From 258985d5797717acfbd16419c238b64da4c78e28 Mon Sep 17 00:00:00 2001
From: Paul Calnon
Date: Tue, 5 May 2026 19:47:48 -0500
Subject: [PATCH] ci: bump pip to >=26.1.1, drop CVE-2026-3219 ignore workaround
pip 26.1.1 is now released and no longer flagged for CVE-2026-3219 (concatenated tar/ZIP confusion). Verified locally with pip-audit against pip 26.1.1: no known vulnerabilities.
Changes:
- All `pip install --upgrade pip` calls now require >=26.1.1, guarding against runner images that ship an older vulnerable pip.
- Removed `--ignore-vuln CVE-2026-3219` from `ci.yml` (security job) and `security-scan.yml`, plus the explanatory comment blocks.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/ci.yml | 16 +++++++---------
 .github/workflows/scheduled-tests.yml | 2 +-
 .github/workflows/security-scan.yml | 9 ++-------
 3 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0992475..53d7876 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -75,7 +75,7 @@ jobs:
 - name: Install pre-commit
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install pre-commit
 - name: Cache pre-commit hooks
@@ -149,7 +149,7 @@ jobs:
 - name: Install dependencies
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install -e ".[test]"
 - name: Create required directories
@@ -226,7 +226,7 @@ jobs:
 - name: Install dependencies
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install -e ".[test]"
 - name: Create required directories
@@ -285,7 +285,7 @@ jobs:
 - name: Install build tools
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install build twine
 - name: Build sdist and wheel 
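Review bot: The new `python -m pip install --upgrade "pip>=26.1.1"` line is itself executed by whatever pip the runner image ships, so the floor protects only the commands that follow it in the same `run: |` block, and the workflow now carries the version number without the reason the commit message gives for it; a one-line comment above it would keep that reason next to the number, e.g. `# Floor, not a pin: runner images may ship a pip still affected by CVE-2026-3219.` The same line appears in the @@ -149, @@ -226, @@ -285, @@ -336 and @@ -391 hunks of ci.yml, in scheduled-tests.yml @@ -55 and in security-scan.yml @@ -21, so the comment (or a shared composite step) applies to all of them. Because the specifier is only a lower bound, every run resolves to the newest pip on the index at that moment, which is fine for a security floor but means the bootstrap is not reproducible across days; a bounded or exactly pinned specifier would be the tighter form if the project pins its other tooling. The step belongs to a job whose definition starts outside the hunk.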
@@ -336,7 +336,7 @@ jobs:
 - name: Install project dependencies
 shell: bash -l {0}
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install -e ".[test]"
 - name: Generate Dependency Documentation
@@ -391,7 +391,7 @@ jobs:
 - name: Install security tools
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 # ``[sarif]`` extra installs the optional SARIF formatter (jschema-to-python).
 pip install "bandit[sarif]" pip-audit
@@ -433,9 +433,7 @@ jobs:
 echo "╚════════════════════════════════════════════════════════════╝"
 pip install -e ".[test]"
 pip freeze | grep -ivE "^juniper[-_]data[-_]client" > reports/security/requirements.txt
- # --ignore-vuln CVE-2026-3219: pip 26.0.1 on the runner image
- # has no fix available as of 2026-04-29.
- pip-audit -r reports/security/requirements.txt --strict --desc on --ignore-vuln CVE-2026-3219 \
+ pip-audit -r reports/security/requirements.txt --strict --desc on \
 || (echo "::error::Critical/High vulnerabilities found in dependencies" && exit 1)
 - name: Upload Security Reports
diff --git a/.github/workflows/scheduled-tests.yml b/.github/workflows/scheduled-tests.yml
index 2071111..73cb471 100644
--- a/.github/workflows/scheduled-tests.yml
+++ b/.github/workflows/scheduled-tests.yml
@@ -55,7 +55,7 @@ jobs:
 - name: Install dependencies
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install -e ".[test]" || pip install -e ".[dev]" || pip install -e .
 - name: Run slow / integration tests
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 5937344..8bb36b6 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Install dependencies
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade "pip>=26.1.1"
 pip install "bandit[sarif]" pip-audit
 pip install -e ".[dev]" 
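Review bot: The new `pip-audit -r reports/security/requirements.txt --strict --desc on \` line in the @@ -433 hunk audits a file written by `pip freeze`, which omits pip itself unless `--all` is given, so unless pip-audit re-adds pip while resolving `-r` this job never checks the package the commit is about and the `>=26.1.1` floor in the `Install security tools` step is its only guard; `pip freeze --all` on the preceding line would make that coverage explicit. The `|| (echo "::error::Critical/High vulnerabilities found in dependencies" && exit 1)` context line still announces only Critical/High, while pip-audit exits non-zero on any reported vulnerability (and, with `--strict`, on any skipped distribution), so the message understates what fails the step. The `run: |` block holding these lines starts outside the hunk.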
@@ -34,12 +34,7 @@ jobs:
 bandit -r juniper_data_client --confidence-level medium --severity-level medium
 - name: Run pip-audit (Dependency Vulnerabilities)
- # --ignore-vuln CVE-2026-3219: pip 26.0.1 (pre-installed on the
- # GitHub Actions runner image) is flagged for the concatenated
- # tar/ZIP confusion issue. As of 2026-04-29 there is no fixed
- # pip release. Re-evaluate and remove this flag when pip
- # publishes a fix.
- run: pip-audit --strict --desc on --ignore-vuln CVE-2026-3219
+ run: pip-audit --strict --desc on
 - name: Upload Security Reports
 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
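Review bot: With the explanatory comment gone, the remaining `run: pip-audit --strict --desc on` no longer records why it is expected to stay clean, and nothing else in this file ties the audit to the pip floor added in the @@ -21 hunk; a short replacement comment keeps that link, e.g. `# Audits the installed environment, pip included; the pip>=26.1.1 floor in 'Install dependencies' keeps CVE-2026-3219 out of this report.` Stating it here also gives the next maintainer a reason not to reintroduce `--ignore-vuln` if the runner image regresses or the upgrade step is skipped. The hunk shows the step in full, but the enclosing job starts outside it.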