diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4599eee5..4176f9eb 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -74,7 +74,19 @@ jobs:
       # Audit all currently installed packages for security vulnerabilities.
       - name: Audit installed packages
-        run: make audit
+        id: audit-packages
+        continue-on-error: true
+        run: make --silent audit > pip-audit-vulnerabilities.txt
+
+      # Upload the vulnerabilities file output.
+      - name: Upload Artifact
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb #v3.1.1
+        with:
+          name: pip-audit-vulnerabilities.txt
+          path: .
+          if-no-files-found: error
+          retention-days: 1
+        if: steps.audit-packages.outputs.exit_code == 1
       # Build the sdist and wheel distribution of the package and docs as a zip file.
       # We don't need to check and test the package separately because `make dist` runs
diff --git a/.github/workflows/pr-change-set.yaml b/.github/workflows/pr-change-set.yaml
index c4814f97..14c13a82 100644
--- a/.github/workflows/pr-change-set.yaml
+++ b/.github/workflows/pr-change-set.yaml
@@ -18,3 +18,23 @@ jobs:
     uses: ./.github/workflows/build.yaml
     permissions:
       contents: read
+
+  comment-audit:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    needs: build
+    steps:
+
+      - name: Download artifact from Build
+        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 #v3
+        if: steps.audit-packages.outputs.exit_code == 1
+        with:
+          name: pip-audit-vulnerabilities.txt
+
+      - name: Comment on PR
+        id: comment-pr
+        run: gh pr comment ${{ github.event.number }} --body-file pip-audit-vulnerabilities.txt
+        if: steps.audit-packages.outputs.exit_code == 1
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
index fe324aff..bff0fa50 100644
--- a/.gitignore
+++ b/.gitignore
@@ -132,3 +132,7 @@ dmypy.json
 # Pyre type checker
 .pyre/
+
+# pip audit vulnerabilities file
+
+pip-audit-vulnerabilities.txt
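Review bot: The `if:` on the Upload Artifact step can never be true, because a `run` step has no `outputs.exit_code` unless the step itself writes one to `$GITHUB_OUTPUT`; with `continue-on-error: true` the step's failure is exposed as `steps.audit-packages.outcome`, so the guard should read `if: steps.audit-packages.outcome == 'failure'`. The artifact `path: .` also uploads the whole workspace rather than the report, and with that path `if-no-files-found: error` can never catch a missing report; use `path: pip-audit-vulnerabilities.txt`. Because `continue-on-error: true` now lets the build job succeed on a failed audit, a vulnerable dependency is surfaced only through the artifact and PR comment; if the build should still be gated, a final step `if: steps.audit-packages.outcome == 'failure'` with `run: exit 1` restores that. The `>` redirect captures stdout only, so if `make audit` writes its findings to stderr (not visible here) the uploaded file will be empty. The enclosing job's steps list starts and ends outside the hunk.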
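Review bot: Both `if: steps.audit-packages.outputs.exit_code == 1` conditions in `comment-audit` reference a step id that lives in a different job inside the reusable `build.yaml` workflow; the `steps` context only covers the current job, so the expression is always false and neither the download nor the comment ever runs. The audit result has to cross the job boundary explicitly: declare it as a job output in `build.yaml`, re-export it under `on.workflow_call.outputs`, and gate here with something like `if: needs.build.outputs.audit_failed == 'true'` (a constructed name), preferably at job level so the download step is not reached when no artifact exists, since download-artifact fails on a missing artifact. The `${{ github.event.number }}` reference implies a `pull_request` trigger; on pull requests from forks `GITHUB_TOKEN` is read-only regardless of the `pull-requests: write` declaration, so `gh pr comment` would fail there, and any alternative that grants write access to fork-triggered runs must treat the downloaded report as untrusted input. Passing the report via `--body-file` rather than interpolating its contents into the command line is the right choice, since the file text never reaches the shell.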