chore: import upstream snapshot with attribution
CI / lint (push) Has been cancelled
CI / js-syntax (push) Successful in 10m24s
CI / deps-audit (push) Has been cancelled
CI / test (push) Failing after 24m55s
CI / sast-bandit (push) Failing after 11m13s
CI / trivy (push) Failing after 9m32s
Docker Publish / build-and-push (push) Failing after 34m3s
CI / lint (push) Has been cancelled
CI / js-syntax (push) Successful in 10m24s
CI / deps-audit (push) Has been cancelled
CI / test (push) Failing after 24m55s
CI / sast-bandit (push) Failing after 11m13s
CI / trivy (push) Failing after 9m32s
Docker Publish / build-and-push (push) Failing after 34m3s
This commit is contained in:
@@ -0,0 +1,143 @@
|
||||
# GitHub Actions: lint + unit tests + security scans.
|
||||
# Does not build or publish artifacts. Image scanning is done via
|
||||
# trivy fs on the project tree (covers deps, secrets, and Dockerfile
|
||||
# misconfig) so CI does not need a docker-in-docker setup.
|
||||
|
||||
name: CI
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
push:
|
||||
branches: [main]
|
||||
release:
|
||||
types: [published]
|
||||
|
||||
env:
|
||||
UV_LINK_MODE: copy
|
||||
# Version is git-derived (hatch-vcs). CI's clone is shallow/tagless, which
|
||||
# makes setuptools_scm raise, so pin a placeholder for the build -- CI only
|
||||
# lints/tests and never publishes. #169
|
||||
SETUPTOOLS_SCM_PRETEND_VERSION: "0.0.0"
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
|
||||
steps:
|
||||
- uses: actions/checkout@v7
|
||||
- run: uv sync --frozen --all-extras
|
||||
- run: uv run ruff check app/ tests/
|
||||
- run: uv run ruff format --check app/ tests/
|
||||
- run: bash -n run.sh
|
||||
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
|
||||
steps:
|
||||
- uses: actions/checkout@v7
|
||||
- run: apt-get update && apt-get install -y --no-install-recommends ffmpeg
|
||||
- run: uv sync --frozen --all-extras
|
||||
- run: uv run pytest tests/ -q
|
||||
|
||||
js-syntax:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: node:20-alpine
|
||||
steps:
|
||||
- uses: actions/checkout@v7
|
||||
- run: for f in static/js/*.js; do node --check "$f"; done
|
||||
|
||||
sast-bandit:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
|
||||
steps:
|
||||
- uses: actions/checkout@v7
|
||||
- run: uv tool install bandit
|
||||
- run: uv tool run bandit -r app/ -ll # fail on medium+ severity
|
||||
|
||||
deps-audit:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
|
||||
steps:
|
||||
- uses: actions/checkout@v7
|
||||
- run: uv tool install pip-audit
|
||||
- run: uv pip compile pyproject.toml -o /tmp/requirements.txt
|
||||
# Ignored CVEs (review when upgrading torch or demucs):
|
||||
#
|
||||
# torch 2.6.0 -- pinned to <2.7 because torchaudio 2.7+ removed its
|
||||
# built-in audio writer and now requires torchcodec, which has ABI
|
||||
# issues that break demucs 4.0.1's torchaudio.save() path. All torch
|
||||
# CVEs below are in ops that StemDeck does not invoke; risk on a
|
||||
# local-only, single-user app is negligible. Re-evaluate once demucs
|
||||
# supports torch 2.7+ without torchcodec.
|
||||
#
|
||||
# joblib PYSEC-2024-277 -- no fix version available as of 2026-05-21
|
||||
# (1.5.3 is latest). joblib is a transitive dep via demucs/librosa;
|
||||
# StemDeck does not directly invoke joblib serialization. Drop once
|
||||
# a patched release is available.
|
||||
- run: |
|
||||
uv tool run pip-audit -r /tmp/requirements.txt --strict \
|
||||
--ignore-vuln CVE-2025-2953 \
|
||||
--ignore-vuln CVE-2025-3730 \
|
||||
--ignore-vuln PYSEC-2025-189 \
|
||||
--ignore-vuln PYSEC-2025-190 \
|
||||
--ignore-vuln PYSEC-2025-192 \
|
||||
--ignore-vuln PYSEC-2025-193 \
|
||||
--ignore-vuln PYSEC-2025-194 \
|
||||
--ignore-vuln PYSEC-2025-195 \
|
||||
--ignore-vuln PYSEC-2025-196 \
|
||||
--ignore-vuln PYSEC-2025-197 \
|
||||
--ignore-vuln PYSEC-2025-198 \
|
||||
--ignore-vuln PYSEC-2025-199 \
|
||||
--ignore-vuln PYSEC-2025-200 \
|
||||
--ignore-vuln PYSEC-2025-201 \
|
||||
--ignore-vuln PYSEC-2025-202 \
|
||||
--ignore-vuln PYSEC-2025-203 \
|
||||
--ignore-vuln PYSEC-2025-204 \
|
||||
--ignore-vuln PYSEC-2025-205 \
|
||||
--ignore-vuln PYSEC-2025-206 \
|
||||
--ignore-vuln PYSEC-2025-207 \
|
||||
--ignore-vuln PYSEC-2025-208 \
|
||||
--ignore-vuln PYSEC-2025-209 \
|
||||
--ignore-vuln PYSEC-2025-210 \
|
||||
--ignore-vuln PYSEC-2026-139 \
|
||||
--ignore-vuln PYSEC-2024-277 \
|
||||
--ignore-vuln CVE-2025-2148 \
|
||||
--ignore-vuln CVE-2025-2149 \
|
||||
--ignore-vuln CVE-2025-2998 \
|
||||
--ignore-vuln CVE-2025-2999 \
|
||||
--ignore-vuln CVE-2025-3000 \
|
||||
--ignore-vuln CVE-2025-3001
|
||||
|
||||
trivy:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v7
|
||||
# Scans the source tree for: known CVEs in deps, leaked secrets,
|
||||
# and Dockerfile / compose misconfigurations. Skips .venv (it can
|
||||
# be left over from earlier steps in the shared workspace; trivy
|
||||
# would scan its bundled extractor files and flag false-positive
|
||||
# secrets that ship inside third-party packages like yt-dlp).
|
||||
- name: trivy fs
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: fs
|
||||
scan-ref: .
|
||||
scanners: vuln,secret,misconfig
|
||||
severity: HIGH,CRITICAL
|
||||
exit-code: '1'
|
||||
ignore-unfixed: true
|
||||
trivyignores: .trivyignore
|
||||
skip-dirs: .venv,jobs
|
||||
# Dedicated Dockerfile + compose static analysis (Trivy's IaC linter).
|
||||
- name: trivy config
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: config
|
||||
scan-ref: build/
|
||||
severity: HIGH,CRITICAL
|
||||
exit-code: '1'
|
||||
Reference in New Issue
Block a user