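name: Security audit

# Runs on every pull request (no paths-ignore) so dependency scans are not
# skipped when the main CI workflow is skipped for docs-only changes.
on:
  pull_request:
  workflow_dispatch:

# Workflow-level default: no GITHUB_TOKEN permissions at all. Each job grants
# only what it needs, so a job added later without its own `permissions:`
# block inherits nothing instead of the repository's default token scope.
permissions: {}

# One run per ref; a newer push to the same PR cancels the older audit.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  pip-audit:
    permissions:
      contents: read  # needed for checkout only; the job never writes to the repo
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config where later steps could read it.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
        with:
          python-version: "3.13"

      # Cache keyed on the two lock files; falls back to older pip-audit caches,
      # then to any uv cache for this OS.
      - name: Cache uv
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: ~/.cache/uv
          key: ${{ runner.os }}-uv-pip-audit-${{ hashFiles('requirements.lock', 'requirements-dev.lock') }}
          restore-keys: |
            ${{ runner.os }}-uv-pip-audit-
            ${{ runner.os }}-uv-

      - name: Dependency audit (pip-audit)
        # NOTE(review): pip-audit itself is installed from PyPI by version range,
        # not by an exact pin or hash, so the auditor is an unpinned dependency
        # of the audit. Auditing a requirements file also resolves it through a
        # temporary install, which can execute build steps of the listed
        # packages for a PR-supplied lock file. The job holds no secrets and a
        # read-only token, which bounds the blast radius; if the lock files are
        # fully pinned with hashes, `--require-hashes` / `--no-deps` avoid the
        # resolution step — confirm against the pip-audit version in use.
        run: |
          uv venv
          uv pip install "pip-audit>=2.10,<3"
          uv run pip-audit --desc on -r requirements.lock -r requirements-dev.lock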