**ACTION_REQUESTED:** Generate Code #66
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Dependency Audit | |
| # Trigger on pushes and pull requests to the main branch | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| # Optional: Allow manual trigger from Actions tab | |
| workflow_dispatch: | |
| jobs: | |
| pip-audit: | |
| runs-on: ubuntu-latest | |
| # REMOVED strategy matrix | |
| name: Audit Project Dependencies # Changed name | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| id: setup-python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| version: '1.8.3' # Specify an exact, known stable version | |
| virtualenvs-create: true | |
| virtualenvs-in-project: false # Keep false for CI caching | |
| installer-parallel: true | |
| - name: Display Poetry version | |
| run: poetry --version | |
| - name: Install pip-audit tool | |
| run: pipx install pip-audit | |
| - name: Load cached Poetry cache # Cache Poetry's package cache | |
| id: cached-poetry-dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.cache/pypoetry # Standard cache location on Linux runners | |
| key: poetry-cache-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('poetry.lock') }} | |
| restore-keys: | | |
| poetry-cache-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}- | |
| - name: Check lock file consistency # Run in root | |
| run: poetry lock --check # Use --check to verify lock file is up-to-date | |
| # No working-directory needed, runs in root | |
| - name: Synchronize dependencies # Run in root | |
| run: | | |
| echo "Attempting to sync environment with root lock file using 'poetry install --sync'..." | |
| # Install dev dependencies too, as they might have vulnerabilities | |
| poetry install --sync --with dev --no-interaction | |
| # No working-directory needed, runs in root | |
| # --- MODIFIED: Remove --requirement poetry.lock --- | |
| - name: Run pip-audit # Run in root | |
| run: | | |
| echo "Running pip-audit using 'poetry run'..." | |
| # Run pip-audit within the environment managed by Poetry. | |
| # It will audit the packages installed by 'poetry install'. | |
| poetry run pip-audit --progress-spinner=off --strict | |
| # REMOVED: --requirement poetry.lock | |
| # No working-directory needed, runs in root | |
| # --- END MODIFIED --- |