1.7.0-3 Bugfixes #149
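# Dependency-vulnerability audit for the Poetry-managed project.
#   - pull_request:        report-only; annotates the run and the step summary, never fails the check.
#   - schedule / dispatch: re-audits, runs `poetry update --lock` when fixes exist, and opens a PR.
name: pip-audit

on:
  pull_request:
  workflow_dispatch:
  schedule:
    # Weekly, Tue 03:23 UTC (~Europe/Berlin early morning)
    - cron: '23 3 * * 2'

# One live run per PR (or per ref for scheduled/manual runs); a newer run supersedes an older one.
concurrency:
  group: pip-audit-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Least privilege: the GITHUB_TOKEN is read-only for every job unless the job
# asks for more. Only the autofix job pushes a branch and opens a pull request,
# so the write scopes are granted in that job alone (see `autofix.permissions`)
# instead of workflow-wide, where they would also reach the report-only PR job.
permissions:
  contents: read

jobs:
  # 1) On PRs: report-only (green) + warnings; no code changes.
  audit-pr:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # NOTE(review): the actions below are referenced by floating major tags
      # (@v4, @v5, @v1). Pinning each `uses:` to a full commit SHA, with the tag
      # kept in a trailing comment, is the usual supply-chain hardening; the
      # SHAs are not available here, so the tags are left unchanged.
      - name: Check out
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - name: Install Poetry
        uses: snok/install-poetry@v1
        with:
          version: latest  # unpinned: the audit toolchain may change between runs
          virtualenvs-create: true
          virtualenvs-in-project: true
      - name: Install pip-audit tooling
        run: |
          python -m pip install --upgrade pip
          python -m pip install pip-audit
          sudo apt-get update
          sudo apt-get install -y jq
          # Install poetry export plugin (not included by default in Poetry 1.5+)
          poetry self add poetry-plugin-export
      - name: Export requirements from Poetry
        run: |
          poetry export -f requirements.txt --without-hashes -o poetry-requirements.txt --with dev,test
      - name: Audit requirements (report-only; keep CI green)
        run: |
          set -euo pipefail
          summary_tmp="$(mktemp)"
          echo "### pip-audit (report-only)" > "$summary_tmp"
          # Audit Poetry-managed dependencies.
          # pip-audit exits 1 when it finds vulnerabilities; that is the expected
          # "report" case here, so only exit codes > 1 (tool failure) abort the step.
          set +e
          pip-audit -r poetry-requirements.txt -f json -o audit.json
          status=$?
          set -e
          if [ "$status" -gt 1 ]; then
            echo "pip-audit failed with exit code $status" >&2
            exit "$status"
          fi
          # `// []` guards against dependency entries that carry no `vulns` array
          # (e.g. dependencies pip-audit skipped); without it jq aborts on null
          # and, under `set -e`, takes the whole step down with it.
          fixable=$(jq '[.dependencies[] | (.vulns // [])[] | select((.fix_versions|length)>0)] | length' audit.json)
          unfixable=$(jq '[.dependencies[] | (.vulns // [])[] | select((.fix_versions|length)==0)] | length' audit.json)
          printf " - Poetry dependencies: fixable=%s, unfixable=%s\n" "$fixable" "$unfixable" >> "$summary_tmp"
          # Surface findings as run annotations; the step itself stays green.
          if [ "$unfixable" -gt 0 ]; then
            echo "::warning title=pip-audit (no fix available)::${unfixable} vulnerability/vulnerabilities without a fix."
          fi
          if [ "$fixable" -gt 0 ]; then
            echo "::notice title=pip-audit (fix available)::${fixable} vulnerability/vulnerabilities have fixes. They will be auto-fixed by the scheduled job."
          fi
          cat "$summary_tmp" >> "$GITHUB_STEP_SUMMARY"
          rm "$summary_tmp"

  # 2) On schedule or manual runs: autofix by updating Poetry dependencies.
  autofix:
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    # The only job that needs write access: it pushes the fix branch and opens
    # the pull request through GITHUB_TOKEN.
    permissions:
      contents: write
      pull-requests: write
    steps:
      # NOTE(review): same floating-tag caveat as in audit-pr (@v4, @v5, @v1,
      # @v7); pin to commit SHAs once they are known.
      - name: Check out
        uses: actions/checkout@v4
        with:
          persist-credentials: false  # use GITHUB_TOKEN via the PR action
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - name: Install Poetry
        uses: snok/install-poetry@v1
        with:
          version: latest  # unpinned: the audit toolchain may change between runs
          virtualenvs-create: true
          virtualenvs-in-project: true
      - name: Install tools
        run: |
          python -m pip install --upgrade pip
          python -m pip install pip-audit
          sudo apt-get update
          sudo apt-get install -y jq
          # Install poetry export plugin (not included by default in Poetry 1.5+)
          poetry self add poetry-plugin-export
      - name: Audit and update Poetry dependencies
        id: fixrun
        run: |
          set -euo pipefail
          changed=0
          # Start a fresh summary for this run.
          echo "### pip-audit auto-fix report" > "$GITHUB_STEP_SUMMARY"
          # Export current requirements
          poetry export -f requirements.txt --without-hashes -o poetry-requirements.txt --with dev,test
          # Audit (exit code 1 == vulnerabilities found, which is the case we act on)
          set +e
          pip-audit -r poetry-requirements.txt -f json -o audit.json
          status=$?
          set -e
          if [ "$status" -gt 1 ]; then
            echo "pip-audit failed with exit code $status" >&2
            exit "$status"
          fi
          # `// []` guards against dependency entries that carry no `vulns` array
          # (e.g. dependencies pip-audit skipped); see the same filter in audit-pr.
          fixable=$(jq '[.dependencies[] | (.vulns // [])[] | select((.fix_versions|length)>0)] | length' audit.json)
          unfixable=$(jq '[.dependencies[] | (.vulns // [])[] | select((.fix_versions|length)==0)] | length' audit.json)
          if [ "$fixable" -gt 0 ]; then
            echo "Found ${fixable} fixable vulnerabilities, updating Poetry dependencies..."
            # Update all dependencies to get security fixes. This is a blanket
            # `poetry update`, not a targeted bump of the vulnerable packages, so
            # the resulting PR can also carry unrelated version changes.
            poetry update --lock
            if ! git diff --quiet -- pyproject.toml poetry.lock; then
              changed=1
            fi
          fi
          {
            echo "- Poetry dependencies: fixable=${fixable}, unfixable=${unfixable}"
          } >> "$GITHUB_STEP_SUMMARY"
          # Consumed by the `if:` of the PR step below.
          echo "changed=$changed" >> "$GITHUB_OUTPUT"
      - name: Create pull request with fixes
        if: steps.fixrun.outputs.changed == '1'
        uses: peter-evans/create-pull-request@v7
        with:
          branch: security/pip-audit-autofix
          delete-branch: true
          commit-message: "pip-audit: apply available security updates"
          title: "pip-audit: automatic security updates"
          body: |
            This PR was created automatically by `pip-audit`. It upgrades vulnerable dependencies where fixes exist by updating `pyproject.toml` and `poetry.lock`. Vulnerabilities with no available fix remain and are reported in the job summary.
          labels: security, dependencies, automated-pr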