Merge pull request #114 from ASFHyP3/develop

Release v0.11.0
ASFHyP3 · Jan 16, 2024 · a840760 · a840760
2 parents 5addd36 + 1020c90
commit a840760
Show file tree

Hide file tree

Showing 10 changed files with 38 additions and 39 deletions.
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -11,6 +11,6 @@ on:
       - develop
 jobs:
   call-changelog-check-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-changelog-check.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-changelog-check.yml@v0.10.0
     secrets:
       USER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/create-jira-issue.yml b/.github/workflows/create-jira-issue.yml
@@ -6,7 +6,7 @@ on:
 
 jobs:
   call-create-jira-issue-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-create-jira-issue.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-create-jira-issue.yml@v0.10.0
     secrets:
       JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
       JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}

diff --git a/.github/workflows/labeled-pr.yml b/.github/workflows/labeled-pr.yml
@@ -12,4 +12,4 @@ on:
 
 jobs:
   call-labeled-pr-check-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.10.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   call-release-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-release.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-release.yml@v0.10.0
     with:
       release_prefix: Actions
     secrets:

diff --git a/.github/workflows/reusable-secrets-analysis.yml b/.github/workflows/reusable-secrets-analysis.yml
@@ -9,18 +9,8 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-python@v5
+      - name: Secret Scanning
+        uses: trufflesecurity/trufflehog@v3.63.8
         with:
-          python-version: 3.x
-
-      - name: Pip install trufflehog
-        shell: bash
-        run: |
-          python -m pip install trufflehog
-
-      - name: Scan for secrets with trufflehog
-        shell: bash
-        run: |
-          export LAST_TAG_HASH=$(git rev-list -1 $(git describe --abbrev=0))
-          trufflehog --regex --entropy True --since_commit "${LAST_TAG_HASH}" \
-              --exclude_paths .trufflehog.txt file://"${PWD}"
+          base: main
+          extra_args: --only-verified
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -4,4 +4,4 @@ on: push
 
 jobs:
   call-secrets-analysis-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-secrets-analysis.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-secrets-analysis.yml@v0.10.0
diff --git a/.github/workflows/tag-version.yml b/.github/workflows/tag-version.yml
@@ -7,6 +7,6 @@ on:
 
 jobs:
   call-bump-version-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-bump-version.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-bump-version.yml@v0.10.0
     secrets:
       USER_TOKEN: ${{ secrets.TOOLS_BOT_PAK }}
diff --git a/.github/workflows/update-examples.yml b/.github/workflows/update-examples.yml
@@ -13,7 +13,7 @@ on:
 
 jobs:
   call-git-object-name-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-git-object-name.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-git-object-name.yml@v0.10.0
 
   upate_actions_examples:
     needs: call-git-object-name-workflow
@@ -29,9 +29,9 @@ jobs:
            OBJECT_VERSION: ${{ needs.call-git-object-name-workflow.outputs.name }}
         run: |
           if [[ -z "${INPUT_VERSION}" ]]; then
-            echo "ACTIONS_VERSION=${OBJECT_VERSION}" >> $GITHUB_ENV
+            echo "ACTIONS_VERSION=${OBJECT_VERSION%%-*}" >> $GITHUB_ENV
           else
-            echo "ACTIONS_VERSION=${INPUT_VERSION}" >> $GITHUB_ENV
+            echo "ACTIONS_VERSION=${INPUT_VERSION%%-*}" >> $GITHUB_ENV
           fi
 
       - name: Create update branch

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [PEP 440](https://www.python.org/dev/peps/pep-0440/) 
 and uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.11.0]
+
+### Fixed
+- [`update-examples`](.github/workflows/update-examples.yml) workflow will now strip distance and hash (longest `-*` match) from the input or calculated version numbers.
+- [`reusable-secrets-analysis.yml`](.github/workflows/reusable-secrets-analysis.yml) now uses the Trufflehog Github Action to scan for only verified secrets, which should reduce or eliminate false positives.
+
+### Removed
+- [`reusable-secrets-analysis.yml`](.github/workflows/reusable-secrets-analysis.yml) no longer recognizes `.trufflehog.txt`, which was previously used to specify exclude paths.
+
 ## [0.10.0]
 
 ### Added

diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ on:
 
 jobs:
   call-bump-version-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-bump-version.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-bump-version.yml@v0.10.0
     with:
       user: tools-bot                # Optional; default shown
       email: UAF-asf-apd@alaska.edu  # Optional; default shown
@@ -57,7 +57,7 @@ on:
 
 jobs:
   call-changelog-check-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-changelog-check.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-changelog-check.yml@v0.10.0
     secrets:
       USER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
@@ -77,7 +77,7 @@ on:
 
 jobs:
   call-create-jira-issue-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-create-jira-issue.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-create-jira-issue.yml@v0.10.0
     secrets:
       JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
       JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
@@ -130,13 +130,13 @@ on:
 
 jobs:
   call-version-info-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.10.0
     with:
       conda_env_name: hyp3-plugin
 
   call-docker-ecr-workflow:
     needs: call-version-info-workflow
-    uses: ASFHyP3/actions/.github/workflows/reusable-docker-ecr.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-docker-ecr.yml@v0.10.0
     with:
       version_tag: ${{ needs.call-version-info-workflow.outputs.version_tag }}
       ecr_registry: 845172464411.dkr.ecr.us-west-2.amazonaws.com
@@ -171,13 +171,13 @@ on:
 
 jobs:
   call-version-info-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.10.0
     with:
       conda_env_name: hyp3-plugin
 
   call-docker-ghcr-workflow:
     needs: call-version-info-workflow
-    uses: ASFHyP3/actions/.github/workflows/reusable-docker-ghcr.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-docker-ghcr.yml@v0.10.0
     with:
       version_tag: ${{ needs.call-version-info-workflow.outputs.version_tag }}
       user: ${{ github.actor }}
@@ -198,7 +198,7 @@ on: push
 
 jobs:
   call-flake8-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-flake8.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-flake8.yml@v0.10.0
     with:
       local_package_names: hyp3_plugin  # Required; comma-seperated list of names that should be considered local to your application
       excludes: hyp3_plugin/ugly.py     # Optional; comma-separated list of glob patterns to exclude from checks
@@ -217,7 +217,7 @@ on: push
 
 jobs:
   call-ruff-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-ruff.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-ruff.yml@v0.10.0
 ```
 
 to ensure the Python code is styled correctly.
@@ -275,7 +275,7 @@ on:
 
 jobs:
   call-git-object-name-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-git-object-name.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-git-object-name.yml@v0.10.0
   
   echo-git-object-name-outputs:
     needs: call-git-object-name-workflow
@@ -305,7 +305,7 @@ on:
 
 jobs:
   call-labeled-pr-check-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.10.0
 ```
 to ensure a release label is included on any PR to `main`.
 
@@ -329,7 +329,7 @@ on:
 
 jobs:
   call-pytest-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-pytest.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-pytest.yml@v0.10.0
     with:
       local_package_name: hyp3_plugin  # Required; package to produce a coverage report for
       fail_fast: false      # Optional; default shown
@@ -358,7 +358,7 @@ on:
 
 jobs:
   call-release-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-release.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-release.yml@v0.10.0
     with:
       release_prefix: HyP3-CI
       release_branch: main      # Optional; default shown
@@ -387,7 +387,7 @@ on:
   
 jobs:
   call-release-checklist-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-release-checklist-comment.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-release-checklist-comment.yml@v0.10.0
     permissions:
       pull-requests: write
     with:
@@ -416,7 +416,7 @@ on: push
 
 jobs:
   call-secrets-analysis-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-secrets-analysis.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-secrets-analysis.yml@v0.10.0
 ```
 to scan every push for secrets.
 
@@ -442,7 +442,7 @@ on:
 
 jobs:
   call-version-info-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.9.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.10.0
     with:
       python_version: '3.9'        # Optional; default shown