chore(deps-dev): update setuptools requirement from >=61.0 to >=82.0.1 #30
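name: Security Scanning

on:
  pull_request:
    branches: [dev, main]
  push:
    branches: [dev, main]
  schedule:
    # Run weekly on Mondays at 00:00 UTC so newly published CodeQL queries
    # and advisories are applied even when no code has changed.
    - cron: '0 0 * * 1'

# Least privilege: the GITHUB_TOKEN handed to every job is read-only by default.
# Only the CodeQL job needs to write to the Security tab, so it requests that
# scope at job level instead of every job inheriting it.
permissions:
  contents: read

jobs:
  codeql-analysis:
    name: CodeQL Security Analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required to upload SARIF results to the Security tab.
      security-events: write
      # Required by the CodeQL action to read workflow metadata.
      actions: read
    steps:
      - name: Checkout code
        # NOTE(review): major-version tags are mutable; pinning third-party actions to a
        # full commit SHA rules out tag re-pointing in the supply chain. No SHA is chosen
        # here because none is on record for this repository.
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python
          queries: security-extended,security-and-quality
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"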
| secret-scanning: | |
| name: Secret Scanning | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Full history for comprehensive scanning | |
| - name: TruffleHog secret scan | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| head: HEAD | |
| extra_args: --only-verified | |
| - name: Check for hardcoded credentials | |
| run: | | |
| echo "Checking for common credential patterns..." | |
| # Check for API keys | |
| if grep -rE "(api[_-]?key|apikey|api[_-]?secret)" --include="*.py" --include="*.yml" --include="*.yaml" app-store-optimization/ .github/ scripts/ 2>/dev/null | grep -v "# " | grep -v "PLACEHOLDER" | grep -v "YOUR_API_KEY"; then | |
| echo "⚠️ WARNING: Potential API key references found" | |
| echo "Please verify these are not hardcoded credentials" | |
| fi | |
| # Check for tokens | |
| if grep -rE "(token|bearer|oauth)" --include="*.py" --include="*.yml" app-store-optimization/ .github/ scripts/ 2>/dev/null | grep -v "# " | grep -v "PLACEHOLDER" | grep -v "YOUR_TOKEN" | grep -v "CLAUDE_CODE_OAUTH_TOKEN" | grep -v "CLAUDE_API_KEY"; then | |
| echo "⚠️ WARNING: Potential token references found" | |
| echo "Please verify these are references to environment variables, not hardcoded values" | |
| fi | |
| echo "✅ Secret scanning completed" | |
| dependency-security: | |
| name: Dependency Security Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.13' | |
| - name: Check for dependency files | |
| id: check-deps | |
| run: | | |
| if [ -f "requirements.txt" ] || [ -f "pyproject.toml" ]; then | |
| echo "has_deps=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_deps=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Install safety | |
| if: steps.check-deps.outputs.has_deps == 'true' | |
| run: pip install safety | |
| - name: Run safety check | |
| if: steps.check-deps.outputs.has_deps == 'true' | |
| run: | | |
| if [ -f "requirements.txt" ]; then | |
| safety check --file requirements.txt | |
| else | |
| echo "✅ No requirements.txt found, skipping safety check" | |
| fi | |
| - name: Validate no external dependencies | |
| run: | | |
| echo "Validating ASO skill uses only Python standard library..." | |
| # Check for import statements that might indicate external deps | |
| external_imports=$(grep -rh "^import\|^from" app-store-optimization/*.py | \ | |
| grep -v "^import \(typing\|re\|collections\|json\|urllib\|datetime\|random\|math\|statistics\|os\|sys\)" | \ | |
| grep -v "^from \(typing\|urllib\)" | \ | |
| grep -v "^from \." || true) | |
| if [ -n "$external_imports" ]; then | |
| echo "⚠️ WARNING: Potential external dependencies found:" | |
| echo "$external_imports" | |
| echo "" | |
| echo "ASO skill should use only Python standard library" | |
| echo "If these are standard library imports, please update this check" | |
| else | |
| echo "✅ No external dependencies detected" | |
| fi | |
| security-summary: | |
| name: Security Summary | |
| runs-on: ubuntu-latest | |
| needs: [codeql-analysis, secret-scanning, dependency-security] | |
| if: always() | |
| steps: | |
| - name: Check security status | |
| run: | | |
| codeql_status="${{ needs.codeql-analysis.result }}" | |
| secret_status="${{ needs.secret-scanning.result }}" | |
| deps_status="${{ needs.dependency-security.result }}" | |
| echo "Security Scan Results:" | |
| echo "- CodeQL Analysis: $codeql_status" | |
| echo "- Secret Scanning: $secret_status" | |
| echo "- Dependency Security: $deps_status" | |
| echo "" | |
| if [ "$codeql_status" == "success" ] && [ "$secret_status" == "success" ] && [ "$deps_status" == "success" ]; then | |
| echo "✅ All security checks passed" | |
| exit 0 | |
| else | |
| echo "❌ Security checks failed - please review above" | |
| exit 1 | |
| fi |