pyMDOC-CBOR/.github/workflows/dependency-security.yml at b2ef8a86bf5be249b7c6e1437d5bb866a2a85c17 · IdentityPython/pyMDOC-CBOR · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# Security audit of Python dependencies (known vulnerabilities)
name: Dependency security

on:
  push:
    branches: ["*"]
  pull_request:
    branches: ["*"]

jobs:
  pip-audit:
    name: pip-audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Create venv and install
        run: |
          python -m venv env
          source env/bin/activate
          pip install --upgrade pip pip-audit
          pip install "cbor2>=5.4.0" "cbor-diag>=1.1.0" "pycose>=1.0.1"
          pip install -r requirements-dev.txt

      # Exit 1 on any vulnerability (fail CI). --skip-editable whitelists pymdoccbor (local package, not on PyPI).
      # Ignore only unfixable: ecdsa CVE-2024-23342 (no upstream fix; see docs/SECURITY-DEPENDENCIES.md).
      - name: Run pip-audit (dependencies)
        run: |
          source env/bin/activate
          pip-audit --skip-editable --ignore-vuln CVE-2024-23342