - name: Install mysql/mariadb
@@ -114,7 +130,7 @@ jobs:
 
       - name: Install postgres
         run: |
-          sudo apt-get install postgresql
+          sudo apt-get update && sudo apt-get install postgresql
           # Disable fsync for speed, don't care about data durability
           #   when testing
           sudo sed -i -e '$a\fsync = off' /etc/postgresql/*/*/postgresql.conf
@@ -157,7 +173,11 @@ jobs:
           # older python and newest on newer.
           if [[ $PYTHON_VERSION == "2."* ]]; then pip install sphinx==1.8.5; fi
           if [[ $PYTHON_VERSION == '3.'* ]] ; then pip install sphinx; fi
-          XAPIAN_VER=$(dpkg -l libxapian-dev | tail -n 1 | awk '{print $3}' | cut -d '-' -f 1); echo $XAPIAN_VER
+          if [[ $PYTHON_VERSION == '3.12'* ]] ; then \
+              XAPIAN_VER=1.4.22; \
+          else
+              XAPIAN_VER=$(dpkg -l libxapian-dev | tail -n 1 | awk '{print $3}' | cut -d '-' -f 1); echo $XAPIAN_VER; \
+          fi
           cd /tmp
           curl -s -O https://oligarchy.co.uk/xapian/$XAPIAN_VER/xapian-bindings-$XAPIAN_VER.tar.xz
           tar -Jxvf xapian-bindings-$XAPIAN_VER.tar.xz
@@ -169,10 +189,10 @@ jobs:
           # Change distutils.sysconfig... to just sysconfig and SO
           # to EXT_SUFFIX to get valid value.
           if [[ $PYTHON_VERSION == "3."* ]]; then sed -i -e '/PYTHON3_SO=/s/distutils\.//g' -e '/PYTHON3_SO=/s/"SO"/"EXT_SUFFIX"/g' configure; ./configure --prefix=$VIRTUAL_ENV --with-python3 --disable-documentation; fi
-          case "$PYTHON_VERSION" in nightly) echo skipping xapian build;; *) make && sudo make install; esac
+          case "$PYTHON_VERSION" in nightly|3.12*) echo skipping xapian build;; *) make && sudo make install; esac
 
       - name: Install pytest and other packages needed for running tests
-        run: pip install codecov flake8 mock pytest pytest-cov requests
+        run: pip install flake8 mock pytest pytest-cov requests
 
       - name: Test build roundup and install locale so lang tests work.
         run: |
@@ -194,6 +214,7 @@ jobs:
         run: |
           if [[ "$PYTHON_VERSION" != "2."* ]]; then 
             pytest -r a \
+              --durations=20 \
               -W default \
               -W "ignore:SelectableGroups:DeprecationWarning" \
               -W "ignore:the imp module:DeprecationWarning:gpg.gpgme:15" \
@@ -207,20 +228,20 @@ jobs:
             fi
           else
             # python2 case
-            pytest -v -r a test/ --cov=roundup
+            pytest -v -r a --durations=20 test/ --cov=roundup
           fi
 
       - name: Upload coverage to Codecov
         # see: https://github.com/codecov/codecov-action#usage
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
         with:
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}
 
       - name: Upload coverage to Coveralls
         # python 2.7 and 3.6 versions of coverage can't produce lcov files.
         if: matrix.python-version != '2.7' && matrix.python-version != '3.6'
-        uses: coverallsapp/github-action@master
+        uses: coverallsapp/github-action@f350da2c033043742f89e8c0b7b5145a1616da6d # master
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           path-to-lcov: coverage.lcov
@@ -247,13 +268,16 @@ jobs:
       #         -f scripts/Docker/Dockerfile . 
 
 
-  # in parallel build codecov requires a finish step
+  # in parallel build coveralls requires a finish step
   finish:
     needs: test
     runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, 'no-github-ci')"
+    
     steps:
       - name: Coveralls Finished
-        uses: coverallsapp/github-action@master
+        uses: coverallsapp/github-action@f350da2c033043742f89e8c0b7b5145a1616da6d # master
         with:
           github-token: ${{ secrets.github_token }}
           parallel-finished: true
@@ -21,6 +21,9 @@ on:
   schedule:
     - cron: '28 17 * * 1'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -30,6 +33,12 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
 
+    if: "!contains(github.event.head_commit.message, 'no-github-ci')"
+    
+    permissions:
+      contents: read
+      security-events: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -40,11 +49,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v2.6.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,7 +64,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -69,4 +78,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
@@ -0,0 +1,75 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '25 21 * * 5'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, 'no-github-ci')"
+
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.1.27
+        with:
+          sarif_file: results.sarif
@@ -141,3 +141,4 @@ c90104abe508e3886917243e4acd069c8ef7a1a4 2.2.0
 0000000000000000000000000000000000000000 2.2.0
 0000000000000000000000000000000000000000 2.2.0
 239d9542b02062c56f88fd1de8b87c4d88d700ad 2.2.0
+51fc06fabcee043db116e2fbdcdcf5e86b67ed3d 2.3.0b2