From 5e0515858afe59cfa06b44a96082dc12a76f9462 Mon Sep 17 00:00:00 2001
From: Shamim Rehman
Date: Thu, 7 May 2026 13:02:07 -0400
Subject: [PATCH] Add Forge Python dependency audit gate

---
 .github/workflows/ci.yml | 22 ++++++++++++++++++++++
 tests/test_ci_workflow.py | 18 ++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 tests/test_ci_workflow.py

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ef9159b..0261a2e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [main]
 
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
@@ -29,3 +32,22 @@ jobs:
 
 - name: Test
 run: pytest tests/ -v
+
+ dependency-security:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.11"
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade "pip>=26.1"
+ python -m pip install -e ".[dev]"
+ python -m pip install pip-audit
+
+ - name: Run pip-audit
+ run: python -m pip_audit --progress-spinner off
diff --git a/tests/test_ci_workflow.py b/tests/test_ci_workflow.py
new file mode 100644
index 0000000..6faa938
--- /dev/null
+++ b/tests/test_ci_workflow.py
@@ -0,0 +1,18 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[1]
+CI_WORKFLOW = ROOT / ".github" / "workflows" / "ci.yml"
+
+
+def test_ci_workflow_has_dependency_security_gate() -> None:
+ workflow = CI_WORKFLOW.read_text()
+
+ assert "permissions:" in workflow
+ assert "contents: read" in workflow
+ assert "dependency-security:" in workflow
+ assert 'python -m pip install --upgrade "pip>=26.1"' in workflow
+ assert "python -m pip install pip-audit" in workflow
+ assert "python -m pip_audit --progress-spinner off" in workflow
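Review bot: The new `dependency-security` job fetches its own tooling at floating versions: `actions/checkout@v4` and `actions/setup-python@v5` are mutable tags, and `python -m pip install pip-audit` installs whatever pip-audit release is current at run time, so the gate meant to catch supply-chain drift is itself unpinned. Pin both actions to their full commit SHAs (keeping the tag in a trailing comment for readability) and pin the tool with `python -m pip install "pip-audit==<PINNED_VERSION>"`, so that a yanked or tampered release cannot silently change what the gate checks; the test added in the next hunk asserts the unpinned install string and would need to change in the same commit. A `timeout-minutes:` on the job is also worth adding, since pip-audit queries an external vulnerability service and a hung lookup would otherwise hold the runner until the default limit.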
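Review bot: The substring assertions at the end of `test_ci_workflow_has_dependency_security_gate` do not check structure: `"permissions:"` and `"contents: read"` would also be satisfied by a per-job permission block or a commented-out line, so the test cannot tell whether the top-level read-only token default added in the first hunk is actually in effect, and `"dependency-security:"` would match a key nested anywhere. If PyYAML is already among the dev dependencies (not visible in this diff), load the file with `yaml.safe_load` and assert `workflow["permissions"] == {"contents": "read"}` and `"dependency-security" in workflow["jobs"]`; otherwise at least anchor the matches on line starts. The exact-string checks on `"pip>=26.1"` and on the unpinned `pip install pip-audit` line couple the test to specific version strings, so every future pin bump must touch both files together. `CI_WORKFLOW.read_text()` should also pass `encoding="utf-8"` so the comparison does not depend on the runner's locale.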