chore(deps): bump soupsieve from 2.8.3 to 2.8.4 #112
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Security audit on dependencies: known vulnerabilities in Python packages | |
| # https://pip.pypa.io/en/stable/user_guide/#using-pip-audit | |
| # Runs only when dependency files are touched (+ weekly schedule) | |
| name: Security audit (dependencies) | |
| on: | |
| push: | |
| branches: ["**"] | |
| paths: | |
| - "pyproject.toml" | |
| - "poetry.lock" | |
| - "setup.py" | |
| - "setup.cfg" | |
| - "requirements*.txt" | |
| - "constraints*.txt" | |
| - ".github/workflows/security-dependencies.yml" | |
| pull_request: | |
| branches: ["**"] | |
| paths: | |
| - "pyproject.toml" | |
| - "poetry.lock" | |
| - "setup.py" | |
| - "setup.cfg" | |
| - "requirements*.txt" | |
| - "constraints*.txt" | |
| - ".github/workflows/security-dependencies.yml" | |
| schedule: | |
| - cron: '0 0 * * 1' | |
| jobs: | |
| skip_check: | |
| name: Skip duplicate runs | |
| runs-on: ubuntu-latest | |
| outputs: | |
| should_skip: ${{ steps.skip.outputs.should_skip }} | |
| steps: | |
| - id: skip | |
| uses: fkirc/skip-duplicate-actions@v5 | |
| with: | |
| concurrent_skipping: "same_content_newer" | |
| skip_after_successful_duplicate: "true" | |
| do_not_skip: '["workflow_dispatch", "schedule", "merge_group"]' | |
| pip-audit: | |
| needs: skip_check | |
| if: needs.skip_check.outputs.should_skip != 'true' | |
| name: pip-audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade "pip>=26.0" | |
| pip install . | |
| - name: Install pip-audit | |
| run: | | |
| pip install pip-audit | |
| - name: Run pip-audit | |
| run: | | |
| echo "" | |
| echo "##############################################################################" | |
| echo "# ⚠️ WARNING: CVE-2024-23342 (ecdsa) IS WHITELISTED IN THIS AUDIT ⚠️ #" | |
| echo "# ecdsa Minerva timing side-channel has NO upstream fix. #" | |
| echo "# python-ecdsa considers side-channel attacks out of scope. #" | |
| echo "# Whitelisted per pymdoccbor documentation — risk is accepted. #" | |
| echo "##############################################################################" | |
| echo "" | |
| pip-audit . --ignore-vuln CVE-2024-23342 | |
| # Optional: OSSF Scorecard for supply-chain security (repo-level) | |
| # Scorecard only supports the default branch (e.g. main) | |
| scorecard: | |
| needs: skip_check | |
| if: needs.skip_check.outputs.should_skip != 'true' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| name: OpenSSF Scorecard | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: read | |
| id-token: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Run OpenSSF Scorecard | |
| uses: ossf/scorecard-action@v2.4.3 | |
| with: | |
| results_file: scorecard-results.json | |
| results_format: json | |
| publish_results: true |