pip-audit #8
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: pip-audit | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "0 12 * * 1" | |
| jobs: | |
| pip-audit: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| python-version: [ "3.8", "3.9", "3.10", "3.11", "3.12", "3.13" ] | |
| name: pip-audit python ${{ matrix.python-version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| cache: 'pip' | |
| cache-dependency-path: | | |
| requirements.txt | |
| architecture: x64 | |
| - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})' | |
| run: | | |
| python -mvenv /tmp/PIPAUDIT | |
| source /tmp/PIPAUDIT/bin/activate | |
| pip install --upgrade pip wheel | |
| pip install pip-audit | |
| # - name: 'Freeze Python ${{ matrix.python-version }} constraints' | |
| # run: | | |
| # pip freeze > constraints-${{ matrix.python-version }}.txt | |
| - id: gen-cve-output | |
| run: | | |
| source /tmp/PIPAUDIT/bin/activate | |
| set +e | |
| pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-before.md | |
| refreeze=$? | |
| set -e | |
| if [ "$refreeze" != 0 ] ; then | |
| deactivate | |
| python -mvenv /tmp/PIPFREEZE | |
| source /tmp/PIPFREEZE/bin/activate | |
| pip install --upgrade pip wheel | |
| pip install -r requirements.txt | |
| pip freeze > constraints-${{ matrix.python-version }}.txt | |
| # Re-audit the populated environment | |
| deactivate | |
| source /tmp/PIPAUDIT/bin/activate | |
| set +e | |
| pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-after.md | |
| auditres=$? | |
| set -e | |
| if [ "$auditres" = 0 ] ; then | |
| (echo "# Fixed issues" ; cat /tmp/report-before.md) >> "$GITHUB_STEP_SUMMARY" | |
| else | |
| # Time to emit the report | |
| (echo "# Issues not solved" ; cat /tmp/report-after.md) >> "$GITHUB_STEP_SUMMARY" | |
| fi | |
| fi | |
| - uses: actions/upload-artifact@v3 | |
| with: | |
| retention-days: 2 | |
| path: constraints-${{ matrix.python-version }}.txt | |
| pip-audit-22_04: | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| matrix: | |
| python-version: [ "3.7" ] | |
| name: pip-audit python ${{ matrix.python-version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| cache: 'pip' | |
| cache-dependency-path: | | |
| requirements.txt | |
| architecture: x64 | |
| - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})' | |
| run: | | |
| python -mvenv /tmp/PIPAUDIT | |
| source /tmp/PIPAUDIT/bin/activate | |
| pip install --upgrade pip wheel | |
| pip install pip-audit | |
| # - name: 'Freeze Python ${{ matrix.python-version }} constraints' | |
| # run: | | |
| # pip freeze > constraints-${{ matrix.python-version }}.txt | |
| - id: gen-cve-output | |
| run: | | |
| source /tmp/PIPAUDIT/bin/activate | |
| set +e | |
| pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-before.md | |
| refreeze=$? | |
| set -e | |
| if [ "$refreeze" != 0 ] ; then | |
| deactivate | |
| python -mvenv /tmp/PIPFREEZE | |
| source /tmp/PIPFREEZE/bin/activate | |
| pip install --upgrade pip wheel | |
| pip install -r requirements.txt | |
| pip freeze > constraints-${{ matrix.python-version }}.txt | |
| # Re-audit the populated environment | |
| deactivate | |
| source /tmp/PIPAUDIT/bin/activate | |
| set +e | |
| pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-after.md | |
| auditres=$? | |
| set -e | |
| if [ "$auditres" = 0 ] ; then | |
| (echo "# Fixed issues" ; cat /tmp/report-before.md) >> "$GITHUB_STEP_SUMMARY" | |
| else | |
| # Time to emit the report | |
| (echo "# Issues not solved" ; cat /tmp/report-after.md) >> "$GITHUB_STEP_SUMMARY" | |
| fi | |
| fi | |
| - uses: actions/upload-artifact@v3 | |
| with: | |
| retention-days: 2 | |
| path: constraints-${{ matrix.python-version }}.txt | |
| pull_request_changes: | |
| # Do this only when it is not a pull request validation | |
| if: github.event_name != 'pull_request' | |
| runs-on: ubuntu-latest | |
| name: Pull request with the newly generated contents | |
| needs: | |
| - pip-audit | |
| - pip-audit-22_04 | |
| steps: | |
| - name: Get analysis timestamp | |
| id: timestamp | |
| run: echo "timestamp=$(date -Is)" >> "$GITHUB_OUTPUT" | |
| - uses: actions/checkout@v3 | |
| - uses: actions/download-artifact@v3 | |
| with: | |
| path: changes-dir | |
| - name: Move artifacts to their right place | |
| run: | | |
| cp -dpr changes-dir/artifact/* . | |
| rm -r changes-dir/artifact | |
| - name: Create Pull Request | |
| id: cpr | |
| uses: peter-evans/create-pull-request@v5 | |
| with: | |
| title: Updated constraints due security reasons (triggered on ${{ steps.timestamp.outputs.timestamp }} by ${{ github.sha }}) | |
| branch: create-pull-request/patch-audit-constraints | |
| delete-branch: true | |
| commit-message: "[create-pull-request] Automatically propose updated constraints" | |
| - name: Check outputs | |
| if: ${{ steps.cpr.outputs.pull-request-number }} | |
| run: | | |
| echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" | |
| echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" |