refactor: Modernize SDK architecture, harden security, and enable O(1) routing #19
| name: Security | |
| on: | |
| push: { branches: [main] } | |
| pull_request: | |
| schedule: [{ cron: "0 5 * * *" }] # Daily security sweep | |
| permissions: | |
| contents: read | |
| jobs: | |
| static-analysis: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.13" | |
| cache: 'pip' | |
| - run: pip install ruff bandit mypy pip-audit | |
| # Fast checks | |
| - run: ruff check . | |
| - run: bandit -c pyproject.toml -r mailjet_rest | |
| - run: mypy --strict mailjet_rest | |
| semgrep: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: returntocorp/semgrep-action@v1 | |
| with: | |
| config: >- | |
| p/python | |
| p/owasp-top-ten | |
| p/supply-chain | |
| p/command-injection | |
| p/insecure-transport | |
| error: true # Fails CI if issues found | |
| pip-audit: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: { python-version: "3.13" } | |
| - run: pip install pip-audit | |
| - run: pip-audit --strict | |
| osv-scan: | |
| permissions: | |
| actions: read | |
| security-events: write # For Security Tab | |
| contents: read | |
| uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.8" | |
| with: | |
| # Explicit root scanning | |
| scan-args: |- | |
| --recursive | |
| ./ |