From aae32eddb2f4d38ba79c4f1fcccf4dbd154fbc0a Mon Sep 17 00:00:00 2001 From: Jens Troeger Date: Mon, 5 Sep 2022 12:01:56 +1000 Subject: [PATCH] feat: add git-audit Action to the build workflow --- .github/workflows/build.yaml | 6 ++++++ Makefile | 12 +++++------- pyproject.toml | 1 - 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 34f9ef8e..b7c0b3c6 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -85,6 +85,12 @@ jobs: echo "Digest of artifacts is $DIGEST." # Set the computed sha digest as the output of this job. echo "::set-output name=artifacts-sha256::$DIGEST" + # Audit the required packages for security vulnerabilities. + - name: Audit required packages + if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON + uses: pypa/gh-action-pip-audit@v1.0.0 + with: + inputs: requirements.txt # For now only generate artifacts for the specified OS and Python version in env variables. # Currently reusable workflows do not support setting strategy property from the caller workflow. - name: Upload the package artifact for debugging and release diff --git a/Makefile b/Makefile index 622c475e..5bc8fbbc 100644 --- a/Makefile +++ b/Makefile @@ -120,17 +120,15 @@ requirements.txt: pyproject.toml echo "Fetching package metadata for requirement '$$pkg'"; \ [[ $$pkg =~ (.*)==(.*) ]] && curl -s https://pypi.org/pypi/$${BASH_REMATCH[1]}/$${BASH_REMATCH[2]}/json | python -c "import json, sys; print(''.join(f''' \\\\\n --hash=sha256:{pkg['digests']['sha256']}''' for pkg in json.load(sys.stdin)['urls']));" >> requirements.txt; \ done - if [ ! -x pip_audit ]; then python -m pip install "pip-audit ==2.4.4"; fi - python -m pip_audit --requirement requirements.txt --skip-editable --desc on --require-hashes --fix --dry-run - echo -e -n "package==$(PACKAGE_VERSION)" >> requirements.txt + cp requirements.txt dist/package-$(PACKAGE_VERSION)-requirements.txt + echo -e -n "package==$(PACKAGE_VERSION)" >> dist/package-$(PACKAGE_VERSION)-requirements.txt if [ -f dist/package-$(PACKAGE_VERSION).tar.gz ]; then \ - echo -e -n " \\\\\n `python -m pip hash --algorithm sha256 dist/package-$(PACKAGE_VERSION).tar.gz | grep '^\-\-hash'`" >> requirements.txt; \ + echo -e -n " \\\\\n `python -m pip hash --algorithm sha256 dist/package-$(PACKAGE_VERSION).tar.gz | grep '^\-\-hash'`" >> dist/package-$(PACKAGE_VERSION)-requirements.txt; \ fi if [ -f dist/package-$(PACKAGE_VERSION)-py3-none-any.whl ]; then \ - echo -e -n " \\\\\n `python -m pip hash --algorithm sha256 dist/package-$(PACKAGE_VERSION)-py3-none-any.whl | grep '^\-\-hash'`" >> requirements.txt; \ + echo -e -n " \\\\\n `python -m pip hash --algorithm sha256 dist/package-$(PACKAGE_VERSION)-py3-none-any.whl | grep '^\-\-hash'`" >> dist/package-$(PACKAGE_VERSION)-requirements.txt; \ fi - echo "" >> requirements.txt - cp requirements.txt dist/package-$(PACKAGE_VERSION)-requirements.txt + echo "" >> dist/package-$(PACKAGE_VERSION)-requirements.txt # Run some or all checks over the package code base. .PHONY: check check-code check-bandit check-flake8 check-lint check-mypy diff --git a/pyproject.toml b/pyproject.toml index afd2040b..decceb15 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -44,7 +44,6 @@ actions = [ dev = [ "flit >=3.2.0,<4.0.0", "mypy >=0.921,<=0.971", - "pip-audit >=2.4.4,<3.0.0", "pylint >=2.9.3,<=2.14.5", "cyclonedx-bom >=3.5.0,<4.0.0", ]