Address latest security workflow review

Author: PascalThuet

.github/workflows/security.yml

@@ -13,24 +13,29 @@ on:
 
 jobs:
   dependency-audit:
-    name: Dependency audit
-    runs-on: ubuntu-latest
+    name: Dependency audit (${{ matrix.os }}, Python ${{ matrix.python-version }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        python-version: ["3.11", "3.12", "3.13"]
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Install uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 
-      - name: Set up Python
+      - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
-          python-version: "3.13"
+          python-version: ${{ matrix.python-version }}
 
       - name: Run pip-audit
         run: |
-          uv pip compile pyproject.toml --extra test --quiet --output-file /tmp/spec-kit-audit-requirements.txt
-          uvx --from pip-audit==2.10.0 pip-audit -r /tmp/spec-kit-audit-requirements.txt --progress-spinner off
+          uv pip compile pyproject.toml --extra test --python-version "${{ matrix.python-version }}" --generate-hashes --quiet --output-file "${{ runner.temp }}/spec-kit-audit-requirements.txt"
+          uvx --from pip-audit==2.10.0 pip-audit --disable-pip --require-hashes -r "${{ runner.temp }}/spec-kit-audit-requirements.txt" --progress-spinner off
 
   static-analysis:
     name: Static analysis

CONTRIBUTING.md

@@ -84,12 +84,12 @@ Run this when you change agent metadata, context update scripts, or integration
 #### Security checks
 
 ```bash
-uv pip compile pyproject.toml --extra test --quiet --output-file /tmp/spec-kit-audit-requirements.txt
-uvx --from pip-audit==2.10.0 pip-audit -r /tmp/spec-kit-audit-requirements.txt --progress-spinner off
+uv pip compile pyproject.toml --extra test --generate-hashes --quiet --output-file spec-kit-audit-requirements.txt
+uvx --from pip-audit==2.10.0 pip-audit --disable-pip --require-hashes -r spec-kit-audit-requirements.txt --progress-spinner off
 uvx --from bandit==1.9.4 bandit -r src -lll --baseline .github/bandit-baseline.json
 ```
 
-Run these before changing dependency metadata, workflow execution code, subprocess usage, or security-sensitive paths. The dependency audit resolves the runtime and `test` extra dependency set used by CI and contributors.
+Run these before changing dependency metadata, workflow execution code, subprocess usage, or security-sensitive paths. The dependency audit resolves the runtime and `test` extra dependency set used by CI and contributors. CI runs the dependency audit across the supported Python and OS matrix; locally, run these commands from the environment you want to reproduce.
 
 ### Manual testing
 

tests/test_security_workflow.py

@@ -15,14 +15,24 @@
 CONTRIBUTING = REPO_ROOT / "CONTRIBUTING.md"
 BANDIT_BASELINE = REPO_ROOT / ".github" / "bandit-baseline.json"
 
-AUDIT_REQUIREMENTS = "/tmp/spec-kit-audit-requirements.txt"
-COMPILE_TEST_EXTRA_DEPS = (
-    "uv pip compile pyproject.toml --extra test --quiet "
-    f"--output-file {AUDIT_REQUIREMENTS}"
+WORKFLOW_AUDIT_REQUIREMENTS = '"${{ runner.temp }}/spec-kit-audit-requirements.txt"'
+LOCAL_AUDIT_REQUIREMENTS = "spec-kit-audit-requirements.txt"
+WORKFLOW_COMPILE_TEST_EXTRA_DEPS = (
+    "uv pip compile pyproject.toml --extra test "
+    '--python-version "${{ matrix.python-version }}" --generate-hashes --quiet '
+    f"--output-file {WORKFLOW_AUDIT_REQUIREMENTS}"
 )
-PIP_AUDIT = (
-    "uvx --from pip-audit==2.10.0 pip-audit "
-    f"-r {AUDIT_REQUIREMENTS} --progress-spinner off"
+LOCAL_COMPILE_TEST_EXTRA_DEPS = (
+    "uv pip compile pyproject.toml --extra test --generate-hashes --quiet "
+    f"--output-file {LOCAL_AUDIT_REQUIREMENTS}"
+)
+WORKFLOW_PIP_AUDIT = (
+    "uvx --from pip-audit==2.10.0 pip-audit --disable-pip --require-hashes "
+    f"-r {WORKFLOW_AUDIT_REQUIREMENTS} --progress-spinner off"
+)
+LOCAL_PIP_AUDIT = (
+    "uvx --from pip-audit==2.10.0 pip-audit --disable-pip --require-hashes "
+    f"-r {LOCAL_AUDIT_REQUIREMENTS} --progress-spinner off"
 )
 BANDIT = (
     "uvx --from bandit==1.9.4 bandit -r src -lll "
@@ -45,25 +55,52 @@ def _step_run(job_name: str, step_name: str) -> str:
 class TestSecurityWorkflow:
     """Guard the security workflow against review-feedback regressions."""
 
-    def test_dependency_audit_compiles_test_extra_requirements_without_lockfile(self):
+    def test_dependency_audit_compiles_test_extra_requirements(self):
         run = _step_run("dependency-audit", "Run pip-audit")
 
-        assert COMPILE_TEST_EXTRA_DEPS in run
-        assert PIP_AUDIT in run
+        assert WORKFLOW_COMPILE_TEST_EXTRA_DEPS in run
+        assert WORKFLOW_PIP_AUDIT in run
+        assert "--generate-hashes" in run
+        assert "--require-hashes" in run
+        assert "--disable-pip" in run
+        assert "${{ runner.temp }}" in run
         assert "uv export" not in run
         assert "--frozen" not in run
         assert "--locked" not in run
         assert "uv.lock" not in run
+        assert "/tmp/" not in run
         assert "uvx pip-audit ." not in run
 
+    def test_dependency_audit_runs_supported_python_os_matrix(self):
+        workflow = _load_security_workflow()
+        matrix = workflow["jobs"]["dependency-audit"]["strategy"]["matrix"]
+
+        assert matrix["os"] == ["ubuntu-latest", "windows-latest"]
+        assert matrix["python-version"] == ["3.11", "3.12", "3.13"]
+        assert workflow["jobs"]["dependency-audit"]["runs-on"] == "${{ matrix.os }}"
+
     def test_security_tools_are_pinned(self):
         workflow_text = SECURITY_WORKFLOW.read_text(encoding="utf-8")
 
-        assert PIP_AUDIT in workflow_text
+        assert WORKFLOW_PIP_AUDIT in workflow_text
         assert BANDIT in workflow_text
         assert re.search(r"\buvx\s+pip-audit\b", workflow_text) is None
         assert re.search(r"\buvx\s+bandit\b", workflow_text) is None
 
+    def test_actions_are_pinned_to_full_commit_shas(self):
+        workflow = _load_security_workflow()
+        uses_refs = [
+            step["uses"]
+            for job in workflow["jobs"].values()
+            for step in job["steps"]
+            if "uses" in step
+        ]
+
+        assert uses_refs
+        for uses_ref in uses_refs:
+            assert re.search(r"@[0-9a-f]{40}$", uses_ref), uses_ref
+            assert re.search(r"@v\d+", uses_ref) is None
+
     def test_bandit_does_not_globally_skip_b602(self):
         run = _step_run("static-analysis", "Run Bandit")
         workflow_text = SECURITY_WORKFLOW.read_text(encoding="utf-8")
@@ -84,13 +121,17 @@ def test_bandit_baseline_only_ignores_shell_step_b602(self):
             == "src/specify_cli/workflows/steps/shell/__init__.py"
         )
 
-    def test_b602_is_not_suppressed_in_source(self):
-        source_text = "\n".join(
-            path.read_text(encoding="utf-8")
-            for path in (REPO_ROOT / "src").rglob("*.py")
-        )
+    def test_bandit_nosec_is_not_suppressed_in_source(self):
+        nosec_lines = []
+        for path in (REPO_ROOT / "src").rglob("*.py"):
+            for line_number, line in enumerate(
+                path.read_text(encoding="utf-8").splitlines(),
+                start=1,
+            ):
+                if re.search(r"#\s*nosec\b", line, flags=re.IGNORECASE):
+                    nosec_lines.append(f"{path.relative_to(REPO_ROOT)}:{line_number}")
 
-        assert "# nosec B602" not in source_text
+        assert nosec_lines == []
 
     def test_run_command_rejects_shell_true(self):
         from specify_cli import run_command
@@ -101,9 +142,10 @@ def test_run_command_rejects_shell_true(self):
     def test_contributing_documents_security_commands(self):
         contributing_text = CONTRIBUTING.read_text(encoding="utf-8")
 
-        assert COMPILE_TEST_EXTRA_DEPS in contributing_text
-        assert PIP_AUDIT in contributing_text
+        assert LOCAL_COMPILE_TEST_EXTRA_DEPS in contributing_text
+        assert LOCAL_PIP_AUDIT in contributing_text
         assert BANDIT in contributing_text
+        assert "/tmp/" not in contributing_text
         assert "uv export" not in contributing_text
         assert "--frozen" not in contributing_text
         assert "--locked" not in contributing_text