ci/security/test: automated audit fixes for QuantPlatformKit#164
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 52e3a2c89c
| # Create a classic PAT at https://github.com/settings/tokens with `public_repo` | ||
| # scope, then add it as org secret `QSL_AUTOMATION_PAT`. | ||
| token: ${{ secrets.QSL_AUTOMATION_PAT || secrets.GITHUB_TOKEN }} | ||
| token: ${{ github.token }} |
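Review bot: The new `token: ${{ github.token }}` line loses the setup comment that sat above the old token expression and carries no explanation of its own. Add a one-line comment saying why the default token is used here, and make sure the job declares an explicit `permissions:` block limited to what PR creation needs; the lines shown do not reveal whether one exists.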
Use a token that can trigger PR checks
For the generated `auto/qpk-pin-update` PRs, `${{ github.token }}` is the repository `GITHUB_TOKEN`; the create-pull-request action docs note that PRs created with the default token do not trigger `on: pull_request` or `on: push` workflows. I checked this repo's PR validation workflows (`.github/workflows/ci.yml` and `.github/workflows/codex_review_gate.yml`) and they are `pull_request`-triggered, so these automated pin PRs will be opened without the normal CI/gate checks unless someone manually retriggers them. Use a policy-approved PAT/GitHub App token or add an explicit follow-up trigger for validation.
|
|
||
|
|
||
| _REDACTED = "<redacted>" | ||
| _TELEGRAM_BOT_PATH_RE = re.compile(r"(?i)(/bot)([^/\s]+)") |
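Review bot: `_TELEGRAM_BOT_PATH_RE` on the last added line matches any path segment that begins with `/bot`, case-insensitively, so a non-credential path such as `/bottom` is also treated as a token. Over-masking is the safe direction for a redactor, but either a comment recording that this is intentional or a tighter token shape after `/bot` would make the behaviour deliberate, and a test with a non-Telegram `/bot…` path would pin it either way.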
Redact webhook path keys before logging errors
This helper only masks Telegram-style `/bot...` path credentials and query-string secrets, but supported webhook providers also put credentials in URL paths (Feishu uses `.../hook/KEY` and ServerChan uses `SENDKEY.send`). When the webhook error path logs an opener/proxy exception that includes the full request URL, those provider keys remain unredacted, so the new log redaction still leaks secrets for two supported webhook formats. Add provider path patterns or parse URLs and mask sensitive path segments before logging.
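One way to do the URL-parsing variant suggested in the review comment above, as an added example (not code from this PR or from QuantPlatformKit). `redact_urls_in_text` and its helpers are hypothetical names, the query-key list is an assumption, and the Telegram rule mirrors the `/bot` pattern shown in the diff.

```python
import re
from urllib.parse import urlsplit, urlunsplit

REDACTED = "<redacted>"
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Assumed (not from the PR): query parameter names that carry credentials.
SENSITIVE_QUERY_KEYS = {"token", "access_token", "key", "secret", "sign"}


def _redact_path(path: str) -> str:
    segments = path.split("/")
    for i, seg in enumerate(segments):
        low = seg.lower()
        if low.startswith("bot") and len(seg) > 3:
            segments[i] = seg[:3] + REDACTED    # Telegram: /bot<token>/method
        elif i > 0 and segments[i - 1].lower() == "hook" and seg:
            segments[i] = REDACTED              # Feishu: .../hook/KEY
        elif low.endswith(".send") and len(seg) > 5:
            segments[i] = REDACTED + seg[-5:]   # ServerChan: /SENDKEY.send
    return "/".join(segments)


def _redact_query(query: str) -> str:
    pairs = []
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        if key.lower() in SENSITIVE_QUERY_KEYS and value:
            value = REDACTED
        pairs.append(key + sep + value)
    return "&".join(pairs)


def _redact_url(match: re.Match) -> str:
    raw = match.group(0)
    url = raw.rstrip(".,;:)]}")  # sentence punctuation glued to the URL
    try:
        parts = urlsplit(url)
    except ValueError:
        return REDACTED  # fail closed when the URL cannot be parsed
    clean = urlunsplit((parts.scheme, parts.netloc, _redact_path(parts.path),
                        _redact_query(parts.query), parts.fragment))
    return clean + raw[len(url):]


def redact_urls_in_text(text: str) -> str:
    """Mask credential-bearing path and query parts of URLs inside text."""
    return URL_RE.sub(_redact_url, text)
```

Applied to the exception message before it reaches the logger, this keeps host and endpoint visible for debugging while masking the key-bearing segment for all three provider URL shapes named in the comment.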
Summary
- `update-qpk-pin` downstream dry-run verification to fail the job when any dependency check fails.
- `update-qpk-pin` PR creation and use `github.token` instead.
- `setuptools>=77` to avoid upcoming setuptools build deprecation.

Problems found
- `scripts/gate_codex_app_review.py` detected hardcoded secrets but included the matched sensitive assignment snippet in CI logs.
- `update-qpk-pin.yml` printed downstream install failures but still ended with success.
- `update-qpk-pin.yml` preferred a PAT fallback described as bypassing a ruleset.
- `uv build` emitted a future setuptools deprecation warning for `project.license` table metadata.

Fixes applied
- `quant_platform_kit.notifications._redaction.redact_sensitive_text` and applied it to notification senders and strategy plugin delivery error paths.
- `exit 1` when any check fails.
- `peter-evans/create-pull-request` token to `${{ github.token }}`.
- `license = "MIT"` and `setuptools>=77`.

Security impact

Architecture impact

Tests run
- `uv venv .venv --python 3.11`
- `uv pip install --python .venv/bin/python -e . numpy pandas pytest pytest-cov ruff`
- `uv pip check --python .venv/bin/python` — passed
- `.venv/bin/ruff check .` — passed
- `PYTHONPATH=src:. .venv/bin/python -m pytest -q tests/test_notification_redaction.py tests/test_telegram.py tests/test_strategy_plugin_telegram_notifications.py tests/test_strategy_plugin_push_notifications.py tests/test_strategy_plugin_sms_notifications.py tests/test_strategy_plugin_email_notifications.py tests/test_strategy_plugin_alert_dispatcher.py tests/test_notification_events.py` — 45 passed
- `PYTHONPATH=src .venv/bin/python -m pytest -q --cov --cov-report=term --cov-report=xml tests` — 444 passed, 1 skipped, coverage 60%
- `PYTHONPATH=src .venv/bin/python -m unittest discover -s tests -v` — 405 passed, 1 skipped
- `actionlint` — passed
- `uv build` — passed
- `uvx pip-audit --path .venv` — no known vulnerabilities found
- `git diff --check` — passed

Failed or skipped checks with reasons
- `.venv/bin/ruff format --check .` reports existing all-repo formatting drift: 155 files would be reformatted. This repository CI does not currently enforce ruff format; this PR intentionally avoids a large unrelated formatting-only diff.
- `update-qpk-pin` were not run outside the workflow because they depend on generated constraint updates on `main`.

Deployment notes

Rollback plan
- `52e3a2c` to restore previous logging, gate, workflow, and packaging metadata behavior.

Manual follow-up checklist
- `gate` and `test` pass on this PR.
- `update-qpk-pin` can no longer create PRs with `github.token`, adjust repository rules through an explicit, reviewed policy change rather than PAT bypass.