Merge branch 'master' into spec-resync-11-10-2025

2025-11-21 09:49:02 -05:00 · 2025-11-21 09:49:02 -05:00 · a18931f786
commit a18931f786
parent 254c3ed9c8 47da699a87
6 changed files with 252 additions and 16 deletions
--- a/.github/workflows/dist.yml
+++ b/.github/workflows/dist.yml
@ -61,7 +61,7 @@ jobs:

      - name: Set up QEMU
        if: runner.os == 'Linux'
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
        with:
          # setup-qemu-action by default uses `tonistiigi/binfmt:latest` image,
          # which is out of date. This causes seg faults during build.
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@ -0,0 +1,88 @@
+name: Generate SBOM
+
+# This workflow uses cdxgen and publishes an sbom.json artifact.
+# It runs on manual trigger or when package files change on main branch,
+# and creates a PR with the updated SBOM.
+# Internal documentation: go/sbom-scope
+
+on:
+  workflow_dispatch: {}
+  push:
+    branches: ['master']
+    paths:
+      - 'pyproject.toml'
+      - 'requirements.txt'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  sbom:
+    name: Generate SBOM and Create PR
+    runs-on: ubuntu-latest
+    concurrency:
+      group: sbom-${{ github.ref }}
+      cancel-in-progress: false
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Generate SBOM
+        run: |
+          python -m venv .venv
+          source .venv/bin/activate
+          pip install -r requirements.txt
+          pip install .
+          npx @cyclonedx/cdxgen -t python --exclude "uv.lock" --exclude "requirements/**" --exclude "requirements.txt" --spec-version 1.5 --no-validate --json-pretty -o sbom.json
+        env:
+          FETCH_LICENSE: true
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom.json
+          if-no-files-found: error
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@b4733b9419fd47bbfa1807b15627e17cd70b5b22
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: 'chore: Update SBOM after dependency changes'
+          branch: auto-update-sbom-${{ github.run_id }}
+          delete-branch: true
+          title: 'chore: Update SBOM'
+          body: |
+            ## Automated SBOM Update
+
+            This PR was automatically generated because dependency manifest files changed.
+
+            ### Changes
+            - Updated `sbom.json` to reflect current dependencies
+
+            ### Verification
+            The SBOM was generated using cdxgen with the current Python environment.
+
+            ### Triggered by
+            - Commit: ${{ github.sha }}
+            - Workflow run: ${{ github.run_id }}
+
+            ---
+            _This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_
+          labels: |
+            sbom
+            automated
+            dependencies
+
+      - name: Cleanup
+        if: always()
+        run: rm -rf .venv
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@ -18,4 +18,4 @@ jobs:
        with:
          persist-credentials: false
      - name: Run zizmor 🌈
-        uses: zizmorcore/zizmor-action@da5ac40c5419dcf7f21630fb2f95e725ae8fb9d5
+        uses: zizmorcore/zizmor-action@1aba86d8e1245be7a9ca003d46fcc85a76e6aa61
--- a/pyproject.toml
+++ b/pyproject.toml
@ -60,7 +60,7 @@ mockupdb = [
 perf = ["simplejson>=3.17.0"]
 typing = [
    "mypy==1.18.2",
-    "pyright==1.1.406",
+    "pyright==1.1.407",
    "typing_extensions",
    "pip"
 ]
--- a/sbom.json
+++ b/sbom.json
@ -1,11 +1,159 @@
 {
-    "metadata": {
-      "timestamp": "2024-05-02T17:36:12.698229+00:00"
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:f91a87bf-a37f-4c1e-805f-142f60b2c960",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2025-11-20T21:30:34Z",
+    "tools": {
+      "components": [
+        {
+          "group": "@cyclonedx",
+          "name": "cdxgen",
+          "version": "11.11.0",
+          "purl": "pkg:npm/%40cyclonedx/cdxgen@11.11.0",
+          "type": "application",
+          "bom-ref": "pkg:npm/@cyclonedx/cdxgen@11.11.0",
+          "author": "OWASP Foundation",
+          "publisher": "OWASP Foundation"
+        }
+      ]
    },
-    "components": [],
-    "serialNumber": "urn:uuid:9876a8a6-060e-486f-b128-910aecf0fe7b",
-    "version": 1,
-    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
-    "bomFormat": "CycloneDX",
-    "specVersion": "1.5"
-  }
+    "authors": [
+      {
+        "name": "OWASP Foundation"
+      }
+    ],
+    "lifecycles": [
+      {
+        "phase": "build"
+      }
+    ],
+    "component": {
+      "name": "pymongo",
+      "description": "PyMongo - the Official MongoDB Python driver",
+      "authors": [
+        {
+          "name": "The MongoDB Python Team"
+        }
+      ],
+      "tags": [
+        "bson",
+        "gridfs",
+        "mongo",
+        "mongodb",
+        "pymongo"
+      ],
+      "properties": [
+        {
+          "name": "cdx:pypi:requiresPython",
+          "value": ">=3.9"
+        },
+        {
+          "name": "SrcFile",
+          "value": "/home/runner/work/mongo-python-driver/mongo-python-driver/pyproject.toml"
+        }
+      ],
+      "type": "application",
+      "bom-ref": "pkg:pypi/pymongo@latest",
+      "purl": "pkg:pypi/pymongo@latest",
+      "version": "latest",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "url": "https://opensource.org/licenses/Apache-2.0"
+          }
+        }
+      ]
+    },
+    "properties": [
+      {
+        "name": "cdx:bom:componentTypes",
+        "value": "pypi"
+      },
+      {
+        "name": "cdx:bom:componentSrcFiles",
+        "value": "pyproject.toml"
+      }
+    ]
+  },
+  "components": [
+    {
+      "group": "",
+      "name": "pymongo",
+      "version": "latest",
+      "purl": "pkg:pypi/pymongo@latest",
+      "type": "library",
+      "bom-ref": "pkg:pypi/pymongo@latest",
+      "properties": [
+        {
+          "name": "SrcFile",
+          "value": "pyproject.toml"
+        }
+      ],
+      "evidence": {
+        "identity": {
+          "field": "purl",
+          "confidence": 1,
+          "methods": [
+            {
+              "technique": "instrumentation",
+              "confidence": 1,
+              "value": "/home/runner/work/mongo-python-driver/mongo-python-driver/.venv"
+            }
+          ]
+        }
+      }
+    },
+    {
+      "author": "Bob Halley <halley@dnspython.org>",
+      "group": "",
+      "name": "dnspython",
+      "version": "2.8.0",
+      "description": "DNS toolkit",
+      "licenses": [
+        {
+          "license": {
+            "id": "ISC",
+            "url": "https://opensource.org/licenses/ISC"
+          }
+        }
+      ],
+      "purl": "pkg:pypi/dnspython@2.8.0",
+      "type": "library",
+      "bom-ref": "pkg:pypi/dnspython@2.8.0",
+      "properties": [
+        {
+          "name": "SrcFile",
+          "value": "pyproject.toml"
+        }
+      ],
+      "evidence": {
+        "identity": {
+          "field": "purl",
+          "confidence": 1,
+          "methods": [
+            {
+              "technique": "instrumentation",
+              "confidence": 1,
+              "value": "/home/runner/work/mongo-python-driver/mongo-python-driver/.venv"
+            }
+          ]
+        }
+      }
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:pypi/dnspython@2.8.0",
+      "dependsOn": []
+    },
+    {
+      "ref": "pkg:pypi/pymongo@latest",
+      "dependsOn": [
+        "pkg:pypi/dnspython@2.8.0"
+      ]
+    }
+  ]
+}
--- a/uv.lock
+++ b/uv.lock
@ -1309,7 +1309,7 @@ pip = [{ name = "pip" }]
 typing = [
    { name = "mypy", specifier = "==1.18.2" },
    { name = "pip" },
-    { name = "pyright", specifier = "==1.1.406" },
+    { name = "pyright", specifier = "==1.1.407" },
    { name = "typing-extensions" },
 ]

@ -1359,15 +1359,15 @@ wheels = [

 [[package]]
 name = "pyright"
-version = "1.1.406"
+version = "1.1.407"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "nodeenv" },
    { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/f7/16/6b4fbdd1fef59a0292cbb99f790b44983e390321eccbc5921b4d161da5d1/pyright-1.1.406.tar.gz", hash = "sha256:c4872bc58c9643dac09e8a2e74d472c62036910b3bd37a32813989ef7576ea2c", size = 4113151, upload-time = "2025-10-02T01:04:45.488Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/a6/1b/0aa08ee42948b61745ac5b5b5ccaec4669e8884b53d31c8ec20b2fcd6b6f/pyright-1.1.407.tar.gz", hash = "sha256:099674dba5c10489832d4a4b2d302636152a9a42d317986c38474c76fe562262", size = 4122872, upload-time = "2025-10-24T23:17:15.145Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/f6/a2/e309afbb459f50507103793aaef85ca4348b66814c86bc73908bdeb66d12/pyright-1.1.406-py3-none-any.whl", hash = "sha256:1d81fb43c2407bf566e97e57abb01c811973fdb21b2df8df59f870f688bdca71", size = 5980982, upload-time = "2025-10-02T01:04:43.137Z" },
+    { url = "https://files.pythonhosted.org/packages/dc/93/b69052907d032b00c40cb656d21438ec00b3a471733de137a3f65a49a0a0/pyright-1.1.407-py3-none-any.whl", hash = "sha256:6dd419f54fcc13f03b52285796d65e639786373f433e243f8b94cf93a7444d21", size = 5997008, upload-time = "2025-10-24T23:17:13.159Z" },
 ]

 [[package]]