Skip to content

Bump anyio from 4.14.0 to 4.14.1 #24

Bump anyio from 4.14.0 to 4.14.1

Bump anyio from 4.14.0 to 4.14.1 #24

Workflow file for this run

name: security
on:
pull_request:
push:
branches:
- main
- master
schedule:
- cron: "27 9 * * 1"
permissions:
contents: read
security-events: write
concurrency:
group: security-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
codeql:
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: python
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
dependency-audit:
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
cache: pip
- name: Run pip-audit
run: |
python -m pip install pip-audit==2.10.1
pip-audit --requirement requirements.txt
container-scan:
runs-on: ubuntu-latest
timeout-minutes: 25
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Prepare throwaway local config
run: |
cp .env.example .env
mkdir -p data/secrets data/codex-home data/codex-work
python - <<'PY'
import pathlib
import secrets
pathlib.Path("data/secrets/proxy_api_key").write_text(secrets.token_urlsafe(48) + "\n", encoding="utf-8")
PY
chmod 600 .env
chmod 644 data/secrets/proxy_api_key
chmod 700 data/secrets data/codex-home data/codex-work
- name: Build local image
run: docker compose build
- name: Trivy image scan
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: codex-cli-provider:local
format: table
severity: CRITICAL,HIGH
exit-code: "1"
ignore-unfixed: true