name: Security on: push: branches: - main pull_request: schedule: - cron: "15 4 * * 1" workflow_dispatch: permissions: actions: read contents: read security-events: write concurrency: group: security-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: codeql: runs-on: ubuntu-latest timeout-minutes: 45 strategy: fail-fast: false matrix: language: - python steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: languages: ${{ matrix.language }} - name: Autobuild uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 - name: Analyze uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: category: "/language:${{ matrix.language }}" pip-audit: runs-on: ubuntu-latest timeout-minutes: 20 steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.12" - name: Install uv uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 - name: Sync dependencies run: uv sync --extra dev - name: Run pip-audit (informational) continue-on-error: true run: | mkdir -p .artifacts/security uv run --with pip-audit pip-audit --format json > .artifacts/security/pip-audit.json - name: Upload pip-audit artifact if: always() uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: pip-audit-${{ github.run_id }} path: .artifacts/security/pip-audit.json if-no-files-found: warn