From 63acab96cfe5da378cb05cf07b8fda72d1827cc4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 11 Nov 2025 09:23:32 -0600
Subject: [PATCH 1/4] Bump the actions group with 2 updates (#2608)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/dist.yml | 2 +-
.github/workflows/zizmor.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/dist.yml b/.github/workflows/dist.yml
index b4d4a2e78..7530e73e4 100644
--- a/.github/workflows/dist.yml
+++ b/.github/workflows/dist.yml
@@ -61,7 +61,7 @@ jobs: - name: Set up QEMU if: runner.os == 'Linux' - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 with: # setup-qemu-action by default uses `tonistiigi/binfmt:latest` image, # which is out of date. This causes seg faults during build.
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index c991de2e6..6d78564f8 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -18,4 +18,4 @@ jobs: with: persist-credentials: false - name: Run zizmor 🌈 - uses: zizmorcore/zizmor-action@da5ac40c5419dcf7f21630fb2f95e725ae8fb9d5 + uses: zizmorcore/zizmor-action@1aba86d8e1245be7a9ca003d46fcc85a76e6aa61
From 44a58f1650c5c4d32056f72867037cf870938c45 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 13 Nov 2025 12:22:00 -0600
Subject: [PATCH 2/4] Bump pyright from 1.1.406 to 1.1.407 (#2603)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jib
Co-authored-by: Steven Silvester
---
pyproject.toml | 2 +-
uv.lock | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index ef7140edd..a76189c57 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -60,7 +60,7 @@ mockupdb = [ perf = ["simplejson>=3.17.0"] typing = [ "mypy==1.18.2", - "pyright==1.1.406", + "pyright==1.1.407", "typing_extensions", "pip" ]
diff --git a/uv.lock b/uv.lock
index c021943b0..d31990880 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1309,7 +1309,7 @@ pip = [{ name = "pip" }] typing = [ { name = "mypy", specifier = "==1.18.2" }, { name = "pip" }, - { name = "pyright", specifier = "==1.1.406" }, + { name = "pyright", specifier = "==1.1.407" }, { name = "typing-extensions" }, ]
@@ -1359,15 +1359,15 @@ wheels = [ [[package]] name = "pyright" -version = "1.1.406" +version = "1.1.407" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "nodeenv" }, { name = "typing-extensions" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/f7/16/6b4fbdd1fef59a0292cbb99f790b44983e390321eccbc5921b4d161da5d1/pyright-1.1.406.tar.gz", hash = "sha256:c4872bc58c9643dac09e8a2e74d472c62036910b3bd37a32813989ef7576ea2c", size = 4113151, upload-time = "2025-10-02T01:04:45.488Z" } +sdist = { url = "https://files.pythonhosted.org/packages/a6/1b/0aa08ee42948b61745ac5b5b5ccaec4669e8884b53d31c8ec20b2fcd6b6f/pyright-1.1.407.tar.gz", hash = "sha256:099674dba5c10489832d4a4b2d302636152a9a42d317986c38474c76fe562262", size = 4122872, upload-time = "2025-10-24T23:17:15.145Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/f6/a2/e309afbb459f50507103793aaef85ca4348b66814c86bc73908bdeb66d12/pyright-1.1.406-py3-none-any.whl", hash = "sha256:1d81fb43c2407bf566e97e57abb01c811973fdb21b2df8df59f870f688bdca71", size = 5980982, upload-time = "2025-10-02T01:04:43.137Z" }, + { url = "https://files.pythonhosted.org/packages/dc/93/b69052907d032b00c40cb656d21438ec00b3a471733de137a3f65a49a0a0/pyright-1.1.407-py3-none-any.whl", hash = "sha256:6dd419f54fcc13f03b52285796d65e639786373f433e243f8b94cf93a7444d21", size = 5997008, upload-time = "2025-10-24T23:17:13.159Z" }, ] [[package]]
From 71e0c950e14854e35d280d64950f132a497ffaca Mon Sep 17 00:00:00 2001
From: thanhnguyen-mdb
Date: Thu, 20 Nov 2025 15:02:46 -0600
Subject: [PATCH 3/4] PYTHON-5433 - Added SBOM update automation (#2617)
---
.github/workflows/sbom.yml | 88 ++++++++++++++++++++++++++++++++++++++
1 file changed, 88 insertions(+)
create mode 100644 .github/workflows/sbom.yml
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 000000000..fcf39902d
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,88 @@ +name: Generate SBOM + +# This workflow uses cdxgen and publishes an sbom.json artifact. +# It runs on manual trigger or when package files change on main branch, +# and creates a PR with the updated SBOM. +# Internal documentation: go/sbom-scope + +on: + workflow_dispatch: {} + push: + branches: ['master'] + paths: + - 'pyproject.toml' + - 'requirements.txt' + +permissions: + contents: write + pull-requests: write + +jobs: + sbom: + name: Generate SBOM and Create PR + runs-on: ubuntu-latest + concurrency: + group: sbom-${{ github.ref }} + cancel-in-progress: false + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.10" + + - name: Generate SBOM + run: | + python -m venv .venv + source .venv/bin/activate + pip install -r requirements.txt + pip install . + npx @cyclonedx/cdxgen -t python --exclude "uv.lock" --exclude "requirements/**" --exclude "requirements.txt" --spec-version 1.5 --no-validate --json-pretty -o sbom.json + env: + FETCH_LICENSE: true + + - name: Upload SBOM artifact + uses: actions/upload-artifact@v4 + with: + name: sbom + path: sbom.json + if-no-files-found: error + + - name: Create Pull Request + uses: peter-evans/create-pull-request@b4733b9419fd47bbfa1807b15627e17cd70b5b22 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: 'chore: Update SBOM after dependency changes' + branch: auto-update-sbom-${{ github.run_id }} + delete-branch: true + title: 'chore: Update SBOM' + body: | + ## Automated SBOM Update + + This PR was automatically generated because dependency manifest files changed. + + ### Changes + - Updated `sbom.json` to reflect current dependencies + + ### Verification + The SBOM was generated using cdxgen with the current Python environment. 
+ + ### Triggered by + - Commit: ${{ github.sha }} + - Workflow run: ${{ github.run_id }} + + --- + _This PR was created automatically by the [SBOM workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})_ + labels: | + sbom + automated + dependencies + + - name: Cleanup + if: always() + run: rm -rf .venv
From 47da699a8737cd63f9b51a3549c7bcf633c99838 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 20 Nov 2025 18:41:46 -0600
Subject: [PATCH 4/4] chore: Update SBOM (#2619)
Co-authored-by: blink1073 <2096628+blink1073@users.noreply.github.com>
---
sbom.json | 166 +++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 157 insertions(+), 9 deletions(-)
diff --git a/sbom.json b/sbom.json
index 56e27f536..d2e02eeb7 100644
--- a/sbom.json
+++ b/sbom.json
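Review bot: The three `uses:` steps in the new sbom.yml (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/upload-artifact@v4`) are pinned to mutable tags, and the `npx @cyclonedx/cdxgen` call in the Generate SBOM step resolves whatever version the npm registry serves at run time, all inside a job that holds `contents: write` and `pull-requests: write`; the other workflow hunks in this series (dist.yml, zizmor.yml) pin actions to full commit SHAs with a `# vN` comment, and the repository's zizmor run will likely flag the tag pins. Pin the three actions to commit SHAs the same way, and pin the generator, e.g. `npx @cyclonedx/cdxgen@11.11.0 -t python ...` (11.11.0 is the cdxgen version recorded in the committed sbom.json in the next patch), so a registry-side change cannot alter what gets written back to the repository. The header comment says the workflow runs "when package files change on main branch", but the trigger is `branches: ['master']`; align the comment with the trigger. `--no-validate` skips schema validation of the SBOM that the Create Pull Request step then commits; unless cdxgen's validator is known to reject correct output here, dropping the flag would catch a malformed artifact before it reaches a PR.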
@@ -1,11 +1,159 @@ { - "metadata": { - "timestamp": "2024-05-02T17:36:12.698229+00:00" + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:f91a87bf-a37f-4c1e-805f-142f60b2c960", + "version": 1, + "metadata": { + "timestamp": "2025-11-20T21:30:34Z", + "tools": { + "components": [ + { + "group": "@cyclonedx", + "name": "cdxgen", + "version": "11.11.0", + "purl": "pkg:npm/%40cyclonedx/cdxgen@11.11.0", + "type": "application", + "bom-ref": "pkg:npm/@cyclonedx/cdxgen@11.11.0", + "author": "OWASP Foundation", + "publisher": "OWASP Foundation" + } + ] }, - "components": [], - "serialNumber": "urn:uuid:9876a8a6-060e-486f-b128-910aecf0fe7b", - "version": 1, - "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", - "bomFormat": "CycloneDX", - "specVersion": "1.5" - } \ No newline at end of file + "authors": [ + { + "name": "OWASP Foundation" + } + ], + "lifecycles": [ + { + "phase": "build" + } + ], + "component": { + "name": "pymongo", + "description": "PyMongo - the Official MongoDB Python driver", + "authors": [ + { + "name": "The MongoDB Python Team" + } + ], + "tags": [ + "bson", + "gridfs", + "mongo", + "mongodb", + "pymongo" + ], + "properties": [ + { + "name": "cdx:pypi:requiresPython", + "value": ">=3.9" + }, + { + "name": "SrcFile", + "value": "/home/runner/work/mongo-python-driver/mongo-python-driver/pyproject.toml" + } + ], + "type": "application", + "bom-ref": "pkg:pypi/pymongo@latest", + "purl": "pkg:pypi/pymongo@latest", + "version": "latest", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "url": "https://opensource.org/licenses/Apache-2.0" + } + } + ] + }, + "properties": [ + { + "name": "cdx:bom:componentTypes", + "value": "pypi" + }, + { + "name": "cdx:bom:componentSrcFiles", + "value": "pyproject.toml" + } + ] + }, + "components": [ + { + "group": "", + "name": "pymongo", + "version": "latest", + "purl": "pkg:pypi/pymongo@latest", + "type": "library", + "bom-ref": "pkg:pypi/pymongo@latest", + "properties": [ 
+ { + "name": "SrcFile", + "value": "pyproject.toml" + } + ], + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/runner/work/mongo-python-driver/mongo-python-driver/.venv" + } + ] + } + } + }, + { + "author": "Bob Halley ", + "group": "", + "name": "dnspython", + "version": "2.8.0", + "description": "DNS toolkit", + "licenses": [ + { + "license": { + "id": "ISC", + "url": "https://opensource.org/licenses/ISC" + } + } + ], + "purl": "pkg:pypi/dnspython@2.8.0", + "type": "library", + "bom-ref": "pkg:pypi/dnspython@2.8.0", + "properties": [ + { + "name": "SrcFile", + "value": "pyproject.toml" + } + ], + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/runner/work/mongo-python-driver/mongo-python-driver/.venv" + } + ] + } + } + } + ], + "dependencies": [ + { + "ref": "pkg:pypi/dnspython@2.8.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pymongo@latest", + "dependsOn": [ + "pkg:pypi/dnspython@2.8.0" + ] + } + ] +} \ No newline at end of file