diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index faa7b3018..543cabafa 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,20 +8,28 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - name: Pull package data
-        uses: actions/checkout@v4
-
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.12
-
-      - name: Setup up uv
-        run: curl -LsSf https://astral.sh/uv/0.4.5/install.sh | sh
+      - uses: astral-sh/setup-uv@v4
+      - uses: snyk/actions/setup@master
 
       - name: Build package
         run: uv build
 
+      - name: Export requirements for Snyk
+        run: |
+          uv pip compile pyproject.toml -o requirements.txt
+          pip3 install -r requirements.txt
+
+      - name: Snyk Scan
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor --command=python3 --skip-unresolved=true
+
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@v1.4.1
         with:
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index b50128ee9..be18d055d 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -20,15 +20,10 @@ jobs:
         - "3.12"
 
     steps:
-      - name: Pull package data
-        uses: actions/checkout@v4
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v4
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Setup up uv
-        run: curl -LsSf https://astral.sh/uv/0.4.5/install.sh | sh
 
       - name: Install dependencies
         run: uv sync --all-extras --dev
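Review bot: The two Snyk steps added here, `uses: snyk/actions/setup@master` and `uses: snyk/actions/node@master`, reference a mutable branch and the second one receives `SNYK_TOKEN`, so whatever that branch points to at run time executes with the secret inside the same job that publishes to PyPI a few lines later; pin both to a release tag or full commit SHA (`uses: snyk/actions/node@<pinned-tag-or-sha>`), and the same applies to the Snyk step in the security_tests hunk of testing.yml. The new `pip3 install -r requirements.txt` step also runs every dependency's install hooks on the publishing runner before `Publish to PyPI`, which widens what can tamper with the built artifact; since this commit already adds a Snyk scan to testing.yml, consider keeping only `monitor` here or moving it to a job that holds no publish credentials. `--skip-unresolved=true` silently drops packages Snyk cannot resolve, so the `monitor` snapshot may under-report; a comment on the step such as `# --skip-unresolved: unresolvable packages are omitted from the Snyk project, not flagged` would make that visible. The `with:` block of the publish step continues outside the hunk.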
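Review bot: `python-version: ${{ matrix.python-version }}` is now passed to `astral-sh/setup-uv@v4` after `actions/setup-python` was removed; confirm that the v4 line of setup-uv accepts a `python-version` input, because GitHub only warns on an unexpected action input and the matrix would then silently run on whatever interpreter uv resolves rather than the requested version. If it does, a comment above the step, `# setup-uv provisions the matrix interpreter; setup-python is not needed`, would spare the next reader the same check. The `Install dependencies` step and the rest of the job continue outside the hunk.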
@@ -49,17 +44,27 @@ jobs:
   security_tests:
     runs-on: ubuntu-latest
     steps:
-      - name: Pull package data
-        uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.8"
-      - name: Setup up uv
-        run: curl -LsSf https://astral.sh/uv/0.4.5/install.sh | sh
+      - uses: astral-sh/setup-up@v4
+
       - name: Run pip-audit
         run: |
           uv export --format requirements-txt | uv tool run pip-audit
+
       - name: Run Bandit code auditor
         run: uv tool run --with "bandit[toml,baseline,sarif]" bandit -c pyproject.toml -r . -ll
+
+      - name: Export & Install requirements to run Snyk
+        run: |
+          uv pip compile pyproject.toml -o requirements.txt
+          pip3 install -r requirements.txt
+
+      - name: Snyk Scan
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test --command=python3 --skip-unresolved=true
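Review bot: `uses: astral-sh/setup-up@v4` looks like a typo for `astral-sh/setup-uv@v4`, which is what the other two hunks in this commit use; as written the action reference will not resolve and the security_tests job fails before pip-audit or Bandit run, so the line should read `- uses: astral-sh/setup-uv@v4`. Separately, `pip3 install -r requirements.txt` installs into the runner's system Python while every other step in this job goes through uv-managed tools; that appears to be so the packages are importable by the `python3` passed via `--command`, and a one-line comment on the step saying so would explain why the job installs the dependency set twice.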