Conversation

@sk-keeper
Collaborator

No description provided.

adeshmukh-ks and others added 30 commits October 31, 2025 21:47
* record_type_info and load_record_types functions added

* Moved functions to cli commands

* Corrected review changes

socket-security bot commented Nov 1, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                                    Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  cbor2@5.7.1                                100                    100            100      100          100
Added  winrt-runtime@3.2.1                        100                    100            100      100          100
Added  pyobjc-framework-localauthentication@12.0  100                    100            100      100          100


Comment on lines +47 to +71
name: Publish Keeper CLI to PyPi
runs-on: ubuntu-latest
needs: [build-n-publish]
environment: prod

steps:
- uses: actions/download-artifact@v3
with:
name: CommanderWheel
path: dist
name: KeeperCLIWheel
path: keepercli-package/dist

- name: Set up Python 3.10
- name: Set up Python 3.11
uses: actions/setup-python@v4
with:
python-version: '3.10'
architecture: 'x64'

- name: Retrieve secrets from Keeper
id: ksecrets
uses: Keeper-Security/ksm-action@master
with:
keeper-secret-config: ${{ secrets.KSM_COMMANDER_SECRET_CONFIG }}
secrets: |
gD5LOOhI5QbnSFk8mIg3gg/field/password > PYPI_PASSWORD
python-version: '3.11'

- name: Publish to PyPi
- name: Publish keepercli to PyPi
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ steps.ksecrets.outputs.PYPI_PASSWORD }}
TWINE_PASSWORD: ${{ secrets.PYPI_PUBLISH_TOKEN }}
run: |
python -m pip install -U setuptools pip wheel twine
twine upload dist/*
twine upload -r pypi keepercli-package/dist/*
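Review bot: the publish-pypi job still has no permissions: block, so GITHUB_TOKEN keeps the repository default scope; add `permissions: contents: read` at the job level next to runs-on / needs / environment. Two further points in this hunk: the new publish step reads the upload credential from a stored secret (`TWINE_PASSWORD: ${{ secrets.PYPI_PUBLISH_TOKEN }}`) instead of fetching it at run time through the Keeper step that is removed, so that long-lived token is now guarded only by the `environment: prod` gate and by whoever can edit the secret; make sure it is an environment-scoped secret with required reviewers on prod. And `actions/download-artifact@v3` is kept here while the SDK workflow in the same PR moves to v4; v3 of the artifact actions is deprecated, so bump this one to @v4 as well so the job does not stop working later.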

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 2 months ago):

To resolve the issue, add a permissions block to the publish-pypi job. This should grant only the minimal needed permission. In this case, there is no obvious use of the GITHUB_TOKEN for write access within the publish-pypi job—there is no usage of actions that modify repository contents, releases, issues, etc. Therefore, contents: read is sufficient and aligns with least privilege. The change is to insert the following at the same indentation as other job keys under publish-pypi:

permissions:
  contents: read

No other code or configuration changes are necessary. No imports or external dependencies are required.


Suggested changeset 1: .github/workflows/publish-cli-to-pypi.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-cli-to-pypi.yml b/.github/workflows/publish-cli-to-pypi.yml
--- a/.github/workflows/publish-cli-to-pypi.yml
+++ b/.github/workflows/publish-cli-to-pypi.yml
@@ -47,6 +47,8 @@
 
   publish-pypi:
     name: Publish Keeper CLI to PyPi
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     needs: [build-n-publish]
     environment: prod
EOF
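Review bot: the hunk adds `contents: read` only to the publish-pypi job; `needs: [build-n-publish]` shows at least one other job in this workflow that will still run with the default token scope, so the same alert applies to it. Prefer a workflow-level `permissions: contents: read` at the top of the file and widen the scope per job only where a step actually needs a write permission.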
Comment on lines +66 to +90
name: Publish to Production PyPI
runs-on: ubuntu-latest
needs: [build-wheel]
needs: [publish-test-pypi]
environment: prod

steps:
- uses: actions/download-artifact@v3
- uses: actions/download-artifact@v4
with:
name: CommanderWheel
path: dist

- name: Set up Python 3.10
uses: actions/setup-python@v4
with:
python-version: '3.11'
name: KeeperSdkWheel
path: keepersdk-package/dist

- name: Retrieve secrets from Keeper
id: ksecrets
uses: Keeper-Security/ksm-action@master
- name: Set up Python 3.13
uses: actions/setup-python@v5
with:
keeper-secret-config: ${{ secrets.KSM_COMMANDER_SECRET_CONFIG }}
secrets: |
gD5LOOhI5QbnSFk8mIg3gg/field/password > PYPI_PASSWORD
python-version: '3.13'

- name: Publish to PyPi
- name: Publish to PyPI
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ steps.ksecrets.outputs.PYPI_PASSWORD }}
TWINE_PASSWORD: ${{ secrets.PYPI_PUBLISH_TOKEN }}
run: |
python -m pip install -U setuptools pip wheel twine
twine upload dist/*
python -m pip install -U twine
twine upload keepersdk-package/dist/*
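Review bot: same gap as the CLI workflow: the production publish job has no permissions: block, so add `permissions: contents: read` at the job level. The new `needs: [publish-test-pypi]` is a good gate (the production upload now runs only after the Test PyPI publish succeeds), but `python -m pip install -U twine` installs whatever twine release is current at run time on the one job that holds the production token; pin twine to a known version (or install from a constraints or hash file) so a broken or compromised release cannot land in the publish job. Also confirm `PYPI_PUBLISH_TOKEN` is an environment secret on prod rather than a repository-wide one, since this job now reads it directly instead of through the Keeper step that the hunk removes.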

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 2 months ago):

To fix this problem, add a permissions block to the publish-pypi job to explicitly restrict GITHUB_TOKEN permissions. The minimal secure baseline is permissions: contents: read, as this allows the job to read repository contents if needed, but not to perform any write actions. This change should be made inside the publish-pypi job definition, after its runs-on, needs, and environment fields (as is seen in the build-and-test job above). No imports, new dependencies, or further modifications are required in this YAML workflow.

Suggested changeset 1: .github/workflows/publish-sdk.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-sdk.yml b/.github/workflows/publish-sdk.yml
--- a/.github/workflows/publish-sdk.yml
+++ b/.github/workflows/publish-sdk.yml
@@ -69,6 +69,8 @@
     runs-on: ubuntu-latest
     needs: [publish-test-pypi]
     environment: prod
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/download-artifact@v4
EOF
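Review bot: `contents: read` is the right minimum for this job, whose only step visible in the context, `actions/download-artifact@v4`, needs no repository permission at all; if the workflow is ever moved to PyPI trusted publishing, this job would additionally need `id-token: write` and nothing more. As with the CLI workflow, the job referenced by `needs: [publish-test-pypi]` is not covered by this patch and should get the same block, or set a workflow-level default so no job runs with the implicit scope.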
sk-keeper force-pushed the workflow-updates branch 2 times, most recently from f14f2e0 to c475b6d on November 1, 2025 06:24
sk-keeper closed this Nov 1, 2025
sk-keeper deleted the workflow-updates branch November 1, 2025 06:49