25441711719

Committed 06 May 2026 02:31PM UTC coverage: 92.915%. Remained the same

Build # 25441711719

Build Type

push

github

Committed by

web-flow

Commit Message

use sha pin (with comment) format for generated actions (#23312)

Per the GitHub Action best practices we recently enabled at #23249, we
should pin each action to a SHA so that the reference is actually
immutable.

This will -- I hope -- knock out a large chunk of the 421 alerts we
currently get from zizmor. The next followup would then be upgrades and
harmonizing the generated and none-generated pins.

Notice: This idea was suggested by Claude while going over pinact output
and I was surprised to see that post processing the yaml wasn't too
gross.

Coverage Stats

92206 of 99237 relevant lines covered (92.91%)

4.04 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

95.0

/src/python/pants/backend/python/lint/pyupgrade/rules.py

# Copyright 2021 Pants project contributors (see CONTRIBUTORS.md).
# Licensed under the Apache License, Version 2.0 (see LICENSE).
from __future__ import annotations

import logging
from dataclasses import dataclass

from pants.backend.python.lint.pyupgrade.skip_field import SkipPyUpgradeField
from pants.backend.python.lint.pyupgrade.subsystem import PyUpgrade
from pants.backend.python.target_types import PythonSourceField
from pants.backend.python.util_rules import pex
from pants.backend.python.util_rules.pex import VenvPexProcess, create_venv_pex
from pants.core.goals.fix import FixResult, FixTargetsRequest
from pants.core.util_rules.partitions import PartitionerType
from pants.engine.intrinsics import execute_process
from pants.engine.rules import collect_rules, implicitly, rule
from pants.engine.target import FieldSet, Target
from pants.util.logging import LogLevel
from pants.util.strutil import pluralize, softwrap

logger = logging.getLogger(__name__)


@dataclass(frozen=True)
class PyUpgradeFieldSet(FieldSet):
    required_fields = (PythonSourceField,)

    source: PythonSourceField

    @classmethod
    def opt_out(cls, tgt: Target) -> bool:
        return tgt.get(SkipPyUpgradeField).value


class PyUpgradeRequest(FixTargetsRequest):
    field_set_type = PyUpgradeFieldSet
    tool_subsystem = PyUpgrade  # type: ignore[assignment]
    partitioner_type = PartitionerType.DEFAULT_SINGLE_PARTITION


@rule(desc="Fix with pyupgrade", level=LogLevel.DEBUG)
async def pyupgrade_fix(request: PyUpgradeRequest.Batch, pyupgrade: PyUpgrade) -> FixResult:
    pyupgrade_pex = await create_venv_pex(**implicitly(pyupgrade.to_pex_request()))

    # NB: Pyupgrade isn't idempotent, but eventually converges. So keep running until it stops
    # changing code. See https://github.com/asottile/pyupgrade/issues/703
    # (Technically we could not do this. It doesn't break Pants since the next run on the CLI would
    # use the new file with the new digest. However that isn't the UX we want for our users.)
    input_digest = request.snapshot.digest
    for _ in range(10):  # Give the loop an upper bound to guard against infinite runs
        result = await execute_process(
            **implicitly(
                VenvPexProcess(
                    pyupgrade_pex,
                    argv=(*pyupgrade.args, *request.files),
                    input_digest=input_digest,
                    output_files=request.files,
                    description=f"Run pyupgrade on {pluralize(len(request.files), 'file')}.",
                    level=LogLevel.DEBUG,
                )
            )
        )
        if input_digest == result.output_digest:
            # Nothing changed, either due to failure or because it is fixed
            break
        input_digest = result.output_digest
    else:
        logger.error(
            softwrap(
                """
                Pants ran Pyupgrade continuously on the code 10 times and it changed all 10.

                Pyupgrade is not idempotent, but should eventually converge. This is either a bug in
                Pyupgrade, or Pyupgrade is still trying to converge on fixed code.
                """
            )
        )

    return await FixResult.create(request, result)


def rules():
    return (
        *collect_rules(),
        *PyUpgradeRequest.rules(),
        *pex.rules(),
    )

1	# Copyright 2021 Pants project contributors (see CONTRIBUTORS.md).
2	# Licensed under the Apache License, Version 2.0 (see LICENSE).
3	from __future__ import annotations	3✔
4
5	import logging	3✔
6	from dataclasses import dataclass	3✔
7
8	from pants.backend.python.lint.pyupgrade.skip_field import SkipPyUpgradeField	3✔
9	from pants.backend.python.lint.pyupgrade.subsystem import PyUpgrade	3✔
10	from pants.backend.python.target_types import PythonSourceField	3✔
11	from pants.backend.python.util_rules import pex	3✔
12	from pants.backend.python.util_rules.pex import VenvPexProcess, create_venv_pex	3✔
13	from pants.core.goals.fix import FixResult, FixTargetsRequest	3✔
14	from pants.core.util_rules.partitions import PartitionerType	3✔
15	from pants.engine.intrinsics import execute_process	3✔
16	from pants.engine.rules import collect_rules, implicitly, rule	3✔
17	from pants.engine.target import FieldSet, Target	3✔
18	from pants.util.logging import LogLevel	3✔
19	from pants.util.strutil import pluralize, softwrap	3✔
20
21	logger = logging.getLogger(__name__)	3✔
22
23
24	@dataclass(frozen=True)	3✔
25	class PyUpgradeFieldSet(FieldSet):	3✔
26	required_fields = (PythonSourceField,)	3✔
27
28	source: PythonSourceField	3✔
29
30	@classmethod	3✔
31	def opt_out(cls, tgt: Target) -> bool:	3✔
32	return tgt.get(SkipPyUpgradeField).value	×
33
34
35	class PyUpgradeRequest(FixTargetsRequest):	3✔
36	field_set_type = PyUpgradeFieldSet	3✔
37	tool_subsystem = PyUpgrade # type: ignore[assignment]	3✔
38	partitioner_type = PartitionerType.DEFAULT_SINGLE_PARTITION	3✔
39
40
41	@rule(desc="Fix with pyupgrade", level=LogLevel.DEBUG)	3✔
42	async def pyupgrade_fix(request: PyUpgradeRequest.Batch, pyupgrade: PyUpgrade) -> FixResult:	3✔
43	pyupgrade_pex = await create_venv_pex(**implicitly(pyupgrade.to_pex_request()))	3✔
44
45	# NB: Pyupgrade isn't idempotent, but eventually converges. So keep running until it stops
46	# changing code. See https://github.com/asottile/pyupgrade/issues/703
47	# (Technically we could not do this. It doesn't break Pants since the next run on the CLI would
48	# use the new file with the new digest. However that isn't the UX we want for our users.)
49	input_digest = request.snapshot.digest	3✔
50	for _ in range(10): # Give the loop an upper bound to guard against infinite runs	3✔
51	result = await execute_process(	3✔
52	**implicitly(
53	VenvPexProcess(
54	pyupgrade_pex,
55	argv=(pyupgrade.args, request.files),
56	input_digest=input_digest,
57	output_files=request.files,
58	description=f"Run pyupgrade on {pluralize(len(request.files), 'file')}.",
59	level=LogLevel.DEBUG,
60	)
61	)
62	)
63	if input_digest == result.output_digest:	3✔
64	# Nothing changed, either due to failure or because it is fixed
65	break	3✔
66	input_digest = result.output_digest	1✔
67	else:
68	logger.error(	×
69	softwrap(
70	"""
71	Pants ran Pyupgrade continuously on the code 10 times and it changed all 10.
72
73	Pyupgrade is not idempotent, but should eventually converge. This is either a bug in
74	Pyupgrade, or Pyupgrade is still trying to converge on fixed code.
75	"""
76	)
77	)
78
79	return await FixResult.create(request, result)	3✔
80
81
82	def rules():	3✔
83	return (	3✔
84	*collect_rules(),
85	*PyUpgradeRequest.rules(),
86	*pex.rules(),
87	)

pantsbuild / pants / 25441711719

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous