bitwarden_workflow_linter 0.14.4__tar.gz → 0.15.0__tar.gz

{bitwarden_workflow_linter-0.14.4 → bitwarden_workflow_linter-0.15.0}/.github/workflows/bwwl_operations.yml

@@ -57,7 +57,7 @@ jobs:
       - name: Set up Python 3.12
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
-          python-version: "3.13"
+          python-version: "3.12"
 
       - name: Install bwwl binary
         run: python -m pip install --upgrade bitwarden_workflow_linter

{bitwarden_workflow_linter-0.14.4 → bitwarden_workflow_linter-0.15.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bitwarden_workflow_linter
-Version: 0.14.4
+Version: 0.15.0
 Summary: Custom GitHub Action Workflow Linter
 Project-URL: Homepage, https://github.com/bitwarden/workflow-linter
 Project-URL: Issues, https://github.com/bitwarden/workflow-linter/issues

{bitwarden_workflow_linter-0.14.4 → bitwarden_workflow_linter-0.15.0}/src/bitwarden_workflow_linter/__about__.py

@@ -1,3 +1,3 @@
 """Metadata for Workflow Linter."""
 
-__version__ = "0.14.4"
+__version__ = "0.15.0"

{bitwarden_workflow_linter-0.14.4 → bitwarden_workflow_linter-0.15.0}/src/bitwarden_workflow_linter/default_actions.json

@@ -209,6 +209,11 @@
     "sha": "a9ffb7d5ac46eca1bb1f06656bf888b39462f161",
     "version": "v2.4.0"
   },
+  "databricks/setup-cli": {
+    "name": "databricks/setup-cli",
+    "sha": "e36d8a56a09740e5a9e4ed5aeaf6fc3a2eb2e148",
+    "version": "v0.252.0"
+  },
   "dawidd6/action-download-artifact": {
     "name": "dawidd6/action-download-artifact",
     "sha": "80620a5d27ce0ae443b965134db88467fc607b43",

{bitwarden_workflow_linter-0.14.4 → bitwarden_workflow_linter-0.15.0}/src/bitwarden_workflow_linter/models/job.py

@@ -32,6 +32,7 @@ class Job:
         metadata=config(field_name="with"), default=None
     )
     outputs: Optional[CommentedMap] = None
+    permissions: Optional[object] = None  # This can be a CommentedMap or a string
 
     @classmethod
     def parse_needs(cls: Self, value):
@@ -50,6 +51,7 @@ class Job:
             "env": data["env"] if "env" in data else None,
             "needs": Job.parse_needs(data["needs"]) if "needs" in data else None,
             "outputs": data["outputs"] if "outputs" in data else None,
+            "permissions": data["permissions"] if "permissions" in data else None,
         }
 
         new_job = cls.from_dict(init_data)

{bitwarden_workflow_linter-0.14.4 → bitwarden_workflow_linter-0.15.0}/src/bitwarden_workflow_linter/rules/permissions_exist.py

@@ -3,6 +3,7 @@
 from typing import Optional, Tuple
 
 from ..models.workflow import Workflow
+from ..models.job import Job
 from ..rule import Rule
 from ..utils import LintLevels, Settings
 
@@ -26,18 +27,24 @@ class RulePermissionsExist(Rule):
         lint_level: Optional[LintLevels] = LintLevels.NONE,
     ) -> None:
         self.message = (
-            "A top-level permissions section must be configured in the workflow."
+            "All workflows must specify permissions on either workflow or job level"
         )
         self.on_fail = lint_level
         self.compatibility = [Workflow]
         self.settings = settings
 
-    def permissions_exist(self, obj: Workflow) -> bool:
-        if obj.permissions is None:
+    def permissions_exist_on_workflow(self, workflow: Workflow) -> bool:
+        if workflow.permissions is None:
             return False
         return True
 
+    def permissions_exist_on_jobs(self, jobs: list[Job]) -> bool:
+        for job in jobs:
+            if job.permissions is None:
+                return False
+        return True
+
     def fn(self, obj: Workflow) -> Tuple[bool, str]:
-        if not self.permissions_exist(obj):
+        if not self.permissions_exist_on_workflow(obj) and not self.permissions_exist_on_jobs(obj.jobs.values()):
             return False, f"{self.message}"
         return True, ""

{bitwarden_workflow_linter-0.14.4 → bitwarden_workflow_linter-0.15.0}/tests/rules/test_permissions_exist.py

@@ -56,6 +56,25 @@ jobs:
     return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
 
 
+@pytest.fixture(name="correct_workflow_scoped_permissions_on_job")
+def fixture_correct_workflow_scoped_permissions_on_job():
+    workflow = """\
+---
+on:
+  workflow_dispatch:
+
+jobs:
+  job-key:
+    runs-on: ubuntu-latest
+    permissions:
+        contents: read
+        packages: read
+    steps:
+      - run: echo test
+"""
+    return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
+
+
 @pytest.fixture(name="incorrect_workflow_missing_permissions")
 def fixture_incorrect_workflow_missing_permissions():
     workflow = """\
@@ -72,6 +91,28 @@ jobs:
     return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
 
 
+@pytest.fixture(name="incorrect_workflow_missing_permissions_partial")
+def fixture_incorrect_workflow_missing_permissions_partial():
+    workflow = """\
+---
+on:
+  workflow_dispatch:
+
+jobs:
+  job-key:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo test
+
+  job-key2:
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      - run: echo test2
+"""
+    return WorkflowBuilder.build(workflow=yaml.load(workflow), from_file=False)
+
+
 @pytest.fixture(name="rule")
 def fixture_rule():
     return RulePermissionsExist()
@@ -89,8 +130,21 @@ def test_rule_on_correct_workflow_scoped_permissions(
     assert result is True
 
 
+def test_rule_on_correct_workflow_scoped_permissions_on_job(
+    rule, correct_workflow_scoped_permissions_on_job
+):
+    result, _ = rule.fn(correct_workflow_scoped_permissions_on_job)
+    assert result is True
+
+
 def test_rule_on_incorrect_workflow_missing_permissions(
     rule, incorrect_workflow_missing_permissions
 ):
     result, _ = rule.fn(incorrect_workflow_missing_permissions)
     assert result is False
+
+def test_rule_on_incorrect_workflow_missing_permissions_partial(
+    rule, incorrect_workflow_missing_permissions_partial
+):
+    result, _ = rule.fn(incorrect_workflow_missing_permissions_partial)
+    assert result is False