Skip to content

chore(deps): bump the python group across 1 directory with 16 updates #124

chore(deps): bump the python group across 1 directory with 16 updates

chore(deps): bump the python group across 1 directory with 16 updates #124

Workflow file for this run

name: Security
# Supply-chain and secret-hygiene checks that run independently of the test matrix
# so they gate every PR and push even when the unit tests are skipped. Three jobs:
# - pip-audit: scans resolved Python dependencies for known CVEs (PyPI advisories).
# - gitleaks: scans the repo / PR diff for committed secrets, even without a
# developer running the local pre-commit hook.
# - bandit: Python-specific static security analysis (SAST) of the package.
on:
push:
branches: [main, master, develop]
pull_request:
branches: [main, master, develop]
workflow_dispatch:
# Least privilege: both jobs only need to read the repository contents.
permissions:
contents: read
concurrency:
group: security-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
pip-audit:
name: pip-audit (dependency CVEs)
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- name: Set up uv (provides uvx for pip-audit)
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
python-version: "3.12"
enable-cache: true
# Audit the project's full dependency closure (runtime + optional extras) by
# resolving it from pyproject.toml into a requirements file, then scanning that.
# Fails the job on any dependency with a known advisory.
- name: Resolve dependency closure
run: uv pip compile --all-extras --output-file requirements-audit.txt pyproject.toml
- name: Audit dependencies
run: uvx pip-audit --strict --requirement requirements-audit.txt
gitleaks:
name: gitleaks (secret scan)
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
# Full history so the scan can diff the whole range on push, not just HEAD.
fetch-depth: 0
- name: Run gitleaks
uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
bandit:
name: bandit (Python SAST)
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- name: Set up uv (provides uvx for bandit)
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
python-version: "3.12"
enable-cache: true
# Static security analysis of the package source — a Python-focused second
# opinion alongside CodeQL. Gates on MEDIUM+ severity findings; known false
# positives are annotated inline with `# nosec <id>` + a justification.
- name: Run bandit
run: uvx bandit -r coderag -ll