ci: add dependency audit workflow#3138
Open
PascalThuet wants to merge 2 commits into
Open
Conversation
Add a Security Audit workflow with a dependency-audit job. Push/PR/manual runs pip-audit against a committed --generate-hashes requirements snapshot (.github/security-audit-requirements.txt) for deterministic CI, while the weekly scheduled run resolves the runtime + test dependency set live across the supported Python/OS matrix to surface newly published advisories. A sync gate (.github/scripts/check_security_requirements.py) fails PRs whose dependency inputs changed without refreshing the committed snapshot, so the committed file can't silently drift from pyproject.toml.
Assisted-by: Codex (model: GPT-5, autonomous)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Part of splitting #2442 into smaller, dedicated PRs. This is the original #2438 ask — the dependency-audit workflow — re-derived against current
main.What
.github/workflows/security.ymlwith dependency-audit coverage split by trigger:dependency-auditjob audits the committed.github/security-audit-requirements.txtsnapshot withpip-audit --require-hashes.dependency-audit-scheduledcompiles the runtime +testdependency set live per(os, python)matrix entry (ubuntu/windows× 3.11/3.12/3.13) and audits that, to catch newly published advisories the committed snapshot wouldn't..github/scripts/check_security_requirements.py: a sync gate that fails a PR which changedpyproject.toml(or the snapshot) without regenerating the committed requirements..github/security-audit-requirements.txt: the committed--universal --generate-hashessnapshot (generated against currentmain).tests/test_security_workflow.py: static guards for the jobs, matrix, pins, hashed snapshot, and the sync script. Triggers are asserted by inclusion so the follow-up baseline-gate PR can addlabeled/unlabeledwithout rewriting the test.CONTRIBUTING.md: a "Security checks" subsection documenting the local commands.Why
Gives CI a deterministic dependency-advisory signal on every PR plus a live scheduled sweep, without a lockfile or redundant PR matrix runs.
Validation
tests/test_security_workflow.py— 12 passed.uvx ruff check .github/scripts/check_security_requirements.py tests/test_security_workflow.pyis clean.pip-audit --require-hashesagainst the committed snapshot reports no known vulnerabilities.uv pip compile ... --no-headeris byte-identical to the committed snapshot (sync gate passes).actions/checkoutaligned to the repo-standard9c091bb... # v7.0.0).Bandit + secret-scan gates are deliberately not here — they come in a follow-up PR so each gate reviews on its own. Independent of the other split PRs.
Disclosure: Updated on behalf of @PascalThuet by Codex (model: GPT-5, autonomous).