1313 steps :
1414 - uses : actions/checkout@v4
1515
16- # Use the same Python that your project targets
16+ # Match your project target
1717 - name : Set up Python
1818 uses : actions/setup-python@v5
1919 with :
@@ -24,23 +24,38 @@ jobs:
2424 pipx install poetry
2525 poetry --version
2626
27- # Install project deps in Poetry venv (dev group included so scanners are available)
27+ # (Optional) cache to speed up installs
28+ - name : Cache Poetry
29+ uses : actions/cache@v4
30+ with :
31+ path : |
32+ ~/.cache/pypoetry
33+ ~/.local/share/pypoetry
34+ key : ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }}
35+ restore-keys : ${{ runner.os }}-poetry-
36+
37+ # Install your project + dev tools in the Poetry venv
2838 - name : Install dependencies with Poetry
2939 run : |
3040 poetry install --with dev --no-interaction --no-ansi
3141
32- # --- Bandit: run in the project venv, tune failure level if desired ---
42+ # Keep the venv's tooling up to date (reduces false positives)
43+ - name : Update security tooling in venv
44+ run : |
45+ poetry run python -m pip install --upgrade pip setuptools wheel
46+ poetry run python -m pip install --upgrade safety pip-audit
47+
48+ # Bandit scans your source tree
3349 - name : Bandit (security linter)
3450 run : |
3551 poetry run bandit -r min_ratio_cycle/ --severity-level medium --confidence-level high
3652
37- # OPTION A: Safety scans the * installed* packages inside your Poetry venv
53+ # Safety scans the installed packages in the Poetry venv
3854 - name : Safety (scan installed env)
3955 run : |
40- poetry run pip install --upgrade safety
4156 poetry run safety check --full-report
4257
43- - name : pip-audit (scan exported requirements, not global env)
58+ # pip-audit scans the installed packages in the Poetry venv
59+ - name : pip-audit (strict)
4460 run : |
45- pipx install pip-audit
46- pip-audit -r requirements.txt --strict
61+ poetry run pip-audit --strict
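Review bot: The new "Update security tooling in venv" step (new-side lines 43-46) runs `pip install --upgrade safety pip-audit` with no version pin or hash, so every run pulls whatever is latest on PyPI straight into the environment that the Safety and pip-audit steps then scan; poetry.lock is bypassed for exactly the tools this pipeline trusts most, and pip may also upgrade shared transitive dependencies, so the audited environment no longer matches the locked one. Prefer declaring `safety` and `pip-audit` in the project's dev group so `poetry install --with dev` installs lock-pinned versions, drop this step entirely, and bump the scanners through a normal lockfile update when newer advisories or fixes are needed. If they must stay outside the lock, install them with `pipx install safety pip-audit` so they never touch the scanned venv. Separately, `safety check` is deprecated in recent Safety releases in favour of `safety scan`, which presumably needs an API key supplied as a repository secret — confirm which command the installed version accepts before relying on this step. The newly added `actions/cache@v4` (like the other actions here) is pinned to a mutable major tag; pinning to a full commit SHA with the tag as a trailing comment is the usual hardening for a security workflow.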