Skip to content

Security fixes #504

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Sep 2, 2025
Merged

Security fixes #504

merged 14 commits into from
Sep 2, 2025

Conversation

@Zeitsperre
Copy link
Collaborator

@Zeitsperre Zeitsperre commented Sep 2, 2025

Overview

This PR adds a few security recommendations. The SBOM and provenance adjustment is for testing purposes as the GitHub Workflow doesn't currently push to DockerHub, but once we no longer have Docker autobuild services, we may be using this for production.

Changes:

  • Updated setuptools to address a CWE issue
  • Restricted the allowed connections in PyPI and TestPyPI workflows
  • Added the nodefaults source in conda configurations
  • Specified a nonroot user for running the Docker service

Related Issue / Discussion

Docker Teams Pro subscription is ending in a few weeks. Birdhouse docker images will need to migrate to using the push option in docker/build-push-action very soon.

@Zeitsperre Zeitsperre self-assigned this Sep 2, 2025
@github-actions github-actions bot added the CI Continuous Integration label Sep 2, 2025
tlogan2000
tlogan2000 approved these changes Sep 2, 2025
View reviewed changes
Copy link
Collaborator

@tlogan2000 tlogan2000 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM assuming you can fix the docker build failure

tlvu
tlvu approved these changes Sep 2, 2025
View reviewed changes
Copy link
Collaborator

@tlvu tlvu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, please take a look at my comments.

@tlvu
Copy link
Collaborator

tlvu commented Sep 2, 2025

Just to speed up this PR, as long as the github build works, you can merge this PR. If write permission error when added to PAVICS stack, we can fix in a separate PR.

@Zeitsperre Zeitsperre merged commit 7316f59 into main Sep 2, 2025
11 checks passed
@Zeitsperre Zeitsperre deleted the security-fixes branch September 2, 2025 19:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tlvu tlvu tlvu approved these changes

@tlogan2000 tlogan2000 tlogan2000 approved these changes

Assignees

@Zeitsperre Zeitsperre

Labels

CI Continuous Integration

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Zeitsperre @tlvu @tlogan2000