feat(ci): use a Github Repository Variable DISABLE_PIP_AUDIT to control running pip-audit in CI (#551)

Author: jenstroeger

.github/workflows/_build.yaml

@@ -22,6 +22,11 @@
 name: Build the package
 on:
   workflow_call:
+    inputs:
+      disable_pip_audit:
+        required: true
+        type: boolean
+        description: Enable or disable running pip_audit to check installed packages for vulnerabilities
     outputs:
       artifacts-sha256:
         description: The hash of the artifacts
@@ -73,8 +78,10 @@ jobs:
     - name: Install dependencies
       run: make setup
 
-    # Audit all currently installed packages for security vulnerabilities.
+    # Audit all currently installed packages for security vulnerabilities. This step can
+    # be disabled by setting the repository variable DISABLE_PIP_AUDIT to 'true'.
     - name: Audit installed packages
+      if: ${{ !inputs.disable_pip_audit }}
       run: make audit
 
     # Build the sdist and wheel distribution of the package and docs as a zip file.

.github/workflows/pr-change-set.yaml

@@ -18,3 +18,5 @@ jobs:
     uses: ./.github/workflows/_build.yaml
     permissions:
       contents: read
+    with:
+      disable_pip_audit: ${{ vars.DISABLE_PIP_AUDIT == 'true' }}

.github/workflows/release.yaml

@@ -23,6 +23,8 @@ jobs:
     uses: ./.github/workflows/_build.yaml
     permissions:
       contents: read
+    with:
+      disable_pip_audit: ${{ vars.DISABLE_PIP_AUDIT == 'true' }}
 
   # On pushes to the 'main' branch create a new release by bumping the version
   # and generating a change log. That's the new bump commit and associated tag.
@@ -79,6 +81,8 @@ jobs:
     uses: ./.github/workflows/_build.yaml
     permissions:
       contents: read
+    with:
+      disable_pip_audit: ${{ vars.DISABLE_PIP_AUDIT == 'true' }}
 
   # Create a new Release on Github from the verified build artifacts, and optionally
   # publish the artifacts to a PyPI server.

README.md

@@ -60,7 +60,7 @@ Automatic package versioning and tagging, publishing to [PyPI](https://pypi.org/
 
 [OSSF Security Scorecards](https://github.com/ossf/scorecard) is enabled as a GitHub Actions workflow to give the consumers information about the supply-chain security posture of this project, assigning a score of 0–10. We upload the results as a SARIF (Static Analysis Results Interchange Format) artifact after each run and the results can be found at the Security tab of this GitHub project. We also allow publishing the data at [OpenSSF](https://metrics.openssf.org/). We use this data to continuously improve the security posture of this project. Note that this configuration supports the ``main`` (default) branch and requires the repository to be public and not forked.
 
-[pip-audit](https://github.com/pypa/pip-audit) is part of the default Python virtual environment, and can be used to check all installed packages for documented [CVE](https://www.cve.org/) by querying the [Python Packaging Advisory Database](https://github.com/pypa/advisory-database). The `build.yaml` workflow always runs a package audit before the artifacts are being built.
+[pip-audit](https://github.com/pypa/pip-audit) is part of the default Python virtual environment, and can be used to check all installed packages for documented [CVE](https://www.cve.org/) by querying the [Python Packaging Advisory Database](https://github.com/pypa/advisory-database). The `_build.yaml` workflow always runs a package audit before the artifacts are being built. In automated production environments it _may_, on rare occasions, be necessary to suspend package auditing in which case  you can [add a repository variable](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository) `DISABLE_PIP_AUDIT` with value `true` to your repository to explicitly disable running pip-audit.
 
 ### Package or application?