Skip to content

fix(ci): stop pip-audit --strict failing Security on the editable self-install#89

Merged
ascender1729 merged 1 commit into
mainfrom
fix/pip-audit-strict
May 27, 2026
Merged

fix(ci): stop pip-audit --strict failing Security on the editable self-install#89
ascender1729 merged 1 commit into
mainfrom
fix/pip-audit-strict

Conversation

@ascender1729

Copy link
Copy Markdown
Member

Security went red on main after #86 with ERROR: attestix: distribution marked as editable. --strict fails on any un-auditable dependency, and an editable self-install can never be audited (errors even with --skip-editable). Dropping --strict keeps enforcement of real dependency vulns (pip-audit still exits non-zero on actual CVEs) without failing on the local package. No real vulnerabilities were present.

…ailing Security on main

pip-audit --strict fails on any dependency it cannot audit, and an editable self-install (pip install -e .) can never be audited — it errors even with --skip-editable. Dropping --strict keeps the enforced behaviour we actually want: pip-audit still exits non-zero on any real dependency vulnerability, but no longer fails on the un-auditable local package. Fixes the Security workflow red on main after #86.
@coderabbitai

coderabbitai Bot commented May 27, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@ascender1729, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 57 minutes and 10 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3ac04603-0489-4181-99e3-8089c7a9fd1e

📥 Commits

Reviewing files that changed from the base of the PR and between 7ad0b47 and c3a8505.

📒 Files selected for processing (1)
  • .github/workflows/security.yml

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key: "ignore"
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/pip-audit-strict

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying attestix with  Cloudflare Pages  Cloudflare Pages

Latest commit: c3a8505
Status: ✅  Deploy successful!
Preview URL: https://2b68df9c.attestix.pages.dev
Branch Preview URL: https://fix-pip-audit-strict.attestix.pages.dev

View logs

@ascender1729 ascender1729 merged commit 9038891 into main May 27, 2026
19 checks passed
@ascender1729 ascender1729 deleted the fix/pip-audit-strict branch May 27, 2026 19:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant