chore: improve ci config (#10612)

wmontwe · web-flow · commit 0e9adf41e039 · 2026-03-03T08:50:44.000Z
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -26,3 +26,15 @@ updates:
     commit-message:
       prefix: chore
       include: scope
+  - package-ecosystem: pip
+    open-pull-requests-limit: 10
+    directories:
+      - "/scripts/*"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "type: dependency"
+      - "type: pip"
+    commit-message:
+      prefix: chore
+      include: scope
diff --git a/.github/workflows/build-scripts.yml b/.github/workflows/build-scripts.yml
@@ -0,0 +1,37 @@
+---
+name: Build - Scripts
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'scripts/**'
+      - '.github/workflows/build-scripts.yml'
+  pull_request:
+    paths:
+      - 'scripts/**'
+      - '.github/workflows/build-scripts.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build-scripts:
+    name: Build scripts
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 1
+
+      - name: Setup Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # @v6.2.0
+        with:
+          python-version: '3.14'
+
+      - name: Run Python script tests
+        run: bash scripts/test_python_scripts.sh
diff --git a/.github/workflows/pr-auto-assign-reviewer.yml b/.github/workflows/pr-auto-assign-reviewer.yml
@@ -7,6 +7,9 @@ on:
   pull_request_target:
     types: [review_requested]
 
+permissions:
+  contents: none
+
 jobs:
   pr-auto-assign-reviewer:
     permissions:
diff --git a/.github/workflows/pr-dependabot-dependency-guard-update.yml b/.github/workflows/pr-dependabot-dependency-guard-update.yml
@@ -22,12 +22,10 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
   pr-update-dependency-guard:
-    permissions:
-      contents: write
     if: github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == 'thunderbird/thunderbird-android'
     runs-on: ubuntu-latest
     environment: botmobile
diff --git a/.github/workflows/pr-label-tb-team.yml b/.github/workflows/pr-label-tb-team.yml
@@ -7,6 +7,9 @@ on:
   pull_request_target:
     types: [opened, reopened]
 
+permissions:
+  contents: none
+
 jobs:
   label-tb-team:
     permissions:
diff --git a/.github/workflows/pr-opened.yml b/.github/workflows/pr-opened.yml
@@ -8,6 +8,9 @@ on:
     branches: [beta, release]
     types: [opened]
 
+permissions:
+  contents: none
+
 jobs:
   pr-opened:
     permissions:
diff --git a/.github/workflows/security-scorecard.yml b/.github/workflows/security-scorecard.yml
@@ -2,19 +2,14 @@
 name: Security - Scorecard
 
 on:
-  # For Branch-Protection check. Only the default branch is supported. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   branch_protection_rule:
-  # To guarantee Maintained check is occasionally updated. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
     - cron: '19 22 * * 3'
   push:
     branches: [ "main" ]
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   security-scorecard:
@@ -37,14 +32,6 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
           publish_results: true
 
       # Upload the results as artifacts.
diff --git a/mise.toml b/mise.toml
@@ -0,0 +1,3 @@
+[tools]
+java = "temurin-21"
+python = "3.14"
diff --git a/scripts/README.md b/scripts/README.md
@@ -6,10 +6,10 @@ Various scripts for CI/CD, release automation, and development tasks.
 
 ### Setup
 
-Install dependencies (all pinned and CVE-free):
+Install direct dependencies (hashed, no transitive deps):
 
 ```bash
-pip install -r requirements.txt
+python3 -m pip install -r scripts/requirements.txt
 ```
 
 ### Available Scripts
@@ -29,7 +29,7 @@ It's recommended to use a virtual environment:
 ```bash
 python3 -m venv venv
 source venv/bin/activate  # On macOS/Linux
-pip install -r requirements.txt
+python3 -m pip install -r scripts/requirements.txt
 ```
 
 To deactivate: `deactivate`
@@ -39,7 +39,7 @@ To deactivate: `deactivate`
 To verify everything works:
 
 ```bash
-./test_python_scripts.sh
+./scripts/test_python_scripts.sh
 ```
 
 This creates a temporary environment, installs dependencies, runs tests, and cleans up automatically.
diff --git a/scripts/requirements.txt b/scripts/requirements.txt
@@ -1,7 +1,7 @@
 # Python dependencies for scripts in this directory
 # Install with: pip install -r requirements.txt
 
-# Direct dependencies - all pinned and CVE-free
+# Direct dependencies - all pinned by version and hash
 
 # Required by: scripts/ci/setup_release_automation
 # Cryptography library for GitHub secret encryption
diff --git a/scripts/test_python_scripts.sh b/scripts/test_python_scripts.sh
@@ -5,7 +5,25 @@
 set -e
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+# Cleanup function
+cleanup() {
+    if [ -n "$VENV_DIR" ] && [ -d "$VENV_DIR" ]; then
+        deactivate 2>/dev/null || true
+        rm -rf "$VENV_DIR"
+    fi
+}
+
+# Print guidance when dependency installs fail under --require-hashes.
+on_install_error() {
+    echo ""
+    echo "Dependency install failed. See scripts/README.md for updating requirements.txt hashes."
+}
+
+# Ensure cleanup happens on exit
+trap cleanup EXIT
+# Print instructions if a command fails (e.g., missing hashes).
+trap on_install_error ERR
 
 echo "Python Scripts Test"
 echo "==================="
@@ -26,7 +44,6 @@ source "$VENV_DIR/bin/activate"
 
 # Install dependencies
 echo "Installing dependencies..."
-pip install --quiet --upgrade pip
 pip install --quiet -r "$SCRIPT_DIR/requirements.txt"
 echo "✓ Dependencies installed"
 echo ""
@@ -38,17 +55,5 @@ python3 -m py_compile "$SCRIPT_DIR/ci/render-notes.py" && echo "  ✓ render-not
 python3 -m py_compile "$SCRIPT_DIR/ci/setup_release_automation" && echo "  ✓ setup_release_automation"
 python3 -m py_compile "$SCRIPT_DIR/ci/merges/merge_gradle.py" && echo "  ✓ merge_gradle.py"
 
-TEST_RESULT=$?
 echo ""
-
-# Clean up
-deactivate
-rm -rf "$VENV_DIR"
-
-if [ $TEST_RESULT -eq 0 ]; then
-    echo "✓ All tests passed!"
-    exit 0
-else
-    echo "✗ Some tests failed"
-    exit 1
-fi
+echo "✓ All tests passed!"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+[tools]`
	`2`	`+java = "temurin-21"`
	`3`	`+python = "3.14"`