Sync pre-commit, workflow bandit versions (manually) (NVIDIA#913)

rwgk · web-flow · commit fa07cf58ef5c · 2025-09-03T14:27:51.000-04:00
* sync pre-commit, workflow bandit versions (manually) * Move `KEEP IN SYNC` comment on `rev` line, to make it more likely that it does not get overlooked after running `pre-commit autoupdate --freeze` * Undo change in .github/dependabot.yml (see NVIDIA#913 (comment))
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
@@ -20,4 +20,9 @@ jobs:
       security-events: write
     steps:
       - name: Perform Bandit Analysis
-        uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de
+        # KEEP IN SYNC WITH bandit rev in .pre-commit-config.yaml
+        # Current runner uses Python 3.8, so the action installs bandit==1.7.10
+        # via `pip install bandit[sarif]`. If runner Python moves to >=3.9,
+        # the action will resolve to 1.8.x and you'll need to bump pre-commit.
+        # (Bandit >=1.8.0 dropped Python 3.8 via Requires-Python metadata.)
+        uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de  # v1.0.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -9,7 +9,6 @@ ci:
     autoupdate_branch: ''
     autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
     autoupdate_schedule: quarterly
-    skip: [bandit]
     submodules: false
 
 # Please update the rev: SHAs below with this command:
@@ -66,7 +65,7 @@ repos:
     - id: rst-inline-touching-normal
 
   - repo: https://github.com/PyCQA/bandit
-    rev: 2d0b675b04c80ae42277e10500db06a0a37bae17  # frozen: 1.8.6
+    rev: "36fd65054fc8864b4037d0918904f9331512feb5"  # frozen: 1.7.10 KEEP IN SYNC WITH .github/workflows/bandit.yml
     hooks:
       - id: bandit
         args:
