# GitHub Actions: lint + unit tests + security scans. # Does not build or publish artifacts. Image scanning is done via # trivy fs on the project tree (covers deps, secrets, and Dockerfile # misconfig) so CI does not need a docker-in-docker setup. name: CI on: pull_request: push: branches: [main] release: types: [published] env: UV_LINK_MODE: copy # Version is git-derived (hatch-vcs). CI's clone is shallow/tagless, which # makes setuptools_scm raise, so pin a placeholder for the build -- CI only # lints/tests and never publishes. #169 SETUPTOOLS_SCM_PRETEND_VERSION: "0.0.0" jobs: lint: runs-on: ubuntu-latest container: image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim steps: - uses: actions/checkout@v7 - run: uv sync --frozen --all-extras - run: uv run ruff check app/ tests/ - run: uv run ruff format --check app/ tests/ - run: bash -n run.sh test: runs-on: ubuntu-latest container: image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim steps: - uses: actions/checkout@v7 - run: apt-get update && apt-get install -y --no-install-recommends ffmpeg - run: uv sync --frozen --all-extras - run: uv run pytest tests/ -q js-syntax: runs-on: ubuntu-latest container: image: node:20-alpine steps: - uses: actions/checkout@v7 - run: for f in static/js/*.js; do node --check "$f"; done sast-bandit: runs-on: ubuntu-latest container: image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim steps: - uses: actions/checkout@v7 - run: uv tool install bandit - run: uv tool run bandit -r app/ -ll # fail on medium+ severity deps-audit: runs-on: ubuntu-latest container: image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim steps: - uses: actions/checkout@v7 - run: uv tool install pip-audit - run: uv pip compile pyproject.toml -o /tmp/requirements.txt # Ignored CVEs (review when upgrading torch or demucs): # # torch 2.6.0 -- pinned to <2.7 because torchaudio 2.7+ removed its # built-in audio writer and now requires torchcodec, which has ABI # issues that break demucs 4.0.1's torchaudio.save() path. All torch # CVEs below are in ops that StemDeck does not invoke; risk on a # local-only, single-user app is negligible. Re-evaluate once demucs # supports torch 2.7+ without torchcodec. # # joblib PYSEC-2024-277 -- no fix version available as of 2026-05-21 # (1.5.3 is latest). joblib is a transitive dep via demucs/librosa; # StemDeck does not directly invoke joblib serialization. Drop once # a patched release is available. - run: | uv tool run pip-audit -r /tmp/requirements.txt --strict \ --ignore-vuln CVE-2025-2953 \ --ignore-vuln CVE-2025-3730 \ --ignore-vuln PYSEC-2025-189 \ --ignore-vuln PYSEC-2025-190 \ --ignore-vuln PYSEC-2025-192 \ --ignore-vuln PYSEC-2025-193 \ --ignore-vuln PYSEC-2025-194 \ --ignore-vuln PYSEC-2025-195 \ --ignore-vuln PYSEC-2025-196 \ --ignore-vuln PYSEC-2025-197 \ --ignore-vuln PYSEC-2025-198 \ --ignore-vuln PYSEC-2025-199 \ --ignore-vuln PYSEC-2025-200 \ --ignore-vuln PYSEC-2025-201 \ --ignore-vuln PYSEC-2025-202 \ --ignore-vuln PYSEC-2025-203 \ --ignore-vuln PYSEC-2025-204 \ --ignore-vuln PYSEC-2025-205 \ --ignore-vuln PYSEC-2025-206 \ --ignore-vuln PYSEC-2025-207 \ --ignore-vuln PYSEC-2025-208 \ --ignore-vuln PYSEC-2025-209 \ --ignore-vuln PYSEC-2025-210 \ --ignore-vuln PYSEC-2026-139 \ --ignore-vuln PYSEC-2024-277 \ --ignore-vuln CVE-2025-2148 \ --ignore-vuln CVE-2025-2149 \ --ignore-vuln CVE-2025-2998 \ --ignore-vuln CVE-2025-2999 \ --ignore-vuln CVE-2025-3000 \ --ignore-vuln CVE-2025-3001 trivy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v7 # Scans the source tree for: known CVEs in deps, leaked secrets, # and Dockerfile / compose misconfigurations. Skips .venv (it can # be left over from earlier steps in the shared workspace; trivy # would scan its bundled extractor files and flag false-positive # secrets that ship inside third-party packages like yt-dlp). - name: trivy fs uses: aquasecurity/trivy-action@master with: scan-type: fs scan-ref: . scanners: vuln,secret,misconfig severity: HIGH,CRITICAL exit-code: '1' ignore-unfixed: true trivyignores: .trivyignore skip-dirs: .venv,jobs # Dedicated Dockerfile + compose static analysis (Trivy's IaC linter). - name: trivy config uses: aquasecurity/trivy-action@master with: scan-type: config scan-ref: build/ severity: HIGH,CRITICAL exit-code: '1'