From bf9396a47d7237b7c67efefd82002cb768f0531c Mon Sep 17 00:00:00 2001
From: deacon-mp <61169193+deacon-mp@users.noreply.github.com>
Date: Mon, 18 May 2026 10:09:47 -0400
Subject: [PATCH] ci: add .safety-policy.yml and use --policy-file in tox safety env

safety 3.x CLI auto-looks for a .safety-policy.yml in cwd even when ignores are passed inline. Without the file, `safety check` errors with "Invalid value for '--policy-file': Policy file YAML is not valid / No such file or directory: '.safety-policy.yml'". Add an empty policy file and pass --policy-file explicitly to keep CI runs deterministic.

The existing 39642 / 39659 ignores stay on the CLI so they remain visible in workflow output.

This unblocks the Security Checks workflow on master.
---
 .safety-policy.yml | 6 ++++++
 tox.ini | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 .safety-policy.yml

diff --git a/.safety-policy.yml b/.safety-policy.yml
new file mode 100644
index 000000000..dcba87b21
--- /dev/null
+++ b/.safety-policy.yml
@@ -0,0 +1,6 @@
+# Safety policy file for `safety check`.
+# Required by safety 3.x — the CLI looks for this file in cwd even when
+# --ignore is passed inline. Ignores are kept on the tox command line
+# (see tox.ini [testenv:safety]) so they stay visible in CI output.
+security:
+ ignore-vulnerabilities: {}
diff --git a/tox.ini b/tox.ini
index 1962eec90..06d7cc727 100644
--- a/tox.ini
+++ b/tox.ini
@@ -62,8 +62,8 @@ deps =
 skip_install = true
 whitelist_externals=find
 commands =
- safety check -r requirements.txt --ignore 39642 --ignore 39659
- safety check -r requirements-dev.txt
+ safety check -r requirements.txt --policy-file .safety-policy.yml --ignore 39642 --ignore 39659
+ safety check -r requirements-dev.txt --policy-file .safety-policy.yml
 
 [testenv:bandit]
 deps =
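Review bot: The new `ignore-vulnerabilities: {}` map is left empty while the two suppressed IDs, 39642 and 39659, exist only as `--ignore` flags on the tox command line, and a CLI ignore carries no reason and never expires. The legacy `security:` policy format this file uses accepts per-ID `reason` and `expires` entries, e.g. `39642:` / `reason: <why this finding is accepted — fill in>` / `expires: '<YYYY-MM-DD>'`, which documents the exception in the repo and makes the check fail again once the review date passes, so the suppression cannot quietly outlive the reason for it. If the IDs are to stay on the CLI for output visibility as the commit message says, a comment in this file naming both IDs and pointing at the ticket or rationale behind them would at least stop the empty map from reading as "no known exceptions".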
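Review bot: `--policy-file .safety-policy.yml` on both added `safety check` lines is resolved against the working directory of the command, which is the project root only as long as `[testenv:safety]` sets no `changedir` and the workflow invokes tox from the checkout root; the section header is outside the hunk, so neither can be confirmed here. Anchoring the path with tox's own substitution, `--policy-file {toxinidir}/.safety-policy.yml`, removes that dependence on cwd and keeps the run deterministic, which is the stated goal of the change. A short comment above `commands =` explaining that the policy file is passed only because safety 3.x requires one, and that the real ignores are the `--ignore` flags, would also keep a future reader from looking in the YAML file for the suppression list.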