From 71afe14b2f42833677f9da45342b98436aaffee2 Mon Sep 17 00:00:00 2001 From: Georgy Moiseev Date: Wed, 4 Sep 2024 09:56:07 +0300 Subject: [PATCH 1/5] setup: fix import order --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 4ee0797c..87bcc4c4 100755 --- a/setup.py +++ b/setup.py @@ -7,7 +7,7 @@ import codecs import os -from setuptools import setup, find_packages +from setuptools import find_packages, setup from setuptools.command.build_py import build_py # Extra commands for documentation management From ed717105bf0994dd1a4f4ed0f465640728726014 Mon Sep 17 00:00:00 2001 From: Georgy Moiseev Date: Wed, 4 Sep 2024 09:33:02 +0300 Subject: [PATCH 2/5] ci: fix download artifact vulnerability Versions of actions/download-artifact before 4.1.7 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames [1]. 1. https://github.com/tarantool/tarantool-python/security/dependabot/4 --- .github/workflows/packing.yml | 20 ++++++++++---------- .github/workflows/reusable_testing.yml | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/packing.yml b/.github/workflows/packing.yml index c2456477..c286abf1 100644 --- a/.github/workflows/packing.yml +++ b/.github/workflows/packing.yml @@ -43,7 +43,7 @@ jobs: run: make pip-dist-check - name: Archive pip artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4.4.0 with: name: pip_dist path: pip_dist @@ -84,7 +84,7 @@ jobs: tarantool-version: '2.11' - name: Download pip package artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4.1.8 with: name: pip_dist path: pip_dist @@ -134,7 +134,7 @@ jobs: run: python3 .github/scripts/remove_source_code.py - name: Download pip package artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4.1.8 with: name: pip_dist path: pip_dist 
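Review bot: The bumped `uses:` lines still pin by version tag (`actions/upload-artifact@v4.4.0`), and a tag is a mutable ref that the action owner or anyone with push access to that repository can move, which is the same class of supply-chain exposure this patch is fixing on the download side. Pin every `uses:` to the full 40-character commit SHA with the version kept in a trailing comment, e.g. `uses: actions/upload-artifact@<commit-sha>  # v4.4.0`, so the resolved code cannot change underneath the pipeline; Dependabot still follows the comment to propose updates. The same applies to each `actions/download-artifact@v4.1.8` line in the later hunks of this file. Note also that v4 artifacts are not readable by v3 clients, so every consumer of `pip_dist`, `rpm_dist_*` and `deb_dist` must be on v4 as this patch does; any workflow outside this diff that downloads them needs the same bump.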
@@ -202,7 +202,7 @@ jobs: run: pip3 install twine - name: Download pip package artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4.1.8 with: name: pip_dist path: pip_dist @@ -271,7 +271,7 @@ jobs: run: make rpm-dist-check - name: Archive RPM artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4.4.0 with: name: rpm_dist_${{ matrix.target.os }}_${{ matrix.target.dist }} path: rpm_dist @@ -324,7 +324,7 @@ jobs: dnf install -y tarantool tarantool-devel - name: Download RPM artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4.1.8 with: name: rpm_dist_${{ matrix.target.os }}_${{ matrix.target.dist }} path: rpm_dist @@ -372,7 +372,7 @@ jobs: run: sudo apt install -y curl make - name: Download RPM artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4.1.8 with: name: rpm_dist_${{ matrix.target.os }}_${{ matrix.target.dist }} path: rpm_dist @@ -433,7 +433,7 @@ jobs: run: make deb-dist-check - name: Archive deb artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4.4.0 with: name: deb_dist path: deb_dist @@ -490,7 +490,7 @@ jobs: DEBIAN_FRONTEND: noninteractive - name: Download deb artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4.1.8 with: name: deb_dist path: deb_dist @@ -542,7 +542,7 @@ jobs: run: sudo apt install -y curl make - name: Download deb artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4.1.8 with: name: deb_dist path: deb_dist diff --git a/.github/workflows/reusable_testing.yml b/.github/workflows/reusable_testing.yml index 406a7301..aec47845 100644 --- a/.github/workflows/reusable_testing.yml +++ b/.github/workflows/reusable_testing.yml 
@@ -19,7 +19,7 @@ jobs: repository: ${{ github.repository_owner }}/tarantool-python - name: Download the tarantool build artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v4.1.8 with: name: ${{ inputs.artifact_name }} From f1c9302db1cf3906fec37151d5c610c9a776970d Mon Sep 17 00:00:00 2001 From: Georgy Moiseev Date: Wed, 4 Sep 2024 09:43:43 +0300 Subject: [PATCH 3/5] ci: cancel previous runs on PR push After this patch, current PR pipeline runs will be cancelled if new commits/force push triggers new pipelines. --- .github/workflows/packing.yml | 4 ++++ .github/workflows/testing.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/packing.yml b/.github/workflows/packing.yml index c286abf1..c719b31a 100644 --- a/.github/workflows/packing.yml +++ b/.github/workflows/packing.yml @@ -6,6 +6,10 @@ on: pull_request_target: types: [labeled] +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: pack_pip: # We want to run on external PRs, but not on our own internal diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 82f299b4..05927f4c 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -6,6 +6,10 @@ on: pull_request_target: types: [labeled] +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: run_tests_ce_linux: # We want to run on external PRs, but not on our own internal From abc89389855937552d62fa45a92d029ca0d81f12 Mon Sep 17 00:00:00 2001 
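Review bot: `cancel-in-progress: true` in packing.yml applies to every event the workflow runs on, not only pull requests, so two pushes or tags arriving in quick succession will abort the earlier packaging run partway through; a later hunk of this file shows a `pip3 install twine` step, which suggests this workflow also publishes, and a cancelled run could leave some distributions uploaded and others not. Consider cancelling only PR-triggered runs, `cancel-in-progress: ${{ github.event_name != 'push' }}`, and letting push/tag runs queue. The group key itself is sound: for `pull_request_target` the PR number is set, and `github.ref` only takes effect for push-style events. The `on:` block is cut off above this hunk, so which push events reach this workflow cannot be confirmed here.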
From: Georgy Moiseev Date: Wed, 4 Sep 2024 11:08:30 +0300 Subject: [PATCH 4/5] package: drop Python 3.6 support Python 3.6 EOL is 2021-12-23 [1]. Current build script no longer supports Python 3.6 due to `packaging` Python dependency bump. (And fixing the issue is more than just fixating older `packaging` version as a dependency.) https://devguide.python.org/versions/ --- .github/workflows/testing.yml | 9 ++++----- CHANGELOG.md | 5 +++++ requirements.txt | 1 - setup.py | 4 ++-- 4 files changed, 11 insertions(+), 8 deletions(-) diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 05927f4c..b072be05 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -33,7 +33,6 @@ jobs: - '2.11' - 'master' python: - - '3.6' - '3.7' - '3.8' - '3.9' @@ -157,7 +156,7 @@ jobs: path: 'release/linux/x86_64/2.10/' - bundle: 'sdk-gc64-2.11.0-0-r563.linux.x86_64' path: 'release/linux/x86_64/2.11/' - python: ['3.6', '3.11'] + python: ['3.7', '3.11'] steps: - name: Clone the connector @@ -225,7 +224,7 @@ jobs: tarantool: - '2.11' python: - - '3.6' + - '3.7' - '3.11' steps: - name: Clone the connector repo @@ -278,7 +277,7 @@ jobs: tarantool: - '2.11.0.g247a9a418-1' python: - - '3.6' + - '3.7' - '3.11' steps: @@ -348,7 +347,7 @@ jobs: tarantool: - '2.11.0.g247a9a418-1' python: - - '3.6' + - '3.7' - '3.11' steps: - name: Clone the connector repo diff --git a/CHANGELOG.md b/CHANGELOG.md index 28f93b19..8edd47e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## Unreleased + +### Changed +- Drop Python 3.6 support (PR #327). + ## 1.2.0 - 2024-03-27 ### Added diff --git a/requirements.txt b/requirements.txt index d88dbea3..afcf7b25 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1,3 +1,2 @@ msgpack pytz -dataclasses; python_version <= '3.6' diff --git a/setup.py b/setup.py index 87bcc4c4..3fa65c9c 100755 --- a/setup.py +++ b/setup.py @@ -112,7 +112,7 @@ def get_dependencies(filename): command_options=command_options, install_requires=get_dependencies('requirements.txt'), setup_requires=[ - 'setuptools_scm==6.4.2', + 'setuptools_scm==7.1.0', ], - python_requires='>=3.6', + python_requires='>=3.7', ) From b32cab7ab9d6c906a2bcdd6f68f1797368c99bd7 Mon Sep 17 00:00:00 2001 From: Georgy Moiseev Date: Wed, 4 Sep 2024 11:09:53 +0300 Subject: [PATCH 5/5] ci: bump installer script --- .github/workflows/packing.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/packing.yml b/.github/workflows/packing.yml index c719b31a..6613f218 100644 --- a/.github/workflows/packing.yml +++ b/.github/workflows/packing.yml @@ -324,7 +324,7 @@ jobs: - name: Install tarantool run: | - curl -L https://tarantool.io/yeohchA/release/2/installer.sh | bash + curl -L https://tarantool.io/release/2/installer.sh | bash dnf install -y tarantool tarantool-devel - name: Download RPM artifacts @@ -488,7 +488,7 @@ jobs: - name: Install tarantool ${{ matrix.tarantool }} run: | apt install -y curl - curl -L https://tarantool.io/yeohchA/release/2/installer.sh | bash + curl -L https://tarantool.io/release/2/installer.sh | bash apt install -y tarantool tarantool-dev env: DEBIAN_FRONTEND: noninteractive
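Review bot: `setup_requires=['setuptools_scm==7.1.0']` keeps build-time dependency resolution on setuptools' legacy easy_install path, which is deprecated and does not honour pip's index, proxy or hash-pinning configuration, so this one build dependency is fetched outside the controls applied to everything else; nothing in this diff shows a `pyproject.toml` `[build-system]` table, so this appears to be the only declaration. Declare it there instead, a `[build-system]` table with `requires = ["setuptools", "setuptools_scm==7.1.0"]` and `build-backend = "setuptools.build_meta"`, and drop `setup_requires`. It is also worth recording in the CHANGELOG entry that 3.7 has itself been end-of-life since 2023-06-27, so `python_requires='>=3.7'` is a short-lived floor. The `setup()` call starts above this hunk.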
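Review bot: `curl -L https://tarantool.io/release/2/installer.sh | bash` executes whatever the server returns with no integrity check, presumably as root given the direct `dnf install` that follows, and the path change does not alter that; without `-f` an HTTP error page is piped into bash too, and because the default `run:` shell has no `pipefail`, a failed curl leaves the step green and the following `dnf install -y tarantool tarantool-devel` resolving against whatever repositories were already configured. At minimum fetch to a file and fail fast, `curl -fsSL --proto '=https' --tlsv1.2 -o installer.sh https://tarantool.io/release/2/installer.sh`, then `bash installer.sh`; if the project publishes a digest for the script, verify it with `sha256sum -c` before running it. The job's `container:` and matrix settings are above this hunk, so the user the step runs as cannot be confirmed here.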
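Review bot: The `apt install -y tarantool tarantool-dev` after the `curl ... | bash` line has no guard that the installer actually added the tarantool repository: if curl fails or returns a non-script body, bash exits 0, the step continues, and apt may install the distribution's own `tarantool` package instead, so the `${{ matrix.tarantool }}` in the step name would not match what is under test. Add `shell: bash` to the step (GitHub then runs it with `-eo pipefail`) or start the script with `set -o pipefail`, and use `curl -fsSL` so HTTP errors fail the step. The same download-then-verify treatment suggested for the dnf step applies here. The job definition starts above this hunk, so its container and shell settings cannot be confirmed from what is shown.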