Merge pull request #365 from ContextualWisdomLab/codex/opencode-inlin… #1657
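# Dependency audit workflow: checks the npm, Python (uv) and Rust dependency
# sets against known-vulnerability advisories on every pull request and push
# targeting develop or main.
name: security-audit

on:
  pull_request:
    branches:
      - develop
      - main
  push:
    branches:
      - develop
      - main

# Least privilege for GITHUB_TOKEN: the job only needs to read the repository.
permissions:
  contents: read

# Environment-based git configuration: sets init.defaultBranch=develop for
# every git invocation in the job.
env:
  GIT_CONFIG_COUNT: "1"
  GIT_CONFIG_KEY_0: init.defaultBranch
  GIT_CONFIG_VALUE_0: develop

jobs:
  audit:
    name: security-audit
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to full commit SHAs. The trailing
      # version comment is informational only; the SHA is what gets executed.
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Later steps install and build third-party packages; do not leave
          # the workflow token in the checkout's local git config for them.
          persist-credentials: false
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 22.22.3
          cache: npm
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          version: "0.8.6"
          enable-cache: false

      # npm ci installs exactly what the lockfile records. Lifecycle scripts
      # are skipped: this job only audits, it never builds or runs the packages.
      - name: Install node dependencies
        run: npm ci --ignore-scripts
      # Fails only on advisories rated high or critical; lower severities are
      # reported by npm but do not fail the job.
      - name: Audit npm dependencies
        run: npm audit --workspaces --audit-level=high

      # --frozen: install from the existing lockfile without updating it.
      - name: Sync Python dependencies
        run: uv sync --project services/analysis-engine --group dev --frozen
      # pip-audit is pinned; --local limits the audit to the project
      # environment and --strict fails the run if any dependency cannot be
      # collected for auditing.
      - name: Audit Python dependencies
        run: uv run --project services/analysis-engine --with pip-audit==2.8.0 pip-audit --local --strict

      - name: Install stable Rust toolchain
        run: rustup toolchain install stable --profile minimal
      # NOTE(review): --locked pins cargo-audit's own dependencies to its
      # bundled Cargo.lock, but the cargo-audit release itself is not pinned,
      # unlike pip-audit and the actions above. Consider adding
      # `--version <PINNED_VERSION>` so the audit tool is reproducible.
      - name: Install cargo-audit
        run: cargo +stable install cargo-audit --locked
      - name: Audit Rust dependencies
        working-directory: apps/desktop/src-tauri
        run: cargo +stable audit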