8f10353f0c
CI / lint (push) Has been cancelled
CI / js-syntax (push) Successful in 10m24s
CI / deps-audit (push) Has been cancelled
CI / test (push) Failing after 24m55s
CI / sast-bandit (push) Failing after 11m13s
CI / trivy (push) Failing after 9m32s
Docker Publish / build-and-push (push) Failing after 34m3s
144 lines
5.1 KiB
YAML
144 lines
5.1 KiB
YAML
# GitHub Actions: lint + unit tests + security scans.
|
|
# Does not build or publish artifacts. Image scanning is done via
|
|
# trivy fs on the project tree (covers deps, secrets, and Dockerfile
|
|
# misconfig) so CI does not need a docker-in-docker setup.
|
|
|
|
name: CI
|
|
|
|
on:
|
|
pull_request:
|
|
push:
|
|
branches: [main]
|
|
release:
|
|
types: [published]
|
|
|
|
env:
|
|
UV_LINK_MODE: copy
|
|
# Version is git-derived (hatch-vcs). CI's clone is shallow/tagless, which
|
|
# makes setuptools_scm raise, so pin a placeholder for the build -- CI only
|
|
# lints/tests and never publishes. #169
|
|
SETUPTOOLS_SCM_PRETEND_VERSION: "0.0.0"
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
|
|
steps:
|
|
- uses: actions/checkout@v7
|
|
- run: uv sync --frozen --all-extras
|
|
- run: uv run ruff check app/ tests/
|
|
- run: uv run ruff format --check app/ tests/
|
|
- run: bash -n run.sh
|
|
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
|
|
steps:
|
|
- uses: actions/checkout@v7
|
|
- run: apt-get update && apt-get install -y --no-install-recommends ffmpeg
|
|
- run: uv sync --frozen --all-extras
|
|
- run: uv run pytest tests/ -q
|
|
|
|
js-syntax:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: node:20-alpine
|
|
steps:
|
|
- uses: actions/checkout@v7
|
|
- run: for f in static/js/*.js; do node --check "$f"; done
|
|
|
|
sast-bandit:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
|
|
steps:
|
|
- uses: actions/checkout@v7
|
|
- run: uv tool install bandit
|
|
- run: uv tool run bandit -r app/ -ll # fail on medium+ severity
|
|
|
|
deps-audit:
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
|
|
steps:
|
|
- uses: actions/checkout@v7
|
|
- run: uv tool install pip-audit
|
|
- run: uv pip compile pyproject.toml -o /tmp/requirements.txt
|
|
# Ignored CVEs (review when upgrading torch or demucs):
|
|
#
|
|
# torch 2.6.0 -- pinned to <2.7 because torchaudio 2.7+ removed its
|
|
# built-in audio writer and now requires torchcodec, which has ABI
|
|
# issues that break demucs 4.0.1's torchaudio.save() path. All torch
|
|
# CVEs below are in ops that StemDeck does not invoke; risk on a
|
|
# local-only, single-user app is negligible. Re-evaluate once demucs
|
|
# supports torch 2.7+ without torchcodec.
|
|
#
|
|
# joblib PYSEC-2024-277 -- no fix version available as of 2026-05-21
|
|
# (1.5.3 is latest). joblib is a transitive dep via demucs/librosa;
|
|
# StemDeck does not directly invoke joblib serialization. Drop once
|
|
# a patched release is available.
|
|
- run: |
|
|
uv tool run pip-audit -r /tmp/requirements.txt --strict \
|
|
--ignore-vuln CVE-2025-2953 \
|
|
--ignore-vuln CVE-2025-3730 \
|
|
--ignore-vuln PYSEC-2025-189 \
|
|
--ignore-vuln PYSEC-2025-190 \
|
|
--ignore-vuln PYSEC-2025-192 \
|
|
--ignore-vuln PYSEC-2025-193 \
|
|
--ignore-vuln PYSEC-2025-194 \
|
|
--ignore-vuln PYSEC-2025-195 \
|
|
--ignore-vuln PYSEC-2025-196 \
|
|
--ignore-vuln PYSEC-2025-197 \
|
|
--ignore-vuln PYSEC-2025-198 \
|
|
--ignore-vuln PYSEC-2025-199 \
|
|
--ignore-vuln PYSEC-2025-200 \
|
|
--ignore-vuln PYSEC-2025-201 \
|
|
--ignore-vuln PYSEC-2025-202 \
|
|
--ignore-vuln PYSEC-2025-203 \
|
|
--ignore-vuln PYSEC-2025-204 \
|
|
--ignore-vuln PYSEC-2025-205 \
|
|
--ignore-vuln PYSEC-2025-206 \
|
|
--ignore-vuln PYSEC-2025-207 \
|
|
--ignore-vuln PYSEC-2025-208 \
|
|
--ignore-vuln PYSEC-2025-209 \
|
|
--ignore-vuln PYSEC-2025-210 \
|
|
--ignore-vuln PYSEC-2026-139 \
|
|
--ignore-vuln PYSEC-2024-277 \
|
|
--ignore-vuln CVE-2025-2148 \
|
|
--ignore-vuln CVE-2025-2149 \
|
|
--ignore-vuln CVE-2025-2998 \
|
|
--ignore-vuln CVE-2025-2999 \
|
|
--ignore-vuln CVE-2025-3000 \
|
|
--ignore-vuln CVE-2025-3001
|
|
|
|
trivy:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v7
|
|
# Scans the source tree for: known CVEs in deps, leaked secrets,
|
|
# and Dockerfile / compose misconfigurations. Skips .venv (it can
|
|
# be left over from earlier steps in the shared workspace; trivy
|
|
# would scan its bundled extractor files and flag false-positive
|
|
# secrets that ship inside third-party packages like yt-dlp).
|
|
- name: trivy fs
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: fs
|
|
scan-ref: .
|
|
scanners: vuln,secret,misconfig
|
|
severity: HIGH,CRITICAL
|
|
exit-code: '1'
|
|
ignore-unfixed: true
|
|
trivyignores: .trivyignore
|
|
skip-dirs: .venv,jobs
|
|
# Dedicated Dockerfile + compose static analysis (Trivy's IaC linter).
|
|
- name: trivy config
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: config
|
|
scan-ref: build/
|
|
severity: HIGH,CRITICAL
|
|
exit-code: '1'
|