feat: add git-audit Action to the build workflow

jenstroeger · Sep 5, 2022 · aae32ed · aae32ed
1 parent 19cbd9e
commit aae32ed
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 8 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -85,6 +85,12 @@ jobs:
         echo "Digest of artifacts is $DIGEST."
         # Set the computed sha digest as the output of this job.
         echo "::set-output name=artifacts-sha256::$DIGEST"
+    # Audit the required packages for security vulnerabilities.
+    - name: Audit required packages
+      if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
+      uses: pypa/[email protected]
+      with:
+        inputs: requirements.txt
     # For now only generate artifacts for the specified OS and Python version in env variables.
     # Currently reusable workflows do not support setting strategy property from the caller workflow.
     - name: Upload the package artifact for debugging and release

diff --git a/Makefile b/Makefile
@@ -120,17 +120,15 @@ requirements.txt: pyproject.toml
 	  echo "Fetching package metadata for requirement '$$pkg'"; \
 	  [[ $$pkg =~ (.*)==(.*) ]] && curl -s https://pypi.org/pypi/$${BASH_REMATCH[1]}/$${BASH_REMATCH[2]}/json | python -c "import json, sys; print(''.join(f''' \\\\\n    --hash=sha256:{pkg['digests']['sha256']}''' for pkg in json.load(sys.stdin)['urls']));" >> requirements.txt; \
 	done
-	if [ ! -x pip_audit ]; then python -m pip install "pip-audit ==2.4.4"; fi
-	python -m pip_audit --requirement requirements.txt --skip-editable --desc on --require-hashes --fix --dry-run
-	echo -e -n "package==$(PACKAGE_VERSION)" >> requirements.txt
+	cp requirements.txt dist/package-$(PACKAGE_VERSION)-requirements.txt
+	echo -e -n "package==$(PACKAGE_VERSION)" >> dist/package-$(PACKAGE_VERSION)-requirements.txt
 	if [ -f dist/package-$(PACKAGE_VERSION).tar.gz ]; then \
-	  echo -e -n " \\\\\n    `python -m pip hash --algorithm sha256 dist/package-$(PACKAGE_VERSION).tar.gz | grep '^\-\-hash'`" >> requirements.txt; \
+	  echo -e -n " \\\\\n    `python -m pip hash --algorithm sha256 dist/package-$(PACKAGE_VERSION).tar.gz | grep '^\-\-hash'`" >> dist/package-$(PACKAGE_VERSION)-requirements.txt; \
 	fi
 	if [ -f dist/package-$(PACKAGE_VERSION)-py3-none-any.whl ]; then \
-	  echo -e -n " \\\\\n    `python -m pip hash --algorithm sha256 dist/package-$(PACKAGE_VERSION)-py3-none-any.whl | grep '^\-\-hash'`" >> requirements.txt; \
+	  echo -e -n " \\\\\n    `python -m pip hash --algorithm sha256 dist/package-$(PACKAGE_VERSION)-py3-none-any.whl | grep '^\-\-hash'`" >> dist/package-$(PACKAGE_VERSION)-requirements.txt; \
 	fi
-	echo "" >> requirements.txt
-	cp requirements.txt dist/package-$(PACKAGE_VERSION)-requirements.txt
+	echo "" >> dist/package-$(PACKAGE_VERSION)-requirements.txt
 
 # Run some or all checks over the package code base.
 .PHONY: check check-code check-bandit check-flake8 check-lint check-mypy

diff --git a/pyproject.toml b/pyproject.toml
@@ -44,7 +44,6 @@ actions = [
 dev = [
     "flit >=3.2.0,<4.0.0",
     "mypy >=0.921,<=0.971",
-    "pip-audit >=2.4.4,<3.0.0",
     "pylint >=2.9.3,<=2.14.5",
     "cyclonedx-bom >=3.5.0,<4.0.0",
 ]