Add Forge Python dependency audit gate

.github/workflows/ci.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -29,3 +32,22 @@ jobs:
 
       - name: Test
         run: pytest tests/ -v
+
+  dependency-security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade "pip>=26.1"
+          python -m pip install -e ".[dev]"
+          python -m pip install pip-audit
+
+      - name: Run pip-audit
+        run: python -m pip_audit --progress-spinner off

tests/test_ci_workflow.py

@@ -0,0 +1,18 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[1]
+CI_WORKFLOW = ROOT / ".github" / "workflows" / "ci.yml"
+
+
+def test_ci_workflow_has_dependency_security_gate() -> None:
+    workflow = CI_WORKFLOW.read_text()
+
+    assert "permissions:" in workflow
+    assert "contents: read" in workflow
+    assert "dependency-security:" in workflow
+    assert 'python -m pip install --upgrade "pip>=26.1"' in workflow
+    assert "python -m pip install pip-audit" in workflow
+    assert "python -m pip_audit --progress-spinner off" in workflow