Fix ci #15
Workflow file for this run
```yaml
name: Security Scan

on:
  push:
  pull_request:
  schedule:
    - cron: '0 0 * * 0' # Weekly

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Use the same Python that your project targets
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'

      - name: Install Poetry
        run: |
          pipx install poetry
          poetry --version

      # Install project deps in Poetry venv (dev group included so scanners are available)
      - name: Install dependencies with Poetry
        run: |
          poetry install --with dev --no-interaction --no-ansi

      # --- Bandit: run in the project venv, tune failure level if desired ---
      - name: Bandit (security linter)
        run: |
          poetry run bandit -r min_ratio_cycle/ --severity-level medium --confidence-level high

      # OPTION A: Safety scans the *installed* packages inside your Poetry venv
      - name: Safety (scan installed env)
        run: |
          poetry run pip install --upgrade safety
          poetry run safety check --full-report

      # Assumes requirements.txt is already committed to the repo (for example, produced
      # by `poetry export`); no step in this workflow generates it.
      - name: pip-audit (scan exported requirements, not global env)
        run: |
          pipx install pip-audit
          pip-audit -r requirements.txt --strict
```