Files
wehub-resource-sync 09e9f3545f
Test / Code Quality (push) Has been cancelled
Test / Test (macos-latest, Python 3.10) (push) Has been cancelled
Test / Test (macos-latest, Python 3.11) (push) Has been cancelled
Test / Test (macos-latest, Python 3.12) (push) Has been cancelled
Test / Test (macos-latest, Python 3.13) (push) Has been cancelled
Test / Test (macos-latest, Python 3.14) (push) Has been cancelled
Test / Test (ubuntu-latest, Python 3.10) (push) Has been cancelled
Test / Test (ubuntu-latest, Python 3.11) (push) Has been cancelled
Test / Test (ubuntu-latest, Python 3.12) (push) Has been cancelled
Test / Test (ubuntu-latest, Python 3.13) (push) Has been cancelled
Test / Test (ubuntu-latest, Python 3.14) (push) Has been cancelled
Test / Test (windows-latest, Python 3.10) (push) Has been cancelled
Test / Test (windows-latest, Python 3.11) (push) Has been cancelled
Test / Test (windows-latest, Python 3.12) (push) Has been cancelled
Test / Test (windows-latest, Python 3.13) (push) Has been cancelled
Test / Test (windows-latest, Python 3.14) (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
dependency-audit / pip-audit (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:30:13 +08:00

69 lines
2.5 KiB
YAML

# Runs pip-audit against the locked environment so a CVE landing in a
# transitive dep surfaces in CI rather than at next user install. Any
# unresolved advisory fails the job (a hard merge gate on PRs, a red main
# build on push/schedule).
name: dependency-audit
on:
push:
branches: [main]
pull_request:
paths:
- "pyproject.toml"
- "uv.lock"
- ".github/workflows/dependency-audit.yml"
schedule:
# Nightly at 06:00 UTC so transitive CVEs surface even when no PR
# touches the manifest.
- cron: "0 6 * * *"
workflow_dispatch: {}
permissions:
contents: read
jobs:
pip-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
with:
persist-credentials: false
- uses: astral-sh/setup-uv@v7
with:
enable-cache: true
- name: Sync locked env (browser + dev + markdown)
# Retried to ride out transient registry/network blips: a real
# lockfile problem fails all 3 attempts identically, so this only
# absorbs flakes — it never masks a genuine resolution error.
shell: bash
run: |
attempt=1; max=3
until uv sync --frozen --extra browser --extra dev --extra markdown; do
if [ "$attempt" -ge "$max" ]; then
echo "::error::uv sync failed after $max attempts" >&2
exit 1
fi
echo "::warning::uv sync attempt $attempt failed; retrying in $((attempt * 15))s" >&2
sleep $((attempt * 15))
attempt=$((attempt + 1))
done
- name: Install pip-audit into the locked env
# Pin pip-audit on the current major (2.x) so two consecutive nightly
# runs use the same advisory-DB query logic — without this, a silent
# bump to 3.x could change strictness without an accompanying PR.
run: uv pip install 'pip-audit>=2.7.0,<3'
- name: pip-audit (locked env)
# Hard merge gate: any unresolved advisory fails the job. If a
# transient advisory genuinely needs to be ignored, pin the fix in
# uv.lock or use pip-audit's --ignore-vuln for a tracked exception.
# Audit the exported lock graph instead of the installed environment so
# unreleased local package versions do not fail strict collection.
run: |
set -o pipefail
uv export --frozen --extra browser --extra dev --extra markdown --format requirements-txt --no-emit-project \
| uv run pip-audit --strict --require-hashes --disable-pip -r /dev/stdin