pip-audit #14
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: pip-audit | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "0 12 * * 1" | |
| jobs: | |
| pip-audit: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| python-version: [ "3.8", "3.9", "3.10", "3.11", "3.12", "3.13" ] | |
| name: pip-audit python ${{ matrix.python-version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| cache: 'pip' | |
| cache-dependency-path: | | |
| requirements.txt | |
| architecture: x64 | |
| - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})' | |
| run: | | |
| python -mvenv /tmp/PIPAUDIT | |
| source /tmp/PIPAUDIT/bin/activate | |
| pip install --upgrade pip wheel | |
| pip install pip-audit | |
| # - name: 'Freeze Python ${{ matrix.python-version }} constraints' | |
| # run: | | |
| # pip freeze > constraints-${{ matrix.python-version }}.txt | |
| - id: gen-cve-output | |
| run: | | |
| source /tmp/PIPAUDIT/bin/activate | |
| set +e | |
| pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-before.md | |
| refreeze=$? | |
| set -e | |
| if [ "$refreeze" != 0 ] ; then | |
| deactivate | |
| python -mvenv /tmp/PIPFREEZE | |
| source /tmp/PIPFREEZE/bin/activate | |
| pip install --upgrade pip wheel | |
| pip install -r requirements.txt | |
| pip freeze > constraints-${{ matrix.python-version }}.txt | |
| # Re-audit the populated environment | |
| deactivate | |
| source /tmp/PIPAUDIT/bin/activate | |
| set +e | |
| pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-after.md | |
| auditres=$? | |
| set -e | |
| if [ "$auditres" = 0 ] ; then | |
| echo "# Fixed dependency issues for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md | |
| cat /tmp/report-before.md >> audit-report-${{ matrix.python-version }}.md | |
| else | |
| # Time to emit the report | |
| echo "# Dependency issues not solved for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md | |
| cat /tmp/report-after.md >> audit-report-${{ matrix.python-version }}.md | |
| fi | |
| cat audit-report-${{ matrix.python-version }}.md >> "$GITHUB_STEP_SUMMARY" | |
| fi | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: audit-${{ matrix.python-version }} | |
| retention-days: 2 | |
| path: | | |
| constraints-${{ matrix.python-version }}.txt | |
| audit-report-${{ matrix.python-version }}.md | |
| pip-audit-22_04: | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| matrix: | |
| python-version: [ "3.7" ] | |
| name: pip-audit python ${{ matrix.python-version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| cache: 'pip' | |
| cache-dependency-path: | | |
| requirements.txt | |
| architecture: x64 | |
| - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})' | |
| run: | | |
| python -mvenv /tmp/PIPAUDIT | |
| source /tmp/PIPAUDIT/bin/activate | |
| pip install --upgrade pip wheel | |
| pip install pip-audit | |
| # - name: 'Freeze Python ${{ matrix.python-version }} constraints' | |
| # run: | | |
| # pip freeze > constraints-${{ matrix.python-version }}.txt | |
| - id: gen-cve-output | |
| run: | | |
| source /tmp/PIPAUDIT/bin/activate | |
| set +e | |
| pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-before.md | |
| refreeze=$? | |
| set -e | |
| if [ "$refreeze" != 0 ] ; then | |
| deactivate | |
| python -mvenv /tmp/PIPFREEZE | |
| source /tmp/PIPFREEZE/bin/activate | |
| pip install --upgrade pip wheel | |
| pip install -r requirements.txt | |
| pip freeze > constraints-${{ matrix.python-version }}.txt | |
| # Re-audit the populated environment | |
| deactivate | |
| source /tmp/PIPAUDIT/bin/activate | |
| set +e | |
| pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-after.md | |
| auditres=$? | |
| set -e | |
| if [ "$auditres" = 0 ] ; then | |
| echo "# Fixed dependency issues for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md | |
| cat /tmp/report-before.md >> audit-report-${{ matrix.python-version }}.md | |
| else | |
| # Time to emit the report | |
| echo "# Dependency issues not solved for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md | |
| cat /tmp/report-after.md >> audit-report-${{ matrix.python-version }}.md | |
| fi | |
| cat audit-report-${{ matrix.python-version }}.md >> "$GITHUB_STEP_SUMMARY" | |
| fi | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: audit-${{ matrix.python-version }} | |
| retention-days: 2 | |
| path: | | |
| constraints-${{ matrix.python-version }}.txt | |
| audit-report-${{ matrix.python-version }}.md | |
| pull_request_changes: | |
| # Do this only when it is not a pull request validation | |
| if: github.event_name != 'pull_request' | |
| runs-on: ubuntu-latest | |
| name: Pull request with the newly generated contents | |
| needs: | |
| - pip-audit | |
| - pip-audit-22_04 | |
| steps: | |
| - name: Get analysis timestamp | |
| id: timestamp | |
| run: echo "timestamp=$(date -Is)" >> "$GITHUB_OUTPUT" | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| id: download | |
| with: | |
| pattern: audit-* | |
| merge-multiple: true | |
| path: changes-dir | |
| - name: Move artifacts to their right place | |
| id: move | |
| run: | | |
| skip=true | |
| if [ -d "${{steps.download.outputs.download-path}}" ] ; then | |
| for con in "${{steps.download.outputs.download-path}}"/constraints-*.txt ; do | |
| case "$con" in | |
| */constraints-\*.txt) | |
| break | |
| ;; | |
| *) | |
| cp -p "$con" . | |
| skip=false | |
| ;; | |
| esac | |
| done | |
| for aud in "${{steps.download.outputs.download-path}}"/audit-report*.md ; do | |
| case "$aud" in | |
| */audit-report-\*.md) | |
| break | |
| ;; | |
| *) | |
| cat "$aud" >> pull-body.md | |
| ;; | |
| esac | |
| done | |
| fi | |
| ls -l | |
| echo "skip=$skip" >> "$GITHUB_OUTPUT" | |
| - name: Create Pull Request | |
| id: cpr | |
| uses: peter-evans/create-pull-request@v7 | |
| if: steps.move.outputs.skip == 'false' | |
| with: | |
| title: Updated constraints due security reasons (triggered on ${{ steps.timestamp.outputs.timestamp }} by ${{ github.sha }}) | |
| branch: create-pull-request/patch-audit-constraints | |
| add-paths: constraints-*.txt | |
| delete-branch: true | |
| commit-message: "[create-pull-request] Automatically updated constraints due security reasons" | |
| body-path: pull-body.md | |
| - name: Check outputs | |
| if: ${{ steps.cpr.outputs.pull-request-number }} | |
| run: | | |
| echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" >> "$GITHUB_STEP_SUMMARY" | |
| echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" >> "$GITHUB_STEP_SUMMARY" |