From 15d84a13370820fb0396babac3c3bb16fad04246 Mon Sep 17 00:00:00 2001
From: Zack Koppert
Date: Wed, 22 Apr 2026 16:05:30 -0700
Subject: [PATCH] fix: resolve supply chain security code scanning alerts

- Remove legacy Dockerfile (Ubuntu Trusty 14.04, Python 2, Ruby 2.4.1, references bintray.com which shut down 2021). It was never used by CI and generated recurring scanner alerts and dependabot noise.
- Remove docker ecosystem from dependabot config since Dockerfile no longer exists.
- Add --require-hashes --no-deps flags to pip install in CI workflow to enforce hash verification explicitly (alert #12).

Resolves code scanning alerts #12, #14, #15, #16.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert
---
 .dockerignore | 1 -
 .github/dependabot.yaml | 13 +------------
 .github/workflows/ci.yml | 2 +-
 Dockerfile | 39 ---------------------------------------
 4 files changed, 2 insertions(+), 53 deletions(-)
 delete mode 100644 .dockerignore
 delete mode 100644 Dockerfile

diff --git a/.dockerignore b/.dockerignore
deleted file mode 100644
index 94143827..00000000
--- a/.dockerignore
+++ /dev/null
@@ -1 +0,0 @@
-Dockerfile
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index 802b7513..99c6ef14 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -25,15 +25,4 @@ updates:
 update-types:
 - 'minor'
 - 'patch'
- - package-ecosystem: 'docker'
- directory: '/'
- schedule:
- interval: 'weekly'
- commit-message:
- prefix: 'chore(deps)'
- groups:
- dependencies:
- applies-to: version-updates
- update-types:
- - 'minor'
- - 'patch'
+
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0cfb5cc5..e2ccba71 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
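Review bot: The only addition in the dependabot.yaml hunk is an empty `+` line, so after this change the file ends with a blank line following `- 'patch'` instead of ending on the last list item. A pure removal of the twelve docker-ecosystem lines, with no `+` line, matches what the commit message describes and avoids a trailing-blank-line complaint from yamllint's default `empty-lines` rule if the repo runs it. The surrounding `updates:` list starts above the hunk, so I cannot tell from here which ecosystems remain configured.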
@@ -54,7 +54,7 @@ jobs:
 - name: Install Python dependencies
 run: |
 echo 'docutils==0.22.4 --hash=sha256:d0013f540772d1420576855455d050a2180186c91c15779301ac2ccb3eeb68de' > /tmp/requirements.txt
- python -m pip install -r /tmp/requirements.txt
+ python -m pip install --require-hashes --no-deps -r /tmp/requirements.txt
 - name: Run rake
 run: |
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index eade13c8..00000000
--- a/Dockerfile
+++ /dev/null
@@ -1,39 +0,0 @@
-FROM ubuntu:trusty@sha256:64483f3496c1373bfd55348e88694d1c4d0c9b660dee6bfef5e12f43b9933b30 # trusty
-
-RUN apt-get update -qq
-RUN apt-get install -y apt-transport-https
-
-RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 379CE192D401AB61
-RUN echo "deb https://dl.bintray.com/nxadm/rakudo-pkg-debs `lsb_release -cs` main" | tee -a /etc/apt/sources.list.d/rakudo-pkg.list
-RUN apt-get update -qq
-
-RUN apt-get install -y \
- perl rakudo-pkg curl git build-essential python python-pip \
- libssl-dev libreadline-dev zlib1g-dev \
- libicu-dev cmake pkg-config
-
-ENV PATH $PATH:/opt/rakudo-pkg/bin
-RUN install-zef-as-user && zef install Pod::To::HTML
-
-RUN curl -L http://cpanmin.us | perl - App::cpanminus
-RUN cpanm --installdeps --notest Pod::Simple
-
-RUN pip install docutils==0.18.1
-
-ENV PATH $PATH:/root/.rbenv/bin:/root/.rbenv/shims
-RUN curl -fsSL https://github.com/rbenv/rbenv-installer/raw/master/bin/rbenv-installer | bash
-RUN rbenv install 2.4.1
-RUN rbenv global 2.4.1
-RUN rbenv rehash
-
-RUN gem install bundler -v 2.3.26
-
-WORKDIR /data/github-markup
-COPY github-markup.gemspec .
-COPY Gemfile .
-COPY Gemfile.lock .
-COPY lib/github-markup.rb lib/github-markup.rb
-RUN bundle
-
-ENV LC_ALL en_US.UTF-8
-RUN locale-gen en_US.UTF-8
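Review bot: The new `python -m pip install --require-hashes --no-deps -r /tmp/requirements.txt` line carries no comment explaining why both flags are present, so the next person who adds a package or shortens the command has nothing telling them the step is meant to fail closed. I would add a comment above the `run: |` block, e.g. `# --require-hashes makes pip reject any requirement without a matching --hash (pip only enforces hashes implicitly when one happens to be present); --no-deps keeps pip from resolving transitive packages that would have no hash.` The same comment should say that any package added to the `echo` line needs its own `--hash=` or the step will now refuse it, and that the installer itself (the pip bundled with the runner's Python) is still unpinned by this hunk. The enclosing job starts above the hunk.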