diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0992475..53d7876 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -75,7 +75,7 @@ jobs:
 - name: Install pre-commit
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install pre-commit
 - name: Cache pre-commit hooks
@@ -149,7 +149,7 @@ jobs:
 - name: Install dependencies
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install -e ".[test]"
 - name: Create required directories
@@ -226,7 +226,7 @@ jobs:
 - name: Install dependencies
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install -e ".[test]"
 - name: Create required directories
@@ -285,7 +285,7 @@ jobs:
 - name: Install build tools
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install build twine
 - name: Build sdist and wheel
@@ -336,7 +336,7 @@ jobs:
 - name: Install project dependencies
 shell: bash -l {0}
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install -e ".[test]"
 - name: Generate Dependency Documentation
@@ -391,7 +391,7 @@ jobs:
 - name: Install security tools
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 # ``[sarif]`` extra installs the optional SARIF formatter (jschema-to-python).
 pip install "bandit[sarif]" pip-audit
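Review bot: The new `"pip>=26.1.1"` floor carries no comment saying why that version, while the commit removes the only text (the CVE-2026-3219 comments in the pip-audit steps) that explained it; the same line appears in all six ci.yml hunks here and again in scheduled-tests.yml @@ -55 and security-scan.yml @@ -21. A future maintainer will see an arbitrary-looking floor and may drop it, which presumably reintroduces the advisory the pip-audit steps no longer ignore. Suggested comment above each install line: `# pip >= 26.1.1: floor for the CVE-2026-3219 fix (see pip-audit steps); keep in sync across workflows.` — "fix" is inferred from the commit pairing the floor with the dropped --ignore-vuln, so adjust if the fixed release differs. Consider also defining the floor once in a workflow-level `env:` value so the eight copies cannot drift.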
@@ -433,9 +433,7 @@ jobs:
 echo "╚════════════════════════════════════════════════════════════╝"
 pip install -e ".[test]"
 pip freeze | grep -ivE "^juniper[-_]data[-_]client" > reports/security/requirements.txt
- # --ignore-vuln CVE-2026-3219: pip 26.0.1 on the runner image
- # has no fix available as of 2026-04-29.
- pip-audit -r reports/security/requirements.txt --strict --desc on --ignore-vuln CVE-2026-3219 \
+ pip-audit -r reports/security/requirements.txt --strict --desc on \
 || (echo "::error::Critical/High vulnerabilities found in dependencies" && exit 1)
 - name: Upload Security Reports
diff --git a/.github/workflows/scheduled-tests.yml b/.github/workflows/scheduled-tests.yml
index 2071111..73cb471 100644
--- a/.github/workflows/scheduled-tests.yml
+++ b/.github/workflows/scheduled-tests.yml
@@ -55,7 +55,7 @@ jobs:
 - name: Install dependencies
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install -e ".[test]" || pip install -e ".[dev]" || pip install -e .
 - name: Run slow / integration tests
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 5937344..8bb36b6 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Install dependencies
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install "bandit[sarif]" pip-audit
 pip install -e ".[dev]"
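Review bot: The new `pip-audit -r reports/security/requirements.txt --strict --desc on \` audits a file produced by `pip freeze`, and `pip freeze` omits pip itself unless `--all` is given, so whether this step still checks the job's own pip version depends on how pip-audit's resolver populates its environment rather than on the file; the removed comment shows pip was flagged here before, but that is not guaranteed to hold after the ignore is dropped. The cheap way to make the check explicit is `pip freeze --all | grep -ivE "^juniper[-_]data[-_]client" > reports/security/requirements.txt`, so the pinned pip release is part of the audited set. The enclosing `run: |` block starts before this hunk.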
@@ -34,12 +34,7 @@ jobs:
 bandit -r juniper_data_client --confidence-level medium --severity-level medium
 - name: Run pip-audit (Dependency Vulnerabilities)
- # --ignore-vuln CVE-2026-3219: pip 26.0.1 (pre-installed on the
- # GitHub Actions runner image) is flagged for the concatenated
- # tar/ZIP confusion issue. As of 2026-04-29 there is no fixed
- # pip release. Re-evaluate and remove this flag when pip
- # publishes a fix.
- run: pip-audit --strict --desc on --ignore-vuln CVE-2026-3219
+ run: pip-audit --strict --desc on
 - name: Upload Security Reports
 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
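Review bot: The single-line `run: pip-audit --strict --desc on` drops the whole comment, so nothing in this step records that the audited environment includes pip itself (the removed lines say the runner's pre-installed pip was what got flagged) or that the `"pip>=26.1.1"` floor in the install step is what keeps this audit clean. Suggested comment above the run line: `# Audits the full environment, pip included; the "pip>=26.1.1" floor in the install step must stay in place.` The removed comment also established a useful convention for exceptions — CVE id, affected version, date and a removal condition — which is worth keeping as a one-line note so the next `--ignore-vuln` does not arrive bare. Separately, the ci.yml counterpart (@@ -433) wraps the same call in `|| (echo "::error::…" && exit 1)` while this one does not; aligning the two would make failures surface the same way in both workflows.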