chore(deps): bump the python group across 1 directory with 16 updates #124
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| # Supply-chain and secret-hygiene checks that run independently of the test matrix | |
| # so they gate every PR and push even when the unit tests are skipped. Three jobs: | |
| # - pip-audit: scans resolved Python dependencies for known CVEs (PyPI advisories). | |
| # - gitleaks: scans the repo / PR diff for committed secrets, even without a | |
| # developer running the local pre-commit hook. | |
| # - bandit: Python-specific static security analysis (SAST) of the package. | |
| on: | |
| push: | |
| branches: [main, master, develop] | |
| pull_request: | |
| branches: [main, master, develop] | |
| workflow_dispatch: | |
| # Least privilege: both jobs only need to read the repository contents. | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: security-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| pip-audit: | |
| name: pip-audit (dependency CVEs) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| - name: Set up uv (provides uvx for pip-audit) | |
| uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | |
| with: | |
| python-version: "3.12" | |
| enable-cache: true | |
| # Audit the project's full dependency closure (runtime + optional extras) by | |
| # resolving it from pyproject.toml into a requirements file, then scanning that. | |
| # Fails the job on any dependency with a known advisory. | |
| - name: Resolve dependency closure | |
| run: uv pip compile --all-extras --output-file requirements-audit.txt pyproject.toml | |
| - name: Audit dependencies | |
| run: uvx pip-audit --strict --requirement requirements-audit.txt | |
| gitleaks: | |
| name: gitleaks (secret scan) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| # Full history so the scan can diff the whole range on push, not just HEAD. | |
| fetch-depth: 0 | |
| - name: Run gitleaks | |
| uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| bandit: | |
| name: bandit (Python SAST) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| - name: Set up uv (provides uvx for bandit) | |
| uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | |
| with: | |
| python-version: "3.12" | |
| enable-cache: true | |
| # Static security analysis of the package source — a Python-focused second | |
| # opinion alongside CodeQL. Gates on MEDIUM+ severity findings; known false | |
| # positives are annotated inline with `# nosec <id>` + a justification. | |
| - name: Run bandit | |
| run: uvx bandit -r coderag -ll |