Document thought on bandit on .template files

See #175
2025-12-30 18:00:17 -06:00 · 2025-07-30 22:38:48 +02:00
parent 48cf7e8e90
commit 05fcfbe359
1 changed files with 3 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -62,6 +62,9 @@ jobs:
          # set +o pipefail disables GH's default "fail the whole pipeline if any stage fails"
          set +e +o pipefail

+          # Note: .py files only; at the time of writing I checked the conf_templates/*.template
+          # also; but they had 2 False positives only (SECRET_KEY lives there by design) and I
+          # don't want to pollute templates that other people deal with with "nosec".
          bandit_json_output=$( \
            git ls-files \
              | grep '\.py$' \