ci: run pip-audit via tox (supply chain)#40
Conversation
Add audit to tox env_list and matrix (named tox (<env>) checks). Drop standalone audit job to avoid duplicate scans. Spec conformance and release preflight include audit gate. Co-authored-by: Cursor <cursoragent@cursor.com>
📝 WalkthroughWalkthroughThe PR consolidates CI audit functionality from a standalone job into a tox-driven matrix system. The audit environment is registered in ChangesTox-Based CI Audit Consolidation
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/spec-conformance.yml:
- Around line 59-63: The SDK quality gates job currently runs "tox run -e
static,audit,cov" (named "SDK quality gates (tox static + audit + cov)"), which
duplicates the centralized CI "tox (audit)" run; remove "audit" from the
environment list and command so this job runs only "static" and "cov" (e.g.,
change to "tox run -e static,cov") and update the job name to reflect that
change to avoid duplicate pip-audit execution across PR workflows.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: c23f7b7e-6610-4f40-963c-7460a3254002
📒 Files selected for processing (5)
.github/workflows/ci.yml.github/workflows/conformance-attestation.yml.github/workflows/release.yml.github/workflows/spec-conformance.ymltox.ini
Co-authored-by: Cursor <cursoragent@cursor.com>
Consolidates supply-chain checks into tox:
[testenv:audit]withpip-audit).tox (${{ matrix.tox-env }})so release preflight can requiretox (audit).pip-auditon every PR).tox run -e static,audit,cov.tox (audit)alongside static/cov.Made with Cursor
Summary by CodeRabbit