Scan dependencies for vulnerabilities with pip-audit #1564
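---
name: Scan dependencies for vulnerabilities with pip-audit

on:
  # Once per day (scheduled runs always execute on the default branch)
  schedule:
    - cron: "0 0 * * *"
  # Run on push to master branch
  push:
    branches:
      - master
  # Run on pull requests, but only after a collaborator opts in with the
  # 'audit' label (enforced by the job-level `if` below). `labeled` fires when
  # the label is added; `synchronize` re-runs on new commits to a labeled PR.
  pull_request:
    types: [labeled, synchronize]

# Least privilege: the audit only reads the repository. No step writes to the
# repo, issues or packages, so no other scope is granted.
permissions:
  contents: read

jobs:
  pip-audit:
    # The triggers above only enqueue a workflow run; this gate decides whether
    # the job actually executes:
    #   - scheduled runs on master,
    #   - pushes to master (the `push` trigger is already filtered to master;
    #     without this clause the declared push trigger never ran the job),
    #   - pull requests carrying the 'audit' label.
    # The label gate matters because `make dev` below executes code from the PR
    # branch. A plain `pull_request` event carries a read-only token and no
    # secrets, and adding a label normally requires triage/write access, so
    # fork-supplied code only runs once a maintainer has opted in.
    if: |
      (github.event_name == 'schedule' && github.ref == 'refs/heads/master') ||
      github.event_name == 'push' ||
      (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'audit'))
    strategy:
      # Keep auditing the remaining interpreters when one matrix entry fails,
      # so a single broken build does not hide findings for the others.
      fail-fast: false
      matrix:
        python: ["3.10", "3.11", "3.12", "3.13"]
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned to commit SHAs (not mutable tags) so they cannot be
      # swapped out from under the workflow. Credentials are not persisted in
      # the checkout because no later step pushes.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install dependencies
        # `apt-get` rather than `apt`: `apt` has no stable CLI for scripts.
        run: |
          sudo apt-get update
          sudo apt-get install -y apt-file cmake automake golang cargo npm clang
          sudo apt-file update
      - name: Install uv
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      # `matrix.python` is defined in this file, not derived from the event
      # payload, so interpolating it into `run` is not an injection vector.
      - name: Install Python ${{ matrix.python }}
        run: uv python install ${{ matrix.python }}
      - name: Build project
        # Presumably creates the `.venv` that pip-audit inspects below — check
        # the Makefile if the audit reports an empty environment.
        run: make dev
      - name: Run pip-audit
        uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0
        with:
          vulnerability-service: PyPI
          virtual-environment: .venv
          # TODO(review): every ignored advisory needs a written justification
          # and a re-evaluation date next to it. An unexplained entry silences
          # the finding indefinitely and nobody will know when it is safe to drop.
          ignore-vulns: |
            GHSA-w596-4wvx-j9j6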