From 20143b3ebe329777cc3b0e86825433f8f97fb6ad Mon Sep 17 00:00:00 2001 From: Nathan Gillett Date: Sun, 10 May 2026 16:04:29 -0500 Subject: [PATCH 1/2] ci: run pip-audit via tox matrix and attestation workflows Add audit to tox env_list and matrix (named tox () checks). Drop standalone audit job to avoid duplicate scans. Spec conformance and release preflight include audit gate. Co-authored-by: Cursor --- .github/workflows/ci.yml | 20 ++++--------------- .github/workflows/conformance-attestation.yml | 4 ++-- .github/workflows/release.yml | 2 +- .github/workflows/spec-conformance.yml | 4 ++-- tox.ini | 1 + 5 files changed, 10 insertions(+), 21 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 468ffda..b860170 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -122,23 +122,8 @@ jobs: INTENTPROOF_SPEC_ROOT: ${{ github.workspace }}/intentproof-spec run: pytest tests/unit/test_spec_golden_conformance.py -v - audit: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was `@v6` - - - uses: ./.github/actions/setup-python-pip - with: - python-version: "3.x" - check-latest: true - - - name: Install project (dev extras) - run: pip install -e ".[dev]" - - - name: pip-audit - run: pip-audit - tox: + name: tox (${{ matrix.tox-env }}) runs-on: ubuntu-latest strategy: fail-fast: false @@ -147,6 +132,9 @@ jobs: - tox-env: static python-version: "3.x" check-latest: true + - tox-env: audit + python-version: "3.x" + check-latest: true - tox-env: cov python-version: "3.x" check-latest: true diff --git a/.github/workflows/conformance-attestation.yml b/.github/workflows/conformance-attestation.yml index 75ec94e..d75e269 100644 --- a/.github/workflows/conformance-attestation.yml +++ b/.github/workflows/conformance-attestation.yml @@ -76,10 +76,10 @@ jobs: exit 1 fi - - name: SDK quality gates (tox static + cov) + - name: SDK quality gates (tox static + audit + cov) env: INTENTPROOF_SPEC_ROOT: ${{ github.workspace }}/intentproof-spec - run: tox run -e static,cov + run: tox run -e static,audit,cov - name: Set up Node.js for spec oracle uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was `@v6` diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3b7aa6d..0e3b9c4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -29,7 +29,7 @@ jobs: with: script: | const requiredExact = ["no-handwritten-model-types", "hardening", "intentproof-spec", "spec-golden-parity"]; - const requiredPrefixes = ["tox (static", "tox (cov"]; + const requiredPrefixes = ["tox (static", "tox (audit", "tox (cov"]; const { owner, repo } = context.repo; const ref = context.sha; const runs = await github.paginate(github.rest.checks.listForRef, { diff --git a/.github/workflows/spec-conformance.yml b/.github/workflows/spec-conformance.yml index 0975de0..f44e402 100644 --- a/.github/workflows/spec-conformance.yml +++ b/.github/workflows/spec-conformance.yml @@ -56,10 +56,10 @@ jobs: - name: Install tox run: pip install "tox>=4" - - name: SDK quality gates (tox static + cov) + - name: SDK quality gates (tox static + audit + cov) env: INTENTPROOF_SPEC_ROOT: ${{ github.workspace }}/intentproof-spec - run: tox run -e static,cov + run: tox run -e static,audit,cov - name: Set up Node.js for spec oracle uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was `@v6` diff --git a/tox.ini b/tox.ini index 92990d2..132c5fc 100644 --- a/tox.ini +++ b/tox.ini @@ -1,6 +1,7 @@ [tox] env_list = static + audit cov py311 py312 From f7fdc7950df09c671040bf1b97f037b8dc409b36 Mon Sep 17 00:00:00 2001 From: Nathan Gillett Date: Sun, 10 May 2026 16:07:37 -0500 Subject: [PATCH 2/2] ci(spec-conformance): drop duplicate tox audit (covered by CI matrix) Co-authored-by: Cursor --- .github/workflows/spec-conformance.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/spec-conformance.yml b/.github/workflows/spec-conformance.yml index f44e402..0975de0 100644 --- a/.github/workflows/spec-conformance.yml +++ b/.github/workflows/spec-conformance.yml @@ -56,10 +56,10 @@ jobs: - name: Install tox run: pip install "tox>=4" - - name: SDK quality gates (tox static + audit + cov) + - name: SDK quality gates (tox static + cov) env: INTENTPROOF_SPEC_ROOT: ${{ github.workspace }}/intentproof-spec - run: tox run -e static,audit,cov + run: tox run -e static,cov - name: Set up Node.js for spec oracle uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was `@v6`