Skip to content

fix: Recreate SnmpEngine after each call. #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
abaczek merged 2 commits into from
Jan 8, 2026
Merged

fix: Recreate SnmpEngine after each call. #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3bfc067
ci: CI update.
mchromin Jan 2, 2026
454c90b
fix: Recreate SnmpEngine after each call.
mchromin Jan 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
23 changes: 23 additions & 0 deletions .github/dependency_review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
fail-on-severity: 'low'
allow-licenses:
- 'BSD-2-Clause'
- 'BSD-3-Clause'
- 'BSD-3-Clause-Clear'
- 'BSD-2-Clause-Views'
- 'MIT'
- 'Apache-2.0'
- 'ISC'
- 'BlueOak-1.0.0'
- '0BSD'
- 'Python-2.0'
- 'LGPL-3.0'
- 'MPL-2.0'
fail-on-scopes:
- 'runtime'
- 'development'
- 'unknown'
license-check: true
vulnerability-check: true
allow-dependencies-licenses:
- 'pkg:pypi/PyGithub@2.2.0'
- 'pkg:pypi/psycopg2-binary'
205 changes: 0 additions & 205 deletions .github/workflows/build_upload_whl.yml
View file
Open in desktop

This file was deleted.

17 changes: 17 additions & 0 deletions .github/workflows/check_code_standard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
name: Check Code Standard

on:
pull_request:
types: [opened, synchronize]

jobs:
run_check_standard:
strategy:
fail-fast: false
matrix:
python_version: ['3.10', '3.13']
uses: intel/mfd/.github/workflows/check_code_standard.yml@main
with:
REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
BRANCH_NAME: ${{ github.head_ref }}
PYTHON_VERSION: ${{ matrix.python_version }}
Comment on lines +9 to +17

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

In general, the fix is to explicitly declare a permissions: block in the workflow, restricting the GITHUB_TOKEN to the minimum privileges needed. Since this workflow only runs on pull_request and delegates to a reusable workflow that presumably reads code and PR metadata, a safe and minimal set is to grant contents: read and pull-requests: read. This prevents unintended write access by default while still allowing the workflow to inspect the repository contents and pull request information.

The best way to fix this specific file without changing existing functionality is to add a top‑level permissions: section (applies to all jobs) just after the on: block and before jobs:. This will ensure all jobs in this workflow, including run_check_standard, run with a read‑only token appropriate for checks. No imports or additional methods are needed, as this is purely a YAML configuration change in .github/workflows/check_code_standard.yml.

Concretely:

  • Edit .github/workflows/check_code_standard.yml.
  • Insert a new permissions: block at the root level (same indentation as on: and jobs:).
  • Set:
    • contents: read
    • pull-requests: read
Suggested changeset 1
.github/workflows/check_code_standard.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check_code_standard.yml b/.github/workflows/check_code_standard.yml
--- a/.github/workflows/check_code_standard.yml
+++ b/.github/workflows/check_code_standard.yml
@@ -4,6 +4,10 @@
   pull_request:
     types: [opened, synchronize]
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   run_check_standard:
     strategy:
EOF
@@ -4,6 +4,10 @@
pull_request:
types: [opened, synchronize]

permissions:
contents: read
pull-requests: read

jobs:
run_check_standard:
strategy:
Copilot is powered by AI and may make mistakes. Always verify output.
12 changes: 12 additions & 0 deletions .github/workflows/check_pr_format.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
name: Title + Commit Validation

on:
pull_request:
types: [opened, synchronize]

jobs:
validate_pr_format:
uses: intel/mfd/.github/workflows/check_pr_format.yml@main
with:
REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
BRANCH_NAME: ${{ github.head_ref }}
Comment on lines +9 to +12

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

In general, this should be fixed by explicitly setting the GITHUB_TOKEN permissions for the workflow or for the specific job to the minimum required. Since the snippet only shows a job that calls a reusable workflow and we cannot see internals of the called workflow, the safest non-breaking change within this file is to add a conservative permissions block at the job level that grants contents: read only. This preserves the ability to read repository data (which most checks require) while avoiding unnecessary write permissions.

Concretely, in .github/workflows/check_pr_format.yml, under the validate_pr_format: job definition (line 8), add a permissions: section indented to match the job keys, e.g. between the validate_pr_format: line and the uses: line. The block should set contents: read. No imports or other files are involved since this is a YAML workflow file. This change limits the job’s GITHUB_TOKEN to read-only repository contents access unless the called reusable workflow further restricts it.

Suggested changeset 1
.github/workflows/check_pr_format.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check_pr_format.yml b/.github/workflows/check_pr_format.yml
--- a/.github/workflows/check_pr_format.yml
+++ b/.github/workflows/check_pr_format.yml
@@ -6,6 +6,8 @@
 
 jobs:
   validate_pr_format:
+    permissions:
+      contents: read
     uses: intel/mfd/.github/workflows/check_pr_format.yml@main
     with:
       REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
EOF
@@ -6,6 +6,8 @@

jobs:
validate_pr_format:
permissions:
contents: read
uses: intel/mfd/.github/workflows/check_pr_format.yml@main
with:
REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
Copilot is powered by AI and may make mistakes. Always verify output.
93 changes: 6 additions & 87 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,4 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL Advanced"
name: CodeQL Advanced

on:
pull_request:
Expand All @@ -18,81 +7,11 @@ on:
branches: [ "main" ]

jobs:
analyze:
name: Analyze (${{ matrix.language }})
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners (GitHub.com only)
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
permissions:
# required for all workflows
security-events: write

# required to fetch internal or private CodeQL packs
packages: read

# only required for workflows in private repositories
actions: read
contents: read

codeql_analysis:
strategy:
fail-fast: false
matrix:
include:
- language: actions
build-mode: none
- language: python
build-mode: none
# CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
# Use `c-cpp` to analyze code written in C, C++ or both
# Use 'java-kotlin' to analyze code written in Java, Kotlin or both
# Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4

# Add any setup steps before running the `github/codeql-action/init` action.
# This includes steps like installing compilers or runtimes (`actions/setup-node`
# or others). This is typically only required for manual builds.
# - name: Setup runtime (example)
# uses: actions/setup-example@v1

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality

# If the analyze step fails for one of the languages you are analyzing with
# "We were unable to automatically build your code", modify the matrix above
# to set the build mode to "manual" for that language. Then modify this step
# to build your code.
# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
language: ['actions', 'python']
uses: intel/mfd/.github/workflows/codeql.yml@main
with:
LANGUAGE: ${{ matrix.language }}
9 changes: 9 additions & 0 deletions .github/workflows/dependency_review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
name: Dependency Review

on:
pull_request:
types: [opened, synchronize]

jobs:
dependency_review:
uses: intel/mfd/.github/workflows/dependency_review.yml@main

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

To fix the problem, explicitly define a permissions block that grants only the minimal privileges needed by this workflow. Since this workflow’s only job is to call a reusable workflow for dependency review, and we do not see it performing any writes itself, a conservative and generally safe default is permissions: contents: read at the workflow level. This limits the GITHUB_TOKEN to read-only access to repository contents, which is sufficient for dependency scanning in most setups.

Concretely, in .github/workflows/dependency_review.yml, add a permissions section near the top-level of the workflow, alongside name and on. Insert it after the name line and before the on block (or anywhere at the root level) so that it applies to all jobs, including dependency_review. No new imports or external dependencies are required; we only change the YAML to include:

permissions:
  contents: read

This change preserves existing functionality while constraining the default token permissions used by the reusable workflow.

Suggested changeset 1
.github/workflows/dependency_review.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
--- a/.github/workflows/dependency_review.yml
+++ b/.github/workflows/dependency_review.yml
@@ -1,5 +1,8 @@
 name: Dependency Review
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: [opened, synchronize]
EOF
@@ -1,5 +1,8 @@
name: Dependency Review

permissions:
contents: read

on:
pull_request:
types: [opened, synchronize]
Copilot is powered by AI and may make mistakes. Always verify output.
Loading
Loading