tessap/.github/workflows/pip-audit.yml at da3ecc5d2f7c1527e48419275735e146cd14b0f0 · inab/tessap · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
name: pip-audit

on:
  workflow_dispatch:
  schedule:
    - cron: "0 12 * * 1"

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: [ "3.10", "3.11", "3.12", "3.13" ]
    name: pip-audit python ${{ matrix.python-version }}
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-python@v6
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'pip'
          cache-dependency-path: |
            requirements.txt
          architecture: x64
      - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})'
        run: |
          python -mvenv /tmp/PIPAUDIT
          source /tmp/PIPAUDIT/bin/activate
          pip install --upgrade pip wheel
          pip install pip-audit
#      - name: 'Freeze Python ${{ matrix.python-version }} constraints'
#        run: |
#          pip freeze > constraints-${{ matrix.python-version }}.txt
      - id: gen-cve-output
        run: |
          source /tmp/PIPAUDIT/bin/activate
          set +e
          pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-before.md
          refreeze=$?
          set -e

          if [ "$refreeze" != 0 ] ; then
            deactivate
            python -mvenv /tmp/PIPFREEZE
            source /tmp/PIPFREEZE/bin/activate
            pip install --upgrade pip wheel
            pip install -r requirements.txt
            pip freeze > constraints-${{ matrix.python-version }}.txt

            # Re-audit the populated environment
            deactivate
            source /tmp/PIPAUDIT/bin/activate
            set +e
            pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-after.md
            auditres=$?
            set -e

            if [ "$auditres" = 0 ] ; then
              echo "# Fixed dependency issues for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md
              cat /tmp/report-before.md >> audit-report-${{ matrix.python-version }}.md
            else
              # Time to emit the report
              echo "# Dependency issues not solved for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md
              cat /tmp/report-after.md >> audit-report-${{ matrix.python-version }}.md
            fi
            cat audit-report-${{ matrix.python-version }}.md >> "$GITHUB_STEP_SUMMARY"
          fi
      - uses: actions/upload-artifact@v5
        with:
          name: audit-${{ matrix.python-version }}
          retention-days: 2
          path: |
            constraints-${{ matrix.python-version }}.txt
            audit-report-${{ matrix.python-version }}.md

  pull_request_changes:
    # Do this only when it is not a pull request validation
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    name: Pull request with the newly generated contents
    needs:
      - pip-audit
    steps:
      - name: Get analysis timestamp
        id: timestamp
        run: echo "timestamp=$(date -Is)" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@v5
      - uses: actions/download-artifact@v6
        id: download
        with:
          pattern: audit-*
          merge-multiple: true
          path: changes-dir
      - name: Move artifacts to their right place
        id: move
        run: |
          skip=true
          if [ -d "${{steps.download.outputs.download-path}}" ] ; then
            for con in "${{steps.download.outputs.download-path}}"/constraints-*.txt ; do
              case "$con" in
                */constraints-\*.txt)
                  break
                  ;;
                *)
                  cp -p "$con" .
                  skip=false
                  ;;
              esac
            done
            for aud in "${{steps.download.outputs.download-path}}"/audit-report-*.md ; do
              case "$aud" in
                */audit-report-\*.md)
                  touch pull-body.md
                  break
                  ;;
                *)
                  cat "$aud" >> pull-body.md
                  ;;
              esac
            done
          fi
          ls -l
          echo "skip=$skip" >> "$GITHUB_OUTPUT"
      - name: Create Pull Request
        id: cpr
        uses: peter-evans/create-pull-request@v7
        if: steps.move.outputs.skip == 'false'
        with:
          title: Updated constraints due security reasons (triggered on ${{ steps.timestamp.outputs.timestamp }} by ${{ github.sha }})
          branch: create-pull-request/patch-audit-constraints
          add-paths: constraints-*.txt
          delete-branch: true
          commit-message: "[create-pull-request] Automatically updated constraints due security reasons"
          body-path: pull-body.md
      - name: Check outputs
        if: ${{ steps.cpr.outputs.pull-request-number }}
        run: |
          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" >> "$GITHUB_STEP_SUMMARY"
          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" >> "$GITHUB_STEP_SUMMARY"