Closed
43 commits
b302448
record_type_add command added
adeshmukh-ks May 22, 2025
cf7532f
PR review changes, fido upgrade change, login error eddress
adeshmukh-ks May 27, 2025
83c781c
Added logger
adeshmukh-ks May 28, 2025
093cd1c
record_type_edit and record_type_delete functions added
adeshmukh-ks May 29, 2025
d1eaa2b
record_type_info and load_record_types functions added (#12)
adeshmukh-ks Jun 10, 2025
39738e6
download-record-types command added
adeshmukh-ks Jun 10, 2025
e570e17
secrets-manager-app list and get functions and commands
adeshmukh-ks Jun 18, 2025
231a707
Corrected imports
adeshmukh-ks Jun 19, 2025
4db4ccb
secrets-manager-app create and remove commands
adeshmukh-ks Jun 23, 2025
67c0a0d
download-record-types bug fix
adeshmukh-ks Jun 23, 2025
1992530
Yubikey login method bug fix
adeshmukh-ks Jun 25, 2025
672a8f1
Bug fix in delete-attachment command and added rm command
adeshmukh-ks Jun 27, 2025
33a1d5f
Secrets Manager App Share-Unshare, Share Record and Share Folder comm…
adeshmukh-ks Jul 16, 2025
5f4a904
Secrets manager client add and remove commands
adeshmukh-ks Jul 22, 2025
b582d82
Added secrets-manager-share add and remove commands
adeshmukh-ks Jul 25, 2025
7956b87
Added get command and self-destruct feature
adeshmukh-ks Aug 1, 2025
513a02d
Used enumerate_fields
adeshmukh-ks Aug 4, 2025
41a6a08
Added uid flags
adeshmukh-ks Aug 4, 2025
1fb50aa
One-time-share commands
adeshmukh-ks Aug 8, 2025
d97337b
breachwatch scan command
adeshmukh-ks Aug 14, 2025
4c7477d
Python SDK Command examples
sdubey-ks Aug 14, 2025
d0ad7a7
Protobuff file updates
adeshmukh-ks Aug 20, 2025
0c14177
Python SDK command examples
sdubey-ks Aug 22, 2025
e13c656
Bug Fixes
adeshmukh-ks Aug 22, 2025
efa1445
Breachwatch password and search record commands
adeshmukh-ks Aug 29, 2025
2b44c49
Biometric Commands and Authentication Implemented
adeshmukh-ks Sep 4, 2025
628120d
Password-report command and bug fixes
adeshmukh-ks Sep 12, 2025
e211e98
Added examples for enterprise and record attachment commands
adeshmukh-ks Sep 12, 2025
9ef4a94
Trash commands added and bugs fixed
adeshmukh-ks Sep 19, 2025
796a02c
Team handling bug in get command
adeshmukh-ks Sep 19, 2025
1f35210
Clipboard Copy and Record History commands added
adeshmukh-ks Sep 26, 2025
fef509a
Audit log command added
adeshmukh-ks Oct 8, 2025
539d3af
Read me update
adeshmukh-ks Oct 10, 2025
4f1035b
Transform folder command added
adeshmukh-ks Oct 10, 2025
1e17432
Readme update in detail
adeshmukh-ks Oct 16, 2025
4e5be7c
Examples added
adeshmukh-ks Oct 16, 2025
c2b54b5
Create user command added
adeshmukh-ks Oct 20, 2025
ab037d8
Find duplicate command added
adeshmukh-ks Oct 27, 2025
48662cc
Transfer user command added
ukumar-ks Oct 27, 2025
d7917ea
Record permission command added
adeshmukh-ks Oct 28, 2025
f514c47
Added examples of user and record related command
ukumar-ks Oct 30, 2025
41cdce1
Device approve command added
adeshmukh-ks Oct 31, 2025
630250c
Github publish workflow
sk-keeper Nov 1, 2025
69 changes: 69 additions & 0 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
push:
branches: [ master ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ master ]
schedule:
- cron: '32 11 * * 1'

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
contents: read

strategy:
fail-fast: false
matrix:
language: [ 'python' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
# Learn more:
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed

steps:
- name: Checkout repository
uses: actions/checkout@v2

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main

# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v1

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl

# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language

#- run: |
# make bootstrap
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
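Review bot: The `analyze` job grants only `permissions: contents: read`, but its last step, `github/codeql-action/analyze@v1`, uploads results to code scanning, which needs `security-events: write` on the job's GITHUB_TOKEN; add that permission next to `contents: read`. The workflow also uses `github/codeql-action/*@v1` and `actions/checkout@v2`, both superseded major versions (the other workflows in this PR move to `checkout@v4`), and the `Autobuild` step has nothing to build for a matrix of `[ 'python' ]` and can be dropped.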
Original file line number Diff line number Diff line change
@@ -1,79 +1,71 @@
name: Publish Commander to PyPi
name: Publish CLI to PyPi

on:
workflow_dispatch:
inputs:
version:
description: Version to release (Tag from Keeper-Security/keeper-sdk-pyton)
description: Version to release (Tag from Keeper-Security/keeper-sdk-python)
required: true

jobs:
build-n-publish:
name: Build and publish Keeper SDK for Python 📦 to PyPI
name: Build and publish Keeper CLI for Python to TestPyPI
runs-on: ubuntu-latest
timeout-minutes: 25 # To keep builds from running too long

permissions:
contents: read

steps:
- name: Checkout source code
uses: actions/checkout@v2

- name: Set up Python 3.10
- name: Set up Python 3.11
uses: actions/setup-python@v4
with:
python-version: '3.10'
python-version: '3.11'
architecture: 'x64'

- name: Build the package
run: |
python -m pip install -U setuptools pip build wheel twine
python -m build --wheel
python -m build --wheel keepercli-package

- name: Archive the package
uses: actions/upload-artifact@v3
with:
name: KeeperSdkWheel
name: KeeperCLIWheel
retention-days: 1
path: dist/*
path: keepercli-package/dist/*
if-no-files-found: error

- name: Publish Commander to test PyPi
- name: Publish keepercli to test PyPi
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }}
run: |
twine upload -r testpypi dist/*

twine upload -r testpypi keepercli-package/dist/*

publish-pypi:
name: Publish Keeper SDK to PyPi
name: Publish Keeper CLI to PyPi
runs-on: ubuntu-latest
needs: [build-n-publish]
environment: prod

steps:
- uses: actions/download-artifact@v3
with:
name: CommanderWheel
path: dist
name: KeeperCLIWheel
path: keepercli-package/dist

- name: Set up Python 3.10
- name: Set up Python 3.11
uses: actions/setup-python@v4
with:
python-version: '3.10'
architecture: 'x64'

- name: Retrieve secrets from Keeper
id: ksecrets
uses: Keeper-Security/ksm-action@master
with:
keeper-secret-config: ${{ secrets.KSM_COMMANDER_SECRET_CONFIG }}
secrets: |
gD5LOOhI5QbnSFk8mIg3gg/field/password > PYPI_PASSWORD
python-version: '3.11'

- name: Publish to PyPi
- name: Publish keepercli to PyPi
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ steps.ksecrets.outputs.PYPI_PASSWORD }}
TWINE_PASSWORD: ${{ secrets.PYPI_PUBLISH_TOKEN }}
run: |
python -m pip install -U setuptools pip wheel twine
twine upload dist/*
twine upload -r pypi keepercli-package/dist/*
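Review bot: The `version` input is `required: true` and described as the tag to release, but no step in this file reads it: `Checkout source code` has no `with: ref:`, so the wheel is built from whatever ref the dispatch ran on. Either pass `ref: ${{ inputs.version }}` to the checkout or drop the input. Separately, this file stays on `actions/checkout@v2`, `upload-artifact@v3` and `download-artifact@v3` while publish-sdk.yml moves to `@v4` in the same PR; bring them in line so both release paths behave the same.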
Comment on lines +49 to +71

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 2 months ago

To resolve the issue, add a permissions block to the publish-pypi job. This should grant only the minimal needed permission. In this case, there is no obvious use of the GITHUB_TOKEN for write access within the publish-pypi job—there is no usage of actions that modify repository contents, releases, issues, etc. Therefore, contents: read is sufficient and aligns with least privilege. The change is to insert the following at the same indentation as other job keys under publish-pypi:

permissions:
  contents: read

No other code or configuration changes are necessary. No imports or external dependencies are required.


Suggested changeset 1
.github/workflows/publish-cli-to-pypi.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-cli-to-pypi.yml b/.github/workflows/publish-cli-to-pypi.yml
--- a/.github/workflows/publish-cli-to-pypi.yml
+++ b/.github/workflows/publish-cli-to-pypi.yml
@@ -47,6 +47,8 @@
 
   publish-pypi:
     name: Publish Keeper CLI to PyPi
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     needs: [build-n-publish]
     environment: prod
EOF
@@ -47,6 +47,8 @@

publish-pypi:
name: Publish Keeper CLI to PyPi
permissions:
contents: read
runs-on: ubuntu-latest
needs: [build-n-publish]
environment: prod
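Review bot: The `permissions:` block lands between `name:` and `runs-on:` in `publish-pypi`, while `build-n-publish` in the same file declares it after `timeout-minutes`; placing it after `environment: prod` keeps the two jobs consistent. Since both jobs end up with the same `contents: read`, a single workflow-level `permissions:` block would cover them and any job added later.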
Copilot is powered by AI and may make mistakes. Always verify output.
84 changes: 51 additions & 33 deletions .github/workflows/publish-sdk.yml
Original file line number Diff line number Diff line change
@@ -1,72 +1,90 @@
name: Publish Keeper SDK to PyPi
name: Publish Keeper SDK to PyPI

on: [workflow_dispatch]

jobs:
build-wheel:
name: Build and publish Keeper SDK for Python 📦 to PyPI
build-and-test:
name: Build and test Keeper SDK package
runs-on: ubuntu-latest
timeout-minutes: 25 # To keep builds from running too long
timeout-minutes: 25
permissions:
contents: read

steps:
- name: Checkout source code
uses: actions/checkout@v2
uses: actions/checkout@v4

- name: Set up Python 3.11
uses: actions/setup-python@v4
- name: Set up Python 3.13
uses: actions/setup-python@v5
with:
python-version: '3.11'
python-version: '3.13'

- name: Install dependencies
run: |
pip install keepersdk-package/

- name: Run unit tests
run: python -m unittest discover -s keepersdk-package/unit_tests/

- name: Build the package
run: |
python3 -m pip install -U setuptools build wheel twine
python3 -m pip install -U build wheel twine
python3 -m build --wheel keepersdk-package

- name: Archive the package
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: KeeperSdkWheel
retention-days: 1
path: keepersdk-package/dist/*
if-no-files-found: error

- name: Publish Commander to test PyPi
publish-test-pypi:
name: Publish to Test PyPI
runs-on: ubuntu-latest
needs: [build-and-test]
environment: test

steps:
- uses: actions/download-artifact@v4
with:
name: KeeperSdkWheel
path: keepersdk-package/dist

- name: Set up Python 3.13
uses: actions/setup-python@v5
with:
python-version: '3.13'

- name: Publish to Test PyPI
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }}
run: |
twine upload -r testpypi dist/*

python -m pip install -U twine
twine upload --repository testpypi keepersdk-package/dist/*

publish-pypi:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
name: Publish Keeper SDK to PyPi
name: Publish to Production PyPI
runs-on: ubuntu-latest
needs: [build-wheel]
needs: [publish-test-pypi]
environment: prod

steps:
- uses: actions/download-artifact@v3
- uses: actions/download-artifact@v4
with:
name: CommanderWheel
path: dist

- name: Set up Python 3.10
uses: actions/setup-python@v4
with:
python-version: '3.11'
name: KeeperSdkWheel
path: keepersdk-package/dist

- name: Retrieve secrets from Keeper
id: ksecrets
uses: Keeper-Security/ksm-action@master
- name: Set up Python 3.13
uses: actions/setup-python@v5
with:
keeper-secret-config: ${{ secrets.KSM_COMMANDER_SECRET_CONFIG }}
secrets: |
gD5LOOhI5QbnSFk8mIg3gg/field/password > PYPI_PASSWORD
python-version: '3.13'

- name: Publish to PyPi
- name: Publish to PyPI
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ steps.ksecrets.outputs.PYPI_PASSWORD }}
TWINE_PASSWORD: ${{ secrets.PYPI_PUBLISH_TOKEN }}
run: |
python -m pip install -U setuptools pip wheel twine
twine upload dist/*
python -m pip install -U twine
twine upload keepersdk-package/dist/*
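Review bot: In `publish-test-pypi` and `publish-pypi`, `python -m pip install -U twine` runs in the same `run:` block that has `TWINE_PASSWORD` set, so whatever twine release and dependencies resolve at run time execute with the PyPI token in the environment; pin twine to a fixed version (ideally with hashes), or install it in a separate step that does not carry the `env:` block. In `build-and-test`, the unit tests run against `pip install keepersdk-package/` and the wheel is built afterwards, so the artifact that gets uploaded is never installed or tested; install the built wheel from `keepersdk-package/dist/` before running `unittest`.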
Comment on lines +68 to +90

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 2 months ago

To fix this problem, add a permissions block to the publish-pypi job to explicitly restrict GITHUB_TOKEN permissions. The minimal secure baseline is permissions: contents: read, as this allows the job to read repository contents if needed, but not to perform any write actions. This change should be made inside the publish-pypi job definition, after its runs-on, needs, and environment fields (as is seen in the build-and-test job above). No imports, new dependencies, or further modifications are required in this YAML workflow.

Suggested changeset 1
.github/workflows/publish-sdk.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-sdk.yml b/.github/workflows/publish-sdk.yml
--- a/.github/workflows/publish-sdk.yml
+++ b/.github/workflows/publish-sdk.yml
@@ -69,6 +69,8 @@
     runs-on: ubuntu-latest
     needs: [publish-test-pypi]
     environment: prod
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/download-artifact@v4
EOF
@@ -69,6 +69,8 @@
runs-on: ubuntu-latest
needs: [publish-test-pypi]
environment: prod
permissions:
contents: read

steps:
- uses: actions/download-artifact@v4
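Review bot: This patch covers only `publish-pypi`; `publish-test-pypi` in the same workflow also has no `permissions:` block and uses `secrets.TEST_PYPI_TOKEN`, so it keeps the default GITHUB_TOKEN scope. Add the same `contents: read` block there, or declare it once at the top level of the workflow.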
Original file line number Diff line number Diff line change
@@ -1,35 +1,36 @@
name: Test with pytest
name: Test with unittest

on:
pull_request:
branches:
- masterlet'
- master
workflow_dispatch:

env:
PYTHONUNBUFFERED: 1

jobs:
test-with-pytest:
test-with-unittest:
strategy:
matrix:
python-version: ['3.8', '3.14']

runs-on: ubuntu-latest
permissions:
contents: read

steps:
- name: Checkout branch
uses: actions/checkout@v4

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}

- name: Install package with test dependencies
- name: Install package
run: |
cd keepersdk-package
pip install .[test]
pip install -e keepersdk-package/

- name: Run unit tests
run: pytest keepersdk-package/unit_tests/
run: python -m unittest discover -s keepersdk-package/unit_tests/
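Review bot: The matrix `python-version: ['3.8', '3.14']` exercises only the two ends of the range, and the publish workflow in this PR builds on 3.13, which is not tested here; list the intermediate versions or at least add the release interpreter. `pip install -e keepersdk-package/` also makes the tests import the source tree rather than an installed package, so packaging mistakes such as modules missing from the wheel pass unnoticed; a regular `pip install keepersdk-package/` catches those.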