Skip to content

Read signing golden fixtures from spec checkout #30

Read signing golden fixtures from spec checkout

Read signing golden fixtures from spec checkout #30

Workflow file for this run

name: deps-scan
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: "0 7 * * 1"
permissions:
contents: read
jobs:
allowlist-expiry:
name: "IntentProof Security: Deps Allowlist"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Validate dependency allowlist expiry dates
run: bash ./scripts/check-deps-allowlist.sh
pip-audit:
name: "IntentProof Security: pip-audit"
needs: allowlist-expiry
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
with:
python-version: "3.11"
- name: Install package and pip-audit
run: pip install -e ".[dev]" pip-audit
- name: Run pip-audit
run: pip-audit --desc on
osv-scanner:
name: "IntentProof Security: OSV-Scanner"
needs: allowlist-expiry
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
with:
python-version: "3.11"
- name: Materialize Python lockfile for OSV
run: |
pip install -e ".[dev]"
pip freeze --exclude-editable > requirements-osv.txt
- name: Run OSV-Scanner gate
run: bash ./scripts/run-osv-scanner-gate.sh . .osv-scanner.toml requirements-osv.txt