Make pip-audit in CI optional via configuration

copier.yml

@@ -136,6 +136,16 @@ format_tool:
   default: black
   choices: [black, ruff]
 
+audit_in_ci:
+  type: bool
+  help: >-
+    Run pip-audit in weekly CI? It audits the locked dependencies, which
+    only affect this repo's developers and CI -- downstream consumers
+    resolve their own deps, so the audit is mostly relevant for developer
+    safety. GitHub Dependabot alerts and `just deps-audit` are always
+    available.
+  default: false
+
 in_pypi:
   type: bool
   help: Did you upload the package to PyPI?

project_name/.github/workflows/weekly-ci.yml.jinja

@@ -89,12 +89,11 @@ jobs:
               });
               await core.notice(`Created issue ${issue.data.html_url}`);
             }
+{%- if audit_in_ci %}
 
   pip-audit:
     runs-on: ubuntu-latest
     timeout-minutes: 10
-    permissions:
-      issues: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
@@ -115,51 +114,4 @@ jobs:
         with:
           inputs: requirements.txt
           require-hashes: true
-      - name: Create failure issue
-        if: failure()
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            // Check for existing audit failure issues
-            const existingIssues = await github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open',
-              labels: 'scheduled-ci-audit',
-              per_page: 10
-            });
-
-            if (existingIssues.data.length > 0) {
-              // Update existing issue instead of creating new one
-              const existingIssue = existingIssues.data[0];
-              await github.rest.issues.createComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: existingIssue.number,
-                body: `Another audit failure occurred on ${context.sha.substring(0, 7)}, see the [workflow run](${context.payload.repository.html_url}/actions/runs/${context.runId})`
-              });
-              await core.notice(`Updated existing issue ${existingIssue.html_url}`);
-
-            } else {
-              // Create new issue
-              const issue = await github.rest.issues.create({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                title: `Scheduled CI Audit Failed - ${new Date().toISOString().split('T')[0]}`,
-                body: `The scheduled CI audit check failed on ${context.sha.substring(0, 7)}.
-
-            **Failed Jobs:**
-            - Check the [workflow run](${context.payload.repository.html_url}/actions/runs/${context.runId})
-
-            **Likely Causes:**
-            - New security vulnerabilities detected by pip-audit
-
-            **Next Steps:**
-            - Review the logs above
-            - Update locked dependencies
-            - Re-run the workflow to verify fixes`,
-                labels: ['scheduled-ci-audit'],
-                assignees: [context.repo.owner],
-              });
-              await core.notice(`Created issue ${issue.data.html_url}`);
-            }
+{%- endif %}