jarvis / .github /workflows /security.yml
dependabot[bot]
deps(deps): bump github/codeql-action
4ced230 unverified
Raw
History Blame Contribute Delete
2.17 kB
name: Security
on:
push:
branches:
- main
pull_request:
schedule:
- cron: "15 4 * * 1"
workflow_dispatch:
permissions:
actions: read
contents: read
security-events: write
concurrency:
group: security-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
codeql:
runs-on: ubuntu-latest
timeout-minutes: 45
strategy:
fail-fast: false
matrix:
language:
- python
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Initialize CodeQL
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
- name: Analyze
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
category: "/language:${{ matrix.language }}"
pip-audit:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.12"
- name: Install uv
uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
- name: Sync dependencies
run: uv sync --extra dev
- name: Run pip-audit (informational)
continue-on-error: true
run: |
mkdir -p .artifacts/security
uv run --with pip-audit pip-audit --format json > .artifacts/security/pip-audit.json
- name: Upload pip-audit artifact
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: pip-audit-${{ github.run_id }}
path: .artifacts/security/pip-audit.json
if-no-files-found: warn