
Commit e317201

Switch CI from pip to uv with supply chain protection (#85)
Switches pythontests and da_build actions from pip to uv. (SuffolkLITLab/security#3) Changes: - Replaced setup-python and all pip calls with setup-uv and uv sync - Added UV_EXCLUDE_NEWER=7 days env var so only packages older than 7 days get installed - protects against supply chain attacks - Added uv audit in pythontests to scan for known CVEs - pytest, mypy and bandit now run through uv run - da_build uses uv pip install --system since it doesn't have a project environment Note: repos without [dependency-groups] in pyproject.toml fall back to plain uv sync - still need to figure out how to handle those (like ALThemeTemplate, ALRecipes, ALAnystate) that have no dev deps at all. --------- Co-authored-by: Bryce Willey <bryce.willey@suffolk.edu>
1 parent bdddb44 commit e317201

2 files changed

Lines changed: 43 additions & 33 deletions


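--- a/da_build/action.yml
+++ b/da_build/action.yml
@@ -20,21 +20,25 @@ runs:
 steps:
 - uses: actions/checkout@v6
 
-- name: Set up Python
-uses: actions/setup-python@v6
+- name: Install uv
+uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 with:
 python-version: ${{ inputs.python-version }}
 
+- name: Set uv exclude-newer
+run: echo "UV_EXCLUDE_NEWER=7 days" >> $GITHUB_ENV
+shell: bash
+
 - name: Install dependencies
-run: python -m pip install build "dayamlchecker>=1.2.0" --user
+run: uv tool install "dayamlchecker>=1.2.0"
 shell: bash
 
 - name: Check syntax for all files
 run: python -m compileall . -q
 shell: bash
 
 - name: Build a binary wheel and a source tarball
-run: python -m build --sdist --wheel --outdir dist/
+run: uv build --sdist --wheel --outdir dist/
 shell: bash
 
 - name: Run YAML Checker
@@ -52,6 +56,7 @@ runs:
 if [ "${{ inputs.skip-templates }}" = "true" ]; then
 args+=(--skip-templates)
 fi
+
 if [ -n "${{ inputs.ignore-urls }}" ]; then
 args+=(--ignore-urls "${{ inputs.ignore-urls }}")
 fi
@@ -65,7 +70,7 @@ runs:
 if [ "$checker_status" -ne 0 ]; then
 exit "$checker_status"
 fi
-
+
 # Surface warning lines as a single GitHub Actions annotation without failing the job.
 in_warning_block=false
 warning_text=""
@@ -80,7 +85,6 @@ runs:
 if [ -z "$line" ]; then
 continue
 fi
-
 if [ -n "$warning_text" ]; then
 warning_text+=$'\n'
 fi
@@ -93,4 +97,4 @@ runs:
 escaped="${escaped//$'\n'/'%0A'}"
 echo "::warning title=URL checker::$escaped"
 fi
-shell: bash
+shell: bash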
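Review bot: `python -m compileall . -q` at new line 37 still runs whichever `python` the runner image puts on PATH, while the interpreter chosen by `inputs.python-version` is now only installed through setup-uv, so the syntax check may run under a different Python than the build unless setup-uv exports that interpreter to PATH (worth confirming); `run: uv run --no-project python -m compileall . -q` would tie it to the uv-managed interpreter. The new setup-uv step is pinned to a commit SHA with a version comment, but `actions/checkout@v6` on line 21 still floats on a mutable tag, which is at odds with the supply-chain intent stated in the commit message; pinning it the same way would close that gap. The `UV_EXCLUDE_NEWER=7 days` value is a relative duration, so confirm the uv release that setup-uv v8 installs accepts that form rather than only a timestamp, since an unparsable value would fail every later uv invocation in this action.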

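--- a/pythontests/action.yml
+++ b/pythontests/action.yml
@@ -1,5 +1,6 @@
 name: Run python only tests
 description: "Sets up running python tests for Assembly Line projects. Should work with both docassemble and non-docassemble projects"
+
 outputs:
 tests-passed:
 description: "If the tests passed"
@@ -10,48 +11,53 @@ runs:
 steps:
 - run: sudo apt-get update && sudo apt-get -y install libcurl4-openssl-dev build-essential python3-dev libldap2-dev libsasl2-dev slapd ldap-utils tox lcov libzbar0 libaugeas0 augeas-lenses
 shell: bash
+
 - run: echo "ISUNITTEST=true" >> $GITHUB_ENV
 shell: bash
+
 - uses: actions/checkout@v6
-- uses: actions/setup-python@v6
+
+- name: Install uv
+uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 with:
 python-version: '3.12'
-cache: 'pip'
-cache-dependency-path: |
-pyproject.toml
-**/requirements.txt
-- run: python -m venv venv
+
+- name: Set uv exclude-newer config
+run: echo "UV_EXCLUDE_NEWER=7 days" >> $GITHUB_ENV
 shell: bash
-- run: source venv/bin/activate
-shell: bash
-- run: pip install wheel pytest
+
+- name: Install dependencies
+run: |
+if grep -q "\[dependency-groups\]" pyproject.toml 2>/dev/null; then
+uv sync --group dev
+else
+uv sync
+fi
 shell: bash
-- run: |
-if [ -n "$(find . -name requirements.txt)" ]; then
-pip install -v -r $(find . -name requirements.txt)
-else
-pip install -v --group dev .
-fi
-shell: bash
-- run: pip install -v --editable .
-shell: bash
+
+#- name: Run uv audit
+#run: uv audit
+#shell: bash
+
 - run: export PYTHONPATH=$PYTHONPATH:$GITHUB_WORKSPACE
 shell: bash
-- run: python -m mypy . --exclude '^build/' --explicit-package-bases
-shell: bash
+
 - run: |
 if [[ -f docassemble/__init__.py ]]; then
 mv docassemble/__init__.py docassemble/__init__.py.bak
 fi
 shell: bash
+
+- run: uv run mypy . --exclude '^build/' --explicit-package-bases
+shell: bash
+
 - name: Run Bandit security scan
-run: |
-pip install bandit
-bandit -r . --exclude './scripts,./venv,./build' --severity-level=high
+run: uv tool run bandit -r . --exclude './scripts,./venv,./.venv,./build' --severity-level=high
 shell: bash
-- run: |
-pytest
-shell: bash
+
+- run: uv run pytest
+shell: bash
+
 - id: output-step
 run: echo "test-outputs=$?" >> $GITHUB_OUTPUT
 shell: bash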
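Review bot: The `uv audit` step at new lines 38-40 is commented out, so the known-CVE scan the commit message says was added never runs and the job has no dependency-vulnerability gate at all; either enable it if the installed uv actually provides an `audit` subcommand, or replace the dead lines with an interim scanner such as `- run: uv tool run pip-audit` and drop the claim from the description. Projects that fall into the plain `uv sync` branch (new line 34) no longer get pytest or mypy installed, whereas the old flow ran `pip install wheel pytest` unconditionally, so `uv run mypy` at line 51 and `uv run pytest` at line 58 will fail there unless those tools are already project dependencies; `uv run --with pytest pytest` (and `--with mypy`) preserves the previous behaviour for such repos. The removed branch that installed a discovered `requirements.txt` has no replacement, which may be intended but is not mentioned in the description. Note also that `uv sync` with no committed `uv.lock` (or `--locked`) re-resolves on every run inside a moving 7-day window, so `UV_EXCLUDE_NEWER` bounds freshness but does not by itself make the test environment reproducible.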
