Skip to content

ci: run pip-audit via tox (supply chain)#40

Merged
negillett merged 2 commits into
IntentProof:mainfrom
negillett:ci/supply-chain-pip-audit
May 10, 2026
Merged

ci: run pip-audit via tox (supply chain)#40
negillett merged 2 commits into
IntentProof:mainfrom
negillett:ci/supply-chain-pip-audit

Conversation

@negillett

@negillett negillett commented May 10, 2026

Copy link
Copy Markdown
Member

Consolidates supply-chain checks into tox:

  • env_list includes audit (uses existing [testenv:audit] with pip-audit).
  • CI matrix adds audit and names the job tox (${{ matrix.tox-env }}) so release preflight can require tox (audit).
  • Removes the separate audit job (avoids double pip-audit on every PR).
  • Spec conformance and conformance attestation run tox run -e static,audit,cov.
  • Release preflight: require tox (audit) alongside static/cov.

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Consolidated continuous integration workflows to use a unified tox-driven job structure
    • Integrated additional security and code quality audit checks into the automated validation pipeline

Review Change Stack

Add audit to tox env_list and matrix (named tox (<env>) checks). Drop
standalone audit job to avoid duplicate scans. Spec conformance and
release preflight include audit gate.

Co-authored-by: Cursor <cursoragent@cursor.com>
@coderabbitai

coderabbitai Bot commented May 10, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

The PR consolidates CI audit functionality from a standalone job into a tox-driven matrix system. The audit environment is registered in tox.ini, integrated into the main CI job matrix in ci.yml, and added to the audit invocation list across conformance-attestation.yml and spec-conformance.yml workflows. A minor variable reordering in release.yml has no functional impact.

Changes

Tox-Based CI Audit Consolidation

Layer / File(s) Summary
Tox environment setup
tox.ini
audit environment is registered in env_list to enable tox invocation of the existing [testenv:audit] CVE scan.
CI job matrix consolidation
.github/workflows/ci.yml
Standalone audit job is removed and replaced with a unified tox job parameterized by matrix.tox-env; audit is added as a matrix entry with python-version: "3.x" and check-latest: true.
Workflow audit integration
.github/workflows/conformance-attestation.yml, .github/workflows/spec-conformance.yml
Tox invocations are expanded to include audit alongside static and cov environments; conformance-attestation also sets INTENTPROOF_SPEC_ROOT.
Release workflow maintenance
.github/workflows/release.yml
requiredPrefixes variable is repositioned in the GitHub Script step with no functional change.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Our audit now hops through the tox garden,
No more standing alone, it's pardoned—
With static and cov in harmonious stride,
The CI pipeline flows far and wide!
pip-audit bounces with glee

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately captures the main objective: consolidating pip-audit execution into tox instead of running it as a standalone job.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/spec-conformance.yml:
- Around line 59-63: The SDK quality gates job currently runs "tox run -e
static,audit,cov" (named "SDK quality gates (tox static + audit + cov)"), which
duplicates the centralized CI "tox (audit)" run; remove "audit" from the
environment list and command so this job runs only "static" and "cov" (e.g.,
change to "tox run -e static,cov") and update the job name to reflect that
change to avoid duplicate pip-audit execution across PR workflows.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c23f7b7e-6610-4f40-963c-7460a3254002

📥 Commits

Reviewing files that changed from the base of the PR and between 0b405a3 and 20143b3.

📒 Files selected for processing (5)
  • .github/workflows/ci.yml
  • .github/workflows/conformance-attestation.yml
  • .github/workflows/release.yml
  • .github/workflows/spec-conformance.yml
  • tox.ini

Comment thread .github/workflows/spec-conformance.yml Outdated
Co-authored-by: Cursor <cursoragent@cursor.com>
@negillett negillett merged commit ea6b315 into IntentProof:main May 10, 2026
13 checks passed
@negillett negillett deleted the ci/supply-chain-pip-audit branch May 10, 2026 21:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant