Skip to content

Merge pull request #1 from subdepthtech/dependabot/github_actions/git… #8

Merge pull request #1 from subdepthtech/dependabot/github_actions/git…

Merge pull request #1 from subdepthtech/dependabot/github_actions/git… #8

Workflow file for this run

name: security
on:
pull_request:
push:
branches:
- main
- master
schedule:
- cron: "27 9 * * 1"
permissions:
contents: read
security-events: write
concurrency:
group: security-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
codeql:
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: python
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
dependency-audit:
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
cache: pip
- name: Run pip-audit
run: |
python -m pip install pip-audit==2.10.1
pip-audit --requirement requirements.txt
container-scan:
runs-on: ubuntu-latest
timeout-minutes: 25
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Prepare throwaway local config
run: |
cp .env.example .env
mkdir -p data/secrets data/codex-home data/codex-work
python - <<'PY'
import pathlib
import secrets
pathlib.Path("data/secrets/proxy_api_key").write_text(secrets.token_urlsafe(48) + "\n", encoding="utf-8")
PY
chmod 600 .env
chmod 644 data/secrets/proxy_api_key
chmod 700 data/secrets data/codex-home data/codex-work
- name: Build local image
run: docker compose build
- name: Trivy image scan
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
image-ref: codex-cli-provider:local
format: table
severity: CRITICAL,HIGH
exit-code: "1"
ignore-unfixed: true