Skip to content

Preserve orchestration audit truth under concurrent execution #679

Preserve orchestration audit truth under concurrent execution

Preserve orchestration audit truth under concurrent execution #679

Workflow file for this run

name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
schedule:
- cron: "0 6 * * 1"
permissions:
contents: read
jobs:
pip-audit:
name: pip-audit (base/dev lockfile)
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Set up uv
uses: astral-sh/setup-uv@v7
- name: Install audit tool in isolated environment
run: |
python -m venv .venv-audit
. .venv-audit/bin/activate
python -m pip install --upgrade pip
pip install pip-audit
- name: Run pip-audit (base lockfile export)
run: |
. .venv-audit/bin/activate
uv export --format requirements-txt --no-dev --no-emit-project --frozen -o /tmp/teaagent-base-requirements.txt
pip-audit -r /tmp/teaagent-base-requirements.txt
- name: Run pip-audit (dev lockfile visibility)
if: github.event_name == 'schedule'
run: |
. .venv-audit/bin/activate
uv export --format requirements-txt --no-emit-project --frozen -o /tmp/teaagent-dev-requirements.txt
pip-audit -r /tmp/teaagent-dev-requirements.txt
optional-extra-pip-audit:
name: optional-extra pip-audit (${{ matrix.extra }})
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
continue-on-error: true
permissions:
contents: read
strategy:
fail-fast: false
matrix:
extra:
- managed-google-adk
- managed-vertex
- playwright
- telemetry
- oauth
- wasm
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Set up uv
uses: astral-sh/setup-uv@v7
- name: Install audit tool in isolated environment
run: |
python -m venv .venv-audit
. .venv-audit/bin/activate
python -m pip install --upgrade pip
pip install pip-audit
- name: Run pip-audit (optional extra)
run: |
. .venv-audit/bin/activate
uv export --format requirements-txt --extra ${{ matrix.extra }} --no-dev --no-emit-project --frozen -o /tmp/teaagent-${{ matrix.extra }}-requirements.txt
pip-audit -r /tmp/teaagent-${{ matrix.extra }}-requirements.txt
bandit:
name: bandit SAST
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install bandit
run: pip install bandit
- name: Run bandit SAST scan
run: bandit -r teaagent/ -q -c pyproject.toml
codeql:
name: CodeQL (${{ matrix.language }})
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
packages: read
security-events: write
strategy:
fail-fast: false
matrix:
include:
- language: actions
build-mode: none
- language: python
build-mode: none
steps:
- uses: actions/checkout@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{ matrix.language }}"