AAP-64830: fixes CVE-2026-1207, CVE-2026-1287, CVE-2026-1312. (#1834) #5076
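---
# Dependency audit for the service: installs the project into a virtualenv
# and runs pip-audit against that environment on pushes and pull requests
# to main that touch the code or its dependency manifests.
name: wisdom-service - pip-audit

on:
  push:
    # tags:
    #   - v*
    branches:
      - main
    paths:
      - .github/workflows/pip_audit.yml
      - ansible_ai_connect/**
      - pyproject.toml
      - uv.lock
      - requirements.txt
  pull_request:
    branches:
      - main
    paths:
      - .github/workflows/pip_audit.yml
      - ansible_ai_connect/**
      - pyproject.toml
      - uv.lock
      - requirements.txt

# Least privilege: the workflow token only needs to read the repository.
permissions:
  contents: read

jobs:
  selftest:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are referenced by mutable tags;
      # pinning each `uses:` to a full commit SHA would keep a retagged
      # release from changing what runs here.
      - uses: actions/checkout@v4
      # No matrix is defined in this job, so the step name states the
      # version directly instead of interpolating matrix.python-version.
      - name: Set up Python 3.12
        uses: actions/setup-python@v4
        with:
          # Quoted so the version is always read as a string, never a float.
          python-version: '3.12'
      - name: install
        run: |
          python -m venv env/
          source env/bin/activate
          python -m pip install --upgrade pip
          python -m pip install -r requirements.txt
          python -m pip install -e .
          # See: https://github.com/advisories/GHSA-r9hx-vwmv-q579
          pip install --upgrade setuptools
      - name: Create CA symlink to use RH's certifi on ubuntu-latest
        run: |
          sudo mkdir -p /etc/pki/tls/certs
          sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
      - uses: pypa/gh-action-pip-audit@v1.0.8
        with:
          # The audit covers what is installed in env/, i.e. the result of
          # the install step above (including the upgraded pip/setuptools).
          virtual-environment: env/
          # Each ID listed here is suppressed from the audit result, so every
          # entry should carry a reason and a removal condition and be
          # re-checked whenever the related dependency is bumped.
          # NOTE(review): the first comment in the list speaks of "two"
          # entries, but three IDs follow it before the next rationale;
          # confirm which advisories the ansible-core upgrade retires and
          # give the remaining one its own justification.
          # NOTE(review): the '#' lines inside this block scalar are part of
          # the input value handed to the action, not YAML comments; confirm
          # the action version in use tolerates them.
          ignore-vulns: |
            # to remove the two following entries once we move to ansible-core >= 2.15.13
            # See: https://github.com/advisories/GHSA-32p4-gm2c-wmch
            GHSA-32p4-gm2c-wmch
            GHSA-jpxc-vmjf-9fcj
            GHSA-99w6-3xph-cx78
            # To remove once we can install cryptography 44.0.1
            # See: https://github.com/ansible/ansible-ai-connect-service/pull/1530
            GHSA-79v4-65xg-pq4g
            # See don't use any .netrc
            GHSA-9hjg-9r4m-mvj7
            # We don't use urllib3 from Node.js
            GHSA-pq67-6m6q-mj2v
            # We don't use urllib3 from Node.js
            GHSA-48p4-8xcf-vxj5
            # pip 25.3 is not released yet
            # See: https://github.com/advisories/GHSA-4xh5-x5gv-qwph
            GHSA-4xh5-x5gv-qwph
            # To remove once we upgrade to Django 5+ (requires major version upgrade)
            # social-auth-app-django vulnerability requires Django>=5.1
            GHSA-wv4w-6qv2-qqfg
            # To remove once protobuf releases a patched version for CVE-2026-0994
            # DoS vulnerability in protobuf json_format.ParseDict() - no fix available yet
            # See: https://github.com/advisories/GHSA-7gcm-g887-7qv7
            GHSA-7gcm-g887-7qv7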