ci: security-deps workflow — pip-audit CVE gate on PRs#114
Merged
Conversation
Runs pip-audit against requirements.txt and flatpak/requirements-pinned.txt on every PR that touches those files, plus weekly cron as safety net. - Fails the build if any known CVE is found (blocks merge via pip-audit --strict) - Posts an informational summary comment on the PR (updates existing comment rather than piling up new ones on every push) - Includes an outdated-packages report against PyPI (non-blocking) - Uses gh CLI for PR comment (no third-party action dependency in a security workflow) Manual dispatch supported via `gh workflow run security-deps.yml`.
Documents the automated pip-audit gate that now runs on every PR, so contributors know why an outdated pin can block their merge and how to trigger the workflow manually.
Round 11 review caught that fork PRs have GITHUB_TOKEN read-only regardless of declared permissions, so `gh api PATCH` / `gh pr comment` returns 403 -> comment step fails -> strict gate is skipped by default `if: success()`. The workflow marks itself as failed, but the CVE gate never runs, giving a false signal to reviewers. Adds `continue-on-error: true` to the comment step so the strict gate runs regardless. Comment failure is acceptable on fork PRs — users see the CI check status instead. Also pins pip-audit to 2.10.1 so an upstream regression cannot silently break the security gate, and adds a regression test that verifies continue-on-error is present on the comment step.
Contributor
Python dependencies security checkpip-audit:
|
| Package | Pin | Latest on PyPI | Status |
|---|---|---|---|
| PySide6 | PySide6>=6.11.1 |
6.11.1 |
up-to-date |
| pypdf | pypdf>=6.14.2 |
6.14.2 |
up-to-date |
| cryptography | cryptography>=49.0.0 |
49.0.0 |
up-to-date |
| qtawesome | qtawesome>=1.4.1 |
1.4.2 |
outdated |
| pillow | pillow>=12.1.1 |
12.3.0 |
outdated |
| pymupdf | pymupdf>=1.27.2.3 |
1.28.0 |
outdated |
| pytesseract | pytesseract>=0.3.13 |
0.3.13 |
up-to-date |
| python-docx | python-docx>=1.2.0 |
1.2.0 |
up-to-date |
| python-pptx | python-pptx>=1.0.2 |
1.0.2 |
up-to-date |
| openpyxl | openpyxl>=3.1.5 |
3.1.5 |
up-to-date |
| beautifulsoup4 | beautifulsoup4>=4.15.0 |
4.15.0 |
up-to-date |
| ebooklib | ebooklib>=0.20 |
0.20 |
up-to-date |
| lxml | lxml>=6.1.1 |
6.1.1 |
up-to-date |
| urllib3 | urllib3>=2.7.0 |
2.7.0 |
up-to-date |
| idna | idna>=3.18 |
3.18 |
up-to-date |
| pyinstaller | pyinstaller>=6.21.0 |
6.21.0 |
up-to-date |
Auto-generated by security-deps workflow. Merge is blocked only when pip-audit --strict reports vulnerabilities.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a CI workflow that runs
pip-auditagainstrequirements.txtandflatpak/requirements-pinned.txton every PR that touches those files, plus weekly cron and manual dispatch. Fails the build if any known vulnerability is found (blocks merge). Also posts an informational comment on the PR summarizing findings + outdated packages.Trigger
pull_requeston changes torequirements.txt/flatpak/requirements-pinned.txt/ workflow filepushtomainon same pathsgh workflow run security-deps.ymlBehavior
pip-audit --strictstep fails on any vulnerability → merge blockedcontinue-on-error: trueso the strict gate runs even when the token is read-only on fork PRsFiles
.github/workflows/security-deps.yml(new, 205 lines) — workflow itselftests/test_security_deps_workflow.py(new, 12 tests) — regression coverageCONTRIBUTING.md(+18 lines) — user-facing docsActions pinned
Uses only official
actions/*(no third-party marketplace deps in a security workflow):actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0(v7.0.0)actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1(v6.3.0)Both SHAs match the pinning already used in
build.yml/codeql.yml/publish.yml/release.ymlfor consistency.pip-audititself pinned to==2.10.1inside the workflow to avoid a race with a future pip-audit release changing exit-code semantics.PR comment via
ghCLINo third-party comment action. Uses
gh apito find an existing comment by section-heading marker, thengh api ... -X PATCHto update it (orgh pr commentto create). Avoids marketplace supply chain surface for a workflow explicitly guarding against supply-chain risk.Adversarial review
Review found and fixed:
pull-requests: write. Comment step failed with 403 → strict gate skipped by defaultif: success(). Fixed by addingcontinue-on-error: trueto the comment step so the gate always runs. New regression test enforces this.pip-auditto a specific version.Complements Dependabot
Also catches CVEs in transitives outside
requirements.txt(urllib3, certifi, etc.) if they surface throughpip-audit.Validation
tests/test_security_deps_workflow.py→ 12 passedyaml.safe_loadAPP_VERSIONbumprequirements.txtAfter merge
The workflow starts running on the next PR that touches
requirements.txt. Weekly cron picks up CVEs published without repo changes.