holiday-peak-hub/.github/workflows/dependency-audit.yml at a32be065dd46467714dd5a3702485a40ecd37a0a · Azure-Samples/holiday-peak-hub · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
name: dependency-audit

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
    paths:
      - lib/**
      - apps/**
      - pyproject.toml
      - .github/workflows/dependency-audit.yml

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - name: Set up uv
        uses: astral-sh/setup-uv@v5
      - name: Install audit toolchain
        run: |
          uv pip install --system pip-audit "black[jupyter]>=26.3.1"
      - name: Install lib
        run: uv pip install --system -e ./lib/src
      - name: Install apps
        run: |
          set -e
          for d in apps/*/src; do
            if [ -f "$d/pyproject.toml" ]; then
              uv pip install --system --prerelease=allow -e "$d"
            else
              echo "Skipping $d (no pyproject.toml)"
            fi
          done
      - name: Run pip-audit (Wave0)
        run: |
          python -m pip_audit --skip-editable --ignore-vuln CVE-2024-23342 || true
      - name: Export pip-audit report
        if: always()
        run: |
          python -m pip_audit --skip-editable --format=json --ignore-vuln CVE-2024-23342 > pip-audit-report.json || true
      - name: Upload pip-audit report artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: pip-audit-report
          path: pip-audit-report.json

  yarn-audit:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: apps/ui
    steps:
      - uses: actions/checkout@v4
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22'
      - name: Install frontend dependencies
        run: yarn install --frozen-lockfile
      - name: Run yarn audit (critical gate)
        run: |
          yarn audit --json > yarn-audit.json || true
          node -e "const fs=require('fs'); const lines=fs.readFileSync('yarn-audit.json','utf8').split(/\r?\n/).filter(Boolean); let critical=0; for (const line of lines){ try{const obj=JSON.parse(line); if(obj.type==='auditAdvisory'){const sev=(obj.data.advisory.severity||'').toLowerCase(); if(sev==='critical') critical++; }}catch(_){} } console.log('Yarn advisories => critical='+critical); process.exit(critical>0?1:0);"