From 05fcfbe3593775368b2ae19085720988bc09eab5 Mon Sep 17 00:00:00 2001
From: Klaas van Schelven
Date: Wed, 30 Jul 2025 22:38:48 +0200
Subject: [PATCH] Document thought on bandit on .template files

See #175
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c33992d..63105eb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -62,6 +62,9 @@ jobs:
 # set +o pipefail disables GH's default "fail the whole pipeline if any stage fails"
 set +e +o pipefail

+ # Note: .py files only; at the time of writing I checked the conf_templates/*.template
+ # also; but they had 2 False positives only (SECRET_KEY lives there by design) and I
+ # don't want to pollute templates that other people deal with with "nosec".
 bandit_json_output=$( \
 git ls-files \
 | grep '\.py$' \
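Review bot: The added comment records a one-time manual check of `conf_templates/*.template`, but nothing in the visible lines re-checks those files, so anything added to a template later would not be scanned by bandit. I would make the comment say that outright and tie it to the tracking issue so the decision can be revisited, e.g. `# Note: .py files only (see #175); conf_templates/*.template were checked by hand once and are NOT scanned in CI.` If the two findings were only the hardcoded-secret ones for SECRET_KEY, a separate bandit invocation over the templates using its `--skip` option for that one test would presumably keep coverage without putting "nosec" in the templates. That needs confirming against the rest of the `bandit_json_output` command, which continues outside this hunk. Minor wording: "False positives" should be lowercase, and "deal with with" reads awkwardly.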