From 370bd03a693c99b6a33ce2f5cd3b51b82553c204 Mon Sep 17 00:00:00 2001 From: Taylor Wilsdon Date: Tue, 17 Mar 2026 08:28:00 -0400 Subject: [PATCH] permissions for git workflows --- .github/workflows/check-maintainer-edits.yml | 4 +++ .github/workflows/docker-publish.yml | 2 ++ .github/workflows/publish-mcp-registry.yml | 2 ++ core/server.py | 6 ++-- pyproject.toml | 4 +-- tests/gchat/test_chat_tools.py | 10 +++++-- uv.lock | 30 +++----------------- 7 files changed, 24 insertions(+), 34 deletions(-) diff --git a/.github/workflows/check-maintainer-edits.yml b/.github/workflows/check-maintainer-edits.yml index 80bd76f..525c530 100644 --- a/.github/workflows/check-maintainer-edits.yml +++ b/.github/workflows/check-maintainer-edits.yml @@ -4,6 +4,10 @@ on: pull_request: types: [opened, synchronize, reopened, edited] +permissions: + pull-requests: read + issues: write + jobs: check-maintainer-edits: runs-on: ubuntu-latest diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 4a3a2d8..b457075 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -11,6 +11,8 @@ on: - main workflow_dispatch: +permissions: {} + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} diff --git a/.github/workflows/publish-mcp-registry.yml b/.github/workflows/publish-mcp-registry.yml index 22970cf..c70f5d2 100644 --- a/.github/workflows/publish-mcp-registry.yml +++ b/.github/workflows/publish-mcp-registry.yml @@ -6,6 +6,8 @@ on: - "v*" workflow_dispatch: +permissions: {} + jobs: publish: runs-on: ubuntu-latest diff --git a/core/server.py b/core/server.py index 861fa69..69f970e 100644 --- a/core/server.py +++ b/core/server.py @@ -348,7 +348,7 @@ def configure_server_for_http(): ) elif use_disk: try: - from key_value.aio.stores.disk import DiskStore + from key_value.aio.stores.filetree import FileTreeStore disk_directory = os.getenv( "WORKSPACE_MCP_OAUTH_PROXY_DISK_DIRECTORY", "" @@ -363,7 +363,7 @@ def configure_server_for_http(): "~/.fastmcp/oauth-proxy" ) - client_storage = DiskStore(directory=disk_directory) + client_storage = FileTreeStore(data_directory=disk_directory) jwt_signing_key = validate_and_derive_jwt_key( jwt_signing_key_override, config.client_secret @@ -379,7 +379,7 @@ def configure_server_for_http(): fernet=Fernet(key=storage_encryption_key), ) logger.info( - "OAuth 2.1: Using DiskStore for FastMCP OAuth proxy client_storage (directory=%s)", + "OAuth 2.1: Using FileTreeStore for FastMCP OAuth proxy client_storage (directory=%s)", disk_directory, ) except ImportError as exc: diff --git a/pyproject.toml b/pyproject.toml index 38ac034..88bc702 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -59,7 +59,7 @@ workspace-mcp = "main:main" [project.optional-dependencies] disk = [ - "py-key-value-aio[disk]>=0.3.0", + "py-key-value-aio[filetree]>=0.3.0", ] valkey = [ "py-key-value-aio[valkey]>=0.3.0", @@ -84,7 +84,7 @@ dev = [ [dependency-groups] disk = [ - "py-key-value-aio[disk]>=0.3.0", + "py-key-value-aio[filetree]>=0.3.0", ] valkey = [ "py-key-value-aio[valkey]>=0.3.0", diff --git a/tests/gchat/test_chat_tools.py b/tests/gchat/test_chat_tools.py index 1fb4dc1..232b146 100644 --- a/tests/gchat/test_chat_tools.py +++ b/tests/gchat/test_chat_tools.py @@ -3,6 +3,8 @@ Unit tests for Google Chat MCP tools — attachment support """ import base64 +from urllib.parse import urlparse + import pytest from unittest.mock import AsyncMock, Mock, patch import sys @@ -271,10 +273,12 @@ async def test_download_uses_api_media_endpoint(): # Verify we used the API endpoint with attachmentDataRef.resourceName call_args = mock_client.get.call_args url_used = call_args.args[0] - assert "chat.googleapis.com" in url_used + parsed = urlparse(url_used) + assert parsed.scheme == "https" + assert parsed.hostname == "chat.googleapis.com" assert "alt=media" in url_used - assert "spaces/S/attachments/A" in url_used - assert "/messages/" not in url_used + assert "spaces/S/attachments/A" in parsed.path + assert "/messages/" not in parsed.path # Verify Bearer token assert call_args.kwargs["headers"]["Authorization"] == "Bearer fake-access-token" diff --git a/uv.lock b/uv.lock index c36b624..a14289c 100644 --- a/uv.lock +++ b/uv.lock @@ -423,15 +423,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/07/6c/aa3f2f849e01cb6a001cd8554a88d4c77c5c1a31c95bdf1cf9301e6d9ef4/defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61", size = 25604 }, ] -[[package]] -name = "diskcache" -version = "5.6.3" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/3f/21/1c1ffc1a039ddcc459db43cc108658f32c57d271d7289a2794e401d0fdb6/diskcache-5.6.3.tar.gz", hash = "sha256:2c3a3fa2743d8535d832ec61c2054a1641f41775aa7c556758a109941e33e4fc", size = 67916 } -wheels = [ - { url = "https://files.pythonhosted.org/packages/3f/27/4570e78fc0bf5ea0ca45eb1de3818a23787af9b390c0b0a0033a1b8236f9/diskcache-5.6.3-py3-none-any.whl", hash = "sha256:5e31b2d5fbad117cc363ebaf6b689474db18a1f6438bc82358b024abd4c2ca19", size = 45550 }, -] - [[package]] name = "dnspython" version = "2.8.0" @@ -970,15 +961,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/7d/eb/b6260b31b1a96386c0a880edebe26f89669098acea8e0318bff6adb378fd/pathable-0.4.4-py3-none-any.whl", hash = "sha256:5ae9e94793b6ef5a4cbe0a7ce9dbbefc1eec38df253763fd0aeeacf2762dbbc2", size = 9592 }, ] -[[package]] -name = "pathvalidate" -version = "3.3.1" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/fa/2a/52a8da6fe965dea6192eb716b357558e103aea0a1e9a8352ad575a8406ca/pathvalidate-3.3.1.tar.gz", hash = "sha256:b18c07212bfead624345bb8e1d6141cdcf15a39736994ea0b94035ad2b1ba177", size = 63262 } -wheels = [ - { url = "https://files.pythonhosted.org/packages/9a/70/875f4a23bfc4731703a5835487d0d2fb999031bd415e7d17c0ae615c18b7/pathvalidate-3.3.1-py3-none-any.whl", hash = "sha256:5263baab691f8e1af96092fa5137ee17df5bdfbd6cff1fcac4d6ef4bc2e1735f", size = 24305 }, -] - [[package]] name = "platformdirs" version = "4.5.1" @@ -1038,10 +1020,6 @@ wheels = [ ] [package.optional-dependencies] -disk = [ - { name = "diskcache" }, - { name = "pathvalidate" }, -] filetree = [ { name = "aiofile" }, { name = "anyio" }, @@ -2116,7 +2094,7 @@ dev = [ { name = "twine" }, ] disk = [ - { name = "py-key-value-aio", extra = ["disk"] }, + { name = "py-key-value-aio", extra = ["filetree"] }, ] release = [ { name = "tomlkit" }, @@ -2141,7 +2119,7 @@ dev = [ { name = "twine" }, ] disk = [ - { name = "py-key-value-aio", extra = ["disk"] }, + { name = "py-key-value-aio", extra = ["filetree"] }, ] release = [ { name = "tomlkit" }, @@ -2167,7 +2145,7 @@ requires-dist = [ { name = "google-auth-oauthlib", specifier = ">=1.2.2" }, { name = "httpx", specifier = ">=0.28.1" }, { name = "py-key-value-aio", specifier = ">=0.3.0" }, - { name = "py-key-value-aio", extras = ["disk"], marker = "extra == 'disk'", specifier = ">=0.3.0" }, + { name = "py-key-value-aio", extras = ["filetree"], marker = "extra == 'disk'", specifier = ">=0.3.0" }, { name = "py-key-value-aio", extras = ["valkey"], marker = "extra == 'valkey'", specifier = ">=0.3.0" }, { name = "pyjwt", specifier = ">=2.12.0" }, { name = "pytest", marker = "extra == 'dev'", specifier = ">=8.3.0" }, @@ -2195,7 +2173,7 @@ dev = [ { name = "tomlkit", specifier = ">=0.13.3" }, { name = "twine", specifier = ">=5.0.0" }, ] -disk = [{ name = "py-key-value-aio", extras = ["disk"], specifier = ">=0.3.0" }] +disk = [{ name = "py-key-value-aio", extras = ["filetree"], specifier = ">=0.3.0" }] release = [ { name = "tomlkit", specifier = ">=0.13.3" }, { name = "twine", specifier = ">=5.0.0" },