chore(deps): bump urllib3 from 2.5.0 to 2.6.0 in /docs #737
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run security checks on PR | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| - development | |
| - hotfix | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| - ready_for_review | |
| jobs: | |
| checks: | |
| if: github.event.pull_request.draft == false | |
| permissions: | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| name: Run security checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
| - name: Setup Python version | |
| uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 | |
| with: | |
| python-version: '3.11' | |
| - name: Lint with Ruff | |
| uses: chartboost/ruff-action@e18ae971ccee1b2d7bbef113930f00c670b78da4 # v1.0.0 | |
| with: | |
| src: "." | |
| continue-on-error: false | |
| - name: Validate required fields in pyproject.toml | |
| run: | | |
| pip install tomlkit | |
| python -m scripts.validate_toml_files | |
| # - name: Install dependencies | |
| # run: | | |
| # python -m pip install --upgrade pip | |
| # pip install pip-audit uv | |
| # - name: Convert pyproject.toml to requirements.txt and Run pip-audit | |
| # run: | | |
| # # Find all pyproject.toml files | |
| # find . -name pyproject.toml -type f | while read -r toml_file; do | |
| # echo "Processing $toml_file" | |
| # dir=$(dirname "$toml_file") | |
| # # Convert pyproject.toml to requirements.txt using uv | |
| # cd "$dir" | |
| # uv pip compile pyproject.toml -o requirements.txt | |
| # # Run pip-audit on the requirements file, ignoring specific vulnerabilities | |
| # echo "Running pip-audit for $dir" | |
| # pip-audit -r requirements.txt \ | |
| # --ignore-vuln GHSA-3749-ghw9-m3mg \ | |
| # --ignore-vuln GHSA-887c-mr87-cxwp || exit 1 | |
| # cd - | |
| # done | |
| # - name: Run Deptry Check | |
| # run: | | |
| # pip install deptry | |
| # echo "📦 Checking dependencies..." | |
| # # Initialize a file to collect all dependency issues | |
| # DEPENDENCY_ISSUES=$(mktemp) | |
| # echo "" > "$DEPENDENCY_ISSUES" | |
| # find . -name pyproject.toml -type f | while read -r toml_file; do | |
| # dir=$(dirname "$toml_file") | |
| # echo "Analyzing $dir" | |
| # cd "$dir" | |
| # # Skip if no deptry configuration | |
| # if ! grep -q "\[tool.deptry\]" pyproject.toml 2>/dev/null; then | |
| # echo "⏩ Skipping (no deptry configuration)" | |
| # cd - | |
| # continue | |
| # fi | |
| # # Run deptry and capture output | |
| # if ! deptry . > deptry_output.txt 2>&1; then | |
| # echo "❌ Dependency issues found in $dir:" | |
| # echo "Dependency issues in $dir:" >> "$DEPENDENCY_ISSUES" | |
| # cat deptry_output.txt >> "$DEPENDENCY_ISSUES" | |
| # fi | |
| # cd - | |
| # done | |
| # # Check if there are any dependency issues | |
| # if [ -s "$DEPENDENCY_ISSUES" ]; then | |
| # echo "Dependency issues found. Please fix the following issues:" | |
| # cat "$DEPENDENCY_ISSUES" | |
| # exit 1 | |
| # else | |
| # echo "All dependency checks passed." | |
| # fi | |
| # - name: Run Trivy vulnerability scanner in repo mode | |
| # uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # v0.21.0 | |
| # with: | |
| # scan-type: 'fs' | |
| # ignore-unfixed: true | |
| # format: 'sarif' | |
| # output: 'trivy-results.sarif' | |
| # limit-severities-for-sarif: true | |
| # severity: 'HIGH,CRITICAL' | |
| # scanners: 'vuln,misconfig,secret' | |
| # skip-dirs: '.vscode,docs' | |
| # exit-code: '1' | |
| # - name: Upload Trivy scan results to GitHub Security tab | |
| # uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v.3.25.6 | |
| # if: always() | |
| # with: | |
| # sarif_file: 'trivy-results.sarif' |