Potential fix for code scanning alert no. 34: Clear-text logging of sensitive information #528
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "0 6 * * 1" | |
| permissions: | |
| contents: read | |
| jobs: | |
| pip-audit: | |
| name: pip-audit (base/dev lockfile) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: actions/setup-python@v6 | |
| with: | |
| python-version: "3.12" | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@v7 | |
| - name: Install audit tool in isolated environment | |
| run: | | |
| python -m venv .venv-audit | |
| . .venv-audit/bin/activate | |
| python -m pip install --upgrade pip | |
| pip install pip-audit | |
| - name: Run pip-audit (base lockfile export) | |
| run: | | |
| . .venv-audit/bin/activate | |
| uv export --format requirements-txt --no-dev --no-emit-project --frozen -o /tmp/teaagent-base-requirements.txt | |
| pip-audit -r /tmp/teaagent-base-requirements.txt | |
| - name: Run pip-audit (dev lockfile visibility) | |
| if: github.event_name == 'schedule' | |
| run: | | |
| . .venv-audit/bin/activate | |
| uv export --format requirements-txt --no-emit-project --frozen -o /tmp/teaagent-dev-requirements.txt | |
| pip-audit -r /tmp/teaagent-dev-requirements.txt | |
| optional-extra-pip-audit: | |
| name: optional-extra pip-audit (${{ matrix.extra }}) | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| continue-on-error: true | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| extra: | |
| - managed-google-adk | |
| - managed-vertex | |
| - playwright | |
| - telemetry | |
| - oauth | |
| - wasm | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: actions/setup-python@v6 | |
| with: | |
| python-version: "3.12" | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@v7 | |
| - name: Install audit tool in isolated environment | |
| run: | | |
| python -m venv .venv-audit | |
| . .venv-audit/bin/activate | |
| python -m pip install --upgrade pip | |
| pip install pip-audit | |
| - name: Run pip-audit (optional extra) | |
| run: | | |
| . .venv-audit/bin/activate | |
| uv export --format requirements-txt --extra ${{ matrix.extra }} --no-dev --no-emit-project --frozen -o /tmp/teaagent-${{ matrix.extra }}-requirements.txt | |
| pip-audit -r /tmp/teaagent-${{ matrix.extra }}-requirements.txt | |
| codeql: | |
| name: CodeQL (${{ matrix.language }}) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| packages: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: actions | |
| build-mode: none | |
| - language: python | |
| build-mode: none | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:${{ matrix.language }}" |