hubcio commented on code in PR #3257:
URL: https://github.com/apache/iggy/pull/3257#discussion_r3241334451
##########
.pre-commit-config.yaml:
##########
@@ -87,6 +87,20 @@ repos:
files: ^(foreign|bdd|examples)/python/(pyproject\.toml|uv\.lock)$
pass_filenames: false
+ - id: uv-audit
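Review bot: the `uv-audit` hook added on the last line of this hunk is change-triggered, so it only runs when a matching `pyproject.toml`/`uv.lock` is modified (see the `files:` filter in the context above); an advisory published after a version is already locked never changes those files and so never fires the hook. A dependency audit needs to run on a schedule as well as on change, e.g. `always_run: true` on the hook plus a scheduled CI job, otherwise known-vulnerable pinned versions go unreported until the next unrelated bump.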
Review Comment:
`uv-audit` is added as a pre-commit hook only. iggy ci does not run
pre-commit - `.github/workflows/_common.yml` mirrors every gating hook as an
explicit job. without a matching job in `_common.yml`, `uv audit` never runs on
prs. it only fires on a contributor machine that has pre-commit installed and
touches a matching `pyproject.toml`/`uv.lock`. that's the opposite of the
threat model in #3246 - a malicious or careless dependency bump arriving in a
pr stays unguarded. if the audit is meant to gate prs, add it as a job in
`_common.yml`.
##########
.github/actions/python-maturin/pre-merge/action.yml:
##########
@@ -83,6 +83,10 @@ runs:
echo "Running mypy on SDK..."
uv run mypy --explicit-package-bases "$DIR_SDK"
echo "mypy version: $(uv run mypy --version)"
+
+ echo "Running pyrefly on SDK..."
+ uv run pyrefly check
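Review bot: `uv run pyrefly check` on the last added line has no target, unlike the `mypy` invocation above it which is scoped to `"$DIR_SDK"`; if the intent is to check the SDK, pass `"$DIR_SDK"` (or confirm pyrefly's configuration pins the project root), otherwise what gets checked depends on the action's working directory. For parity with the mypy step, also echo the pyrefly version after the run so a failure caused by a tool upgrade can be diagnosed from the CI log.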
Review Comment:
pyrefly gets wired into ci here, but `uv audit` - the actual ask in #3246 -
gets no ci entry anywhere. so the unrequested scope-creep check is enforced on
prs while the security check it was paired with is not. either both belong in
ci, or split this pr: the cooldown is what the issue asked for, pyrefly + audit
tooling is separate scope and separate review.
##########
foreign/python/pyproject.toml:
##########
@@ -78,6 +78,10 @@ include = [
] },
]
+[tool.uv]
+exclude-newer = "7 days"
+exclude-newer-package = { urllib3 = false, pyrefly = false }
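Review bot: the `pyrefly = false` exemption on the last added line is permanent, but the reason given for it (pyrefly 1.0.0 uploaded 2026-05-12, inside the 7-day window at the time of this PR) expires within a week; add a TOML comment with that date and the intent to remove the entry, or drop it in a follow-up once the release ages past the cooldown, so the exemption does not silently outlive its justification.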
Review Comment:
`exclude-newer-package = { urllib3 = false, pyrefly = false }` opts these
two packages out of the 7-day cooldown. pyrefly has a reason - 1.0.0 was
uploaded 2026-05-12, two days before this pr, so the cooldown would block the
version being added. urllib3 has none - it isn't otherwise touched by this pr,
and it's one of the highest-value supply-chain targets in the python ecosystem.
exempting it from the freshness window, in a pr whose stated purpose is
supply-chain hardening, defeats the protection for exactly the package an
attacker would most want to push a fresh malicious release of. drop the urllib3
entry. same exemption is mirrored in `foreign/python/uv.lock` under
`[options.exclude-newer-package]`.