From 2538ce3e3a1c5f9790cce41fbb905738b9bec70c Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 30 Jun 2026 03:50:25 +0000 Subject: [PATCH] Clean up CI: remove Bandit, expand PSScriptAnalyzer rules, delete junk file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove bandit.yml: Bandit is a Python security linter but this repo contains no Python code. The workflow ran with exit_zero: true anyway, so it never blocked anything — just CI noise. - Expand PSScriptAnalyzer rule set from 2 rules to 8, adding: PSAvoidUsingComputerNameHardcoded, PSUseDeclaredVarsMoreThanAssignments, PSAvoidUsingCmdletAliases, PSUseShouldProcessForStateChangingFunctions, PSAvoidUsingPositionalParameters, PSUseOutputTypeCorrectly. - Fix PSScriptAnalyzer path from '.\\' (Windows) to '.' for the ubuntu-latest runner. - Remove orphaned .github/-.txt (empty artifact from workflow setup). Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_01DDj3zuCAvrsZcQKsPpPHvA --- .github/-.txt | 1 - .github/workflows/bandit.yml | 52 -------------------------------- .github/workflows/powershell.yml | 7 ++--- 3 files changed, 2 insertions(+), 58 deletions(-) delete mode 100644 .github/-.txt delete mode 100644 .github/workflows/bandit.yml diff --git a/.github/-.txt b/.github/-.txt deleted file mode 100644 index 8b13789..0000000 --- a/.github/-.txt +++ /dev/null @@ -1 +0,0 @@ - diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml deleted file mode 100644 index 95b1471..0000000 --- a/.github/workflows/bandit.yml +++ /dev/null @@ -1,52 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# Bandit is a security linter designed to find common security issues in Python code. -# This action will run Bandit on your codebase. -# The results of the scan will be found under the Security tab of your repository. - -# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname -# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA - -name: Bandit -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '39 20 * * 2' - -jobs: - bandit: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Bandit Scan - uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd - with: # optional arguments - # exit with 0, even with results found - exit_zero: true # optional, default is DEFAULT - # Github token of the repository (automatically created by Github) - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. - # File or directory to run bandit on - # path: # optional, default is . - # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything) - # level: # optional, default is UNDEFINED - # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything) - # confidence: # optional, default is UNDEFINED - # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg) - # excluded_paths: # optional, default is DEFAULT - # comma-separated list of test IDs to skip - # skips: # optional, default is DEFAULT - # path to a .bandit file that supplies command line arguments - # ini_path: # optional, default is DEFAULT - diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml index 87eb186..a7fb286 100644 --- a/.github/workflows/powershell.yml +++ b/.github/workflows/powershell.yml @@ -34,12 +34,9 @@ jobs: - name: Run PSScriptAnalyzer uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f with: - # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. - # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. - path: .\ + path: . recurse: true - # Include your own basic security rules. Removing this option will run all the rules - includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' + includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText", "PSAvoidUsingComputerNameHardcoded", "PSUseDeclaredVarsMoreThanAssignments", "PSAvoidUsingCmdletAliases", "PSUseShouldProcessForStateChangingFunctions", "PSAvoidUsingPositionalParameters", "PSUseOutputTypeCorrectly"' output: results.sarif # Upload the SARIF file generated in the previous step