.github/workflows/sdl.yml

name: OpenVINO tokenizers sdl tests
on:
  workflow_dispatch:
  pull_request:
  merge_group:
  push:
    branches:
      - master
      - 'releases/**'

permissions: read-all

concurrency:
  # github.ref is not unique in post-commit
  group: ${{ github.event_name == 'push' && github.run_id || github.ref }}-linux-sdl
  cancel-in-progress: true

env:
  PYTHON_VERSION: '3.11'

jobs:
  sdl_tests:
    name: SDL tests
    timeout-minutes: 10
    defaults:
      run:
        shell: bash
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Clone Openvino tokenizers sources and tests
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'

      - name: Install Python tests dependencies
        run: |
          python3 -m pip install bandit

      - name: Tokenizers Bandit tests
        run: |
          bandit -c pyproject.toml -r python

      - name: Run Trivy vulnerability scanner in fs mode
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
        with:
          scan-type: 'fs'
          scan-ref: '.'

      - name: Dependency Review
        if: ${{ github.event_name == 'pull_request' }}
        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
        with:
          config-file: './.github/dependency_review.yml'