Skip to content

chore(deps): bump github/codeql-action from 3.25.6 to 3.27.6 in /.github/workflows #369

chore(deps): bump github/codeql-action from 3.25.6 to 3.27.6 in /.github/workflows

chore(deps): bump github/codeql-action from 3.25.6 to 3.27.6 in /.github/workflows #369

Workflow file for this run

name: Run security checks on PR
permissions:
contents: read # for actions/checkout to fetch code
on:
pull_request:
branches:
- main
- development
- hotfix
types:
- opened
- synchronize
- reopened
- ready_for_review
jobs:
checks:
if: github.event.pull_request.draft == false
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Run security checks
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Setup Python version
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: '3.11'
- name: Lint with Ruff
uses: chartboost/ruff-action@e18ae971ccee1b2d7bbef113930f00c670b78da4 # v1.0.0
with:
src: "./src"
continue-on-error: false
- name: pip audit install setup 1
run: |
python -m venv env1/
source env1/bin/activate
- name: pip audit src requirements
uses: pypa/gh-action-pip-audit@d499194be74aeb3bc7dbed3a224a87e1831132c7 # v1.0.8
with:
# must be populated earlier in the CI
virtual-environment: env1/
local: true
no-deps: true
inputs: |
./src/requirements.txt
- name: pip audit install setup 2
run: |
python -m venv env2/
source env2/bin/activate
- name: pip audit operator audiovec requirements
uses: pypa/gh-action-pip-audit@d499194be74aeb3bc7dbed3a224a87e1831132c7 # v1.0.8
with:
# must be populated earlier in the CI
virtual-environment: env2/
local: true
no-deps: true
inputs: |
./src/core/operators/audio_vec_embedding_requirements.txt
- name: pip audit install setup 3
run: |
python -m venv env3/
source env3/bin/activate
- name: pip audit operator vidvec requirements
uses: pypa/gh-action-pip-audit@d499194be74aeb3bc7dbed3a224a87e1831132c7 # v1.0.8
with:
# must be populated earlier in the CI
virtual-environment: env3/
local: true
no-deps: true
inputs: |
./src/core/operators/vid_vec_rep_resnet_requirements.txt
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # v0.21.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
limit-severities-for-sarif: true
severity: 'HIGH,CRITICAL'
scanners: 'vuln,misconfig,secret'
skip-dirs: '.vscode,docs'
exit-code: '1'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v.3.27.6
if: always()
with:
sarif_file: 'trivy-results.sarif'