
feat: add Helm chart #448

feat: add Helm chart


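# Audit Python dependencies for known vulnerabilities (pip-audit).
# Runs on push/PR to master and dev; fails if any CVEs are found.
name: Security audit

on:  # yamllint disable-line rule:truthy
  push:
    branches: [master, dev]
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - 'iam-proxy-italia-project/static/**'
      - 'Docker-compose/nginx/html/static/**'
  pull_request:
    branches: [master, dev]
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - 'iam-proxy-italia-project/static/**'
      - 'Docker-compose/nginx/html/static/**'

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository, so the default token only needs to read contents. Jobs that
# need more widen it explicitly below.
permissions:
  contents: read

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'

jobs:
  pre_job:
    runs-on: ubuntu-latest
    # NOTE(review): skip-duplicate-actions looks up earlier workflow runs via
    # the token, which needs `actions: read`; confirm against the action's
    # README before tightening further.
    permissions:
      actions: read
      contents: read
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip }}
    steps:
      - id: skip_check
        # Third-party action pinned to a tag only. Pinning to the full commit
        # SHA (tag kept in a trailing comment) protects against a moved or
        # re-published tag.
        uses: fkirc/skip-duplicate-actions@v5.3.1
        with:
          skip_after_successful_duplicate: 'true'
          concurrent_skipping: 'same_content_newer'

  audit:
    needs: pre_job
    if: needs.pre_job.outputs.should_skip != 'true'
    name: pip-audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Patch pyproject.toml if matching branch exists in eudi-wallet-it-python
        # Branch names reach the script through env rather than being
        # interpolated into `run:`, so a crafted branch name is never expanded
        # on the shell command line.
        env:
          CURRENT_BRANCH: ${{ github.head_ref || github.ref_name }}
          TARGET_BRANCH: ${{ github.base_ref || 'master' }}
          DEPTH_COMMITS: "50"
        run: bash .github/scripts/patch-pyeudiw-branch.sh
      - name: Install dependencies with Poetry
        # Lower-bounded only; a newer Poetry release can change what gets
        # installed between otherwise identical runs.
        run: |
          pip install "poetry>=2.3.3"
          poetry install --extras test
      - name: Install pip-audit
        # Installed into the Poetry venv so it audits exactly what
        # `poetry install` resolved.
        run: poetry run pip install pip-audit
      - name: Audit dependencies for vulnerabilities
        run: |
          # satosa is from git (peppelinux/SATOSA in pyproject.toml), not PyPI.
          # pip-audit will report "Dependency not found on PyPI ... satosa" — that means
          # "could not look up on PyPI", not "satosa is missing". Expected for git deps.
          #
          # --ignore-vuln CVE-2024-23342 (ecdsa): Minerva timing side-channel. python-ecdsa
          # considers side-channel attacks out of scope; no upstream fix exists.
          #
          # --cache-dir: use fresh dir to avoid CacheControl "deserialization failed" warnings from pip's incompatible http cache
          poetry run pip-audit --cache-dir /tmp/pip-audit-cache --desc \
            --ignore-vuln CVE-2024-23342
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "**Note:** \`satosa\` is installed from git (peppelinux/SATOSA). The \"not found on PyPI\" line for it is expected; pip-audit cannot look up git-installed packages on PyPI." >> "$GITHUB_STEP_SUMMARY"

  audit-djangosaml2-sp:
    needs: pre_job
    if: needs.pre_job.outputs.should_skip != 'true'
    name: pip-audit (djangosaml2_sp)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install pip-audit
        run: pip install pip-audit
      - name: Audit djangosaml2_sp dependencies for vulnerabilities
        # Audits the demo's pinned requirements file directly; nothing from
        # the main project's Poetry environment is involved here.
        run: |
          # --cache-dir: use fresh dir to avoid CacheControl "deserialization failed" warnings
          pip-audit --cache-dir /tmp/pip-audit-cache -r iam-proxy-italia-project-demo-examples/djangosaml2_sp/requirements.txt --desc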