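---
# Dependency security workflow: a license-policy check and a
# known-vulnerability scan of the locked Python dependency set. Both jobs
# are read-only (they publish nothing), so the workflow token needs no
# write scopes.
name: Security Audit

# `on` is a YAML 1.1 boolean literal; GitHub's loader reads it as the
# trigger key, so a yamllint `truthy` warning on this line is expected.
on:
  push:
    branches: [main]
    paths:
      - 'pyproject.toml'
      - 'uv.lock'
  pull_request:
    paths:
      - 'pyproject.toml'
      - 'uv.lock'
  schedule:
    # Run weekly on Monday at 08:00 UTC
    - cron: '0 8 * * 1'

# Least privilege for GITHUB_TOKEN: both jobs only read the repository.
# Without an explicit block the token gets the repository's default
# permissions, which may include write scopes it does not need.
permissions:
  contents: read

jobs:
  license-check:
    name: Check dependency licenses
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are pinned to floating major tags; pinning to
      # a full commit SHA (with the tag in a trailing comment) makes the
      # action code immutable against tag moves.
      - uses: actions/checkout@v6
      - uses: astral-sh/setup-uv@v7
        with:
          # "latest" is not reproducible run-to-run; a fixed version is
          # preferable once the required uv features are known.
          version: "latest"
      - name: Set up Python
        run: uv python install 3.12
      # Built before the Python install step; presumably the package data
      # includes the bundle — verify against pyproject.toml.
      - name: Build OpenClaw plugin bundle
        working-directory: keep/data/openclaw-plugin
        run: |
          npm ci
          node build.mjs
      - name: Install dependencies
        run: |
          uv sync --no-dev
          uv pip install pip-licenses
      # Fail the job if any installed distribution declares one of the
      # copyleft licenses below. Inside the double quotes a trailing
      # backslash continues the line, so the list reaches pip-licenses as a
      # single semicolon-separated argument. Continuation lines must stay at
      # the same indent as the first line: any extra leading whitespace
      # would become part of the license names and silently break matching.
      - name: Check licenses
        run: |
          uv run pip-licenses --fail-on="GNU General Public License v2 (GPLv2);\
          GNU General Public License v3 (GPLv3);\
          GNU General Public License v2 or later (GPLv2+);\
          GNU General Public License v3 or later (GPLv3+);\
          GNU Affero General Public License v3 (AGPLv3);\
          GNU Affero General Public License v3 or later (AGPLv3+);\
          GNU Lesser General Public License v2 (LGPLv2);\
          GNU Lesser General Public License v2 or later (LGPLv2+);\
          GNU Lesser General Public License v3 (LGPLv3);\
          GNU Lesser General Public License v3 or later (LGPLv3+)" \
          --format=plain --order=license
      # Warn (do not fail) on packages with no usable license metadata.
      # `|| true` keeps grep's non-zero "no match" exit from aborting the
      # step under the runner's `-e` shell.
      - name: Flag UNKNOWN licenses
        run: |
          UNKNOWN=$(uv run pip-licenses --format=csv | grep 'UNKNOWN' || true)
          if [ -n "$UNKNOWN" ]; then
            echo "::warning::Packages with UNKNOWN license metadata:"
            echo "$UNKNOWN"
          fi

  pip-audit:
    name: Audit Python dependencies
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): same floating-tag pinning as in license-check; see
      # the comment there.
      - uses: actions/checkout@v6
      - uses: astral-sh/setup-uv@v7
        with:
          version: "latest"
      - name: Set up Python
        run: uv python install 3.12
      # Installed with the runner's system pip rather than into the uv
      # environment: pip-audit only needs the exported requirements file.
      - name: Install pip-audit
        run: pip install pip-audit
      # Export the locked, non-dev dependency set (the project itself
      # excluded) and audit it. Each `--ignore-vuln` is a standing
      # suppression: keep the reason next to it and drop it as soon as a
      # fixed release of the affected package is published.
      - name: Audit dependencies
        run: |
          uv export --frozen --no-hashes --no-emit-project > /tmp/requirements.txt
          pip-audit -r /tmp/requirements.txt --desc \
            --ignore-vuln CVE-2026-4539 # pygments ReDoS, no fix available, local-only attack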