From a5e43534c0cf35dcebf0f0fd83a22e8d916eda83 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 13 May 2026 13:39:16 +0000
Subject: [PATCH 1/3] =?UTF-8?q?=E2=9C=A8=20Add=20audit=5Fin=5Fci=20copier?= =?UTF-8?q?=20option,=20default=20off?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Make pip-audit in CI opt-in. Default (false) drops the pip-audit step from ci.yml and the pip-audit job from weekly-ci.yml -- rely on GitHub Dependabot alerts and run `just deps-audit` locally instead. When enabled, audit runs on the full locked set without filing an issue on failure; the failed workflow run is the signal.
---
 copier.yml | 7 +++
 project_name/.github/workflows/ci.yml.jinja | 2 +
 .../.github/workflows/weekly-ci.yml.jinja | 53 ++----------------
 3 files changed, 12 insertions(+), 50 deletions(-)
diff --git a/copier.yml b/copier.yml
index 040f513..041e5a8 100644
--- a/copier.yml
+++ b/copier.yml
@@ -136,6 +136,13 @@ format_tool:
 default: black
 choices: [black, ruff]
 
+audit_in_ci:
+ type: bool
+ help: >-
+ Run pip-audit on the full locked set in CI? If no, rely on GitHub
+ Dependabot alerts and run `just deps-audit` locally.
+ default: false
+
 in_pypi:
 type: bool
 help: Did you upload the package to PyPI?
diff --git a/project_name/.github/workflows/ci.yml.jinja b/project_name/.github/workflows/ci.yml.jinja
index fc81508..c2b5c88 100644
--- a/project_name/.github/workflows/ci.yml.jinja
+++ b/project_name/.github/workflows/ci.yml.jinja
@@ -99,9 +99,11 @@ jobs:
 run: uv pip list
 - name: Run deptry
 run: uv run --no-sync --with deptry -- deptry src/
+ {%- if audit_in_ci %}
 - name: Run pip-audit
 run: >-
 uv run --no-sync --with pip-audit -- pip-audit --skip-editable
+ {%- endif %}
 test:
diff --git a/project_name/.github/workflows/weekly-ci.yml.jinja b/project_name/.github/workflows/weekly-ci.yml.jinja
index 7add2ac..c23ef17 100644
--- a/project_name/.github/workflows/weekly-ci.yml.jinja
+++ b/project_name/.github/workflows/weekly-ci.yml.jinja
@@ -90,11 +90,11 @@ jobs:
 await core.notice(`Created issue ${issue.data.html_url}`);
 }
 
+{%- if audit_in_ci %}
+
 pip-audit:
 runs-on: ubuntu-latest
 timeout-minutes: 10
- permissions:
- issues: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
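Review bot: Removing the job's `permissions:` block together with `issues: write` leaves the pip-audit job with no explicit token scope, so its GITHUB_TOKEN falls back to the workflow-level `permissions:` or the repository default, and nothing in this hunk shows a workflow-level key that would keep that narrow. The remaining steps only check out the repo and run the audit, so an explicit `permissions:` with `contents: read` on the job preserves the least-privilege intent the removed block had; the same gap is present in the job as re-added by patch 3's weekly-ci.yml.jinja hunk, which also carries no `permissions:` key. The pip-audit job continues past the end of this hunk.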
@@ -115,51 +115,4 @@ jobs:
 with:
 inputs: requirements.txt
 require-hashes: true
- - name: Create failure issue
- if: failure()
- uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
- with:
- script: |
- // Check for existing audit failure issues
- const existingIssues = await github.rest.issues.listForRepo({
- owner: context.repo.owner,
- repo: context.repo.repo,
- state: 'open',
- labels: 'scheduled-ci-audit',
- per_page: 10
- });
-
- if (existingIssues.data.length > 0) {
- // Update existing issue instead of creating new one
- const existingIssue = existingIssues.data[0];
- await github.rest.issues.createComment({
- owner: context.repo.owner,
- repo: context.repo.repo,
- issue_number: existingIssue.number,
- body: `Another audit failure occurred on ${context.sha.substring(0, 7)}, see the [workflow run](${context.payload.repository.html_url}/actions/runs/${context.runId})`
- });
- await core.notice(`Updated existing issue ${existingIssue.html_url}`);
-
- } else {
- // Create new issue
- const issue = await github.rest.issues.create({
- owner: context.repo.owner,
- repo: context.repo.repo,
- title: `Scheduled CI Audit Failed - ${new Date().toISOString().split('T')[0]}`,
- body: `The scheduled CI audit check failed on ${context.sha.substring(0, 7)}.
-
- **Failed Jobs:**
- - Check the [workflow run](${context.payload.repository.html_url}/actions/runs/${context.runId})
-
- **Likely Causes:**
- - New security vulnerabilities detected by pip-audit
-
- **Next Steps:**
- - Review the logs above
- - Update locked dependencies
- - Re-run the workflow to verify fixes`,
- labels: ['scheduled-ci-audit'],
- assignees: [context.repo.owner],
- });
- await core.notice(`Created issue ${issue.data.html_url}`);
- }
+{%- endif %}
From 2d8a43ad874bc67a15dee4e95cf15409ca95408b Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 14 May 2026 10:17:15 +0000
Subject: [PATCH 2/3] =?UTF-8?q?=F0=9F=94=A5=20Drop=20weekly=20pip-audit=20?= =?UTF-8?q?job,=20clarify=20audit=5Fin=5Fci=20help?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The weekly pip-audit job re-ran against an unchanged lockfile and generated noisy issues whenever a new CVE was disclosed. Remove it entirely; the per-PR/push audit step (still gated by audit_in_ci) already covers actual dependency changes. Expand the option's help text to note that the audit only covers locked deps, which are irrelevant to downstream consumers.
---
 copier.yml | 7 +++--
 .../.github/workflows/weekly-ci.yml.jinja | 27 -------------------
 2 files changed, 5 insertions(+), 29 deletions(-)
diff --git a/copier.yml b/copier.yml
index 041e5a8..032e06e 100644
--- a/copier.yml
+++ b/copier.yml
@@ -139,8 +139,11 @@ format_tool:
 audit_in_ci:
 type: bool
 help: >-
- Run pip-audit on the full locked set in CI? If no, rely on GitHub
- Dependabot alerts and run `just deps-audit` locally.
+ Run pip-audit in CI? It audits the locked dependencies, which only
+ affect this repo's developers and CI -- downstream consumers resolve
+ their own deps, so the audit is mostly relevant for developer safety.
+ If no, rely on GitHub Dependabot alerts and run `just deps-audit`
+ locally.
 default: false
 
 in_pypi:
diff --git a/project_name/.github/workflows/weekly-ci.yml.jinja b/project_name/.github/workflows/weekly-ci.yml.jinja
index c23ef17..3c944aa 100644
--- a/project_name/.github/workflows/weekly-ci.yml.jinja
+++ b/project_name/.github/workflows/weekly-ci.yml.jinja
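Review bot: The new help text states that the locked dependencies "only affect this repo's developers and CI" and that the audit is "mostly relevant for developer safety", which understates the case: the locked set is also what CI executes when it builds and, if the project publishes (the `in_pypi` option sits directly below), releases the package, so a vulnerable or compromised locked build-time dependency can reach consumers even though they resolve their own runtime deps. A wording such as `affect this repo's developers, CI and any release built from the lock -- downstream consumers resolve their own runtime deps` keeps the author's point without overstating it; whether releases are actually built from this lock is not visible here, so phrase it conditionally. Patch 3's copier.yml hunk re-flows the same sentence and would need the same adjustment.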
@@ -89,30 +89,3 @@ jobs:
 });
 await core.notice(`Created issue ${issue.data.html_url}`);
 }
-
-{%- if audit_in_ci %}
-
- pip-audit:
- runs-on: ubuntu-latest
- timeout-minutes: 10
- steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- with:
- persist-credentials: false
- - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- with:
- cache-suffix: pip-audit
- - name: Export packages
- run: >-
- uv export
- --all-packages
- --all-extras
- --all-groups
- -o requirements.txt
- --no-emit-local
- --locked
- - uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0
- with:
- inputs: requirements.txt
- require-hashes: true
-{%- endif %}
From be868dc3039723d8c859450c185ff7c0392ad81a Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 14 May 2026 10:20:41 +0000
Subject: [PATCH 3/3] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Scope=20audit=5Fin=5Fc?= =?UTF-8?q?i=20to=20the=20weekly=20job?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The per-PR/push pip-audit step in ci.yml only fires when the lockfile changes, so it's cheap and accurate -- keep it always on. The weekly audit re-scans an unchanged lockfile against newly-disclosed CVEs and is the noisy one; gate that behind audit_in_ci instead. Drop its issue-creation step (failed workflow run is the signal).
---
 copier.yml | 10 +++---
 project_name/.github/workflows/ci.yml.jinja | 2 --
 .../.github/workflows/weekly-ci.yml.jinja | 26 +++++++++++++++++++
 3 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/copier.yml b/copier.yml
index 032e06e..d45c9ab 100644
--- a/copier.yml
+++ b/copier.yml
@@ -139,11 +139,11 @@ format_tool:
 audit_in_ci:
 type: bool
 help: >-
- Run pip-audit in CI? It audits the locked dependencies, which only
- affect this repo's developers and CI -- downstream consumers resolve
- their own deps, so the audit is mostly relevant for developer safety.
- If no, rely on GitHub Dependabot alerts and run `just deps-audit`
- locally.
+ Run pip-audit in weekly CI? It audits the locked dependencies, which
+ only affect this repo's developers and CI -- downstream consumers
+ resolve their own deps, so the audit is mostly relevant for developer
+ safety. GitHub Dependabot alerts and `just deps-audit` are always
+ available.
 default: false
 
 in_pypi:
diff --git a/project_name/.github/workflows/ci.yml.jinja b/project_name/.github/workflows/ci.yml.jinja
index c2b5c88..fc81508 100644
--- a/project_name/.github/workflows/ci.yml.jinja
+++ b/project_name/.github/workflows/ci.yml.jinja
@@ -99,11 +99,9 @@ jobs:
 run: uv pip list
 - name: Run deptry
 run: uv run --no-sync --with deptry -- deptry src/
- {%- if audit_in_ci %}
 - name: Run pip-audit
 run: >-
 uv run --no-sync --with pip-audit -- pip-audit --skip-editable
- {%- endif %}
 test:
diff --git a/project_name/.github/workflows/weekly-ci.yml.jinja b/project_name/.github/workflows/weekly-ci.yml.jinja
index 3c944aa..b915760 100644
--- a/project_name/.github/workflows/weekly-ci.yml.jinja
+++ b/project_name/.github/workflows/weekly-ci.yml.jinja
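Review bot: Un-gating the `- name: Run pip-audit` step makes it unconditional within its job, yet nothing in this hunk limits it to lockfile changes as the commit message claims; the job header and any `paths` or `if:` filter sit outside the hunk, so if that filter is absent this step re-scans an unchanged environment on every push and carries the same newly-disclosed-CVE noise the weekly job is now gated for. The step also audits the synced environment (`pip-audit --skip-editable` with no input file), while the weekly job audits the `uv export --all-packages --all-extras --all-groups` set, so the two do not necessarily cover the same packages. A comment on the step such as `# Audits the synced environment; the weekly pip-audit job covers the full locked export` would make that split explicit for template users. The enclosing job begins before this hunk.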
@@ -89,3 +89,29 @@ jobs:
 });
 await core.notice(`Created issue ${issue.data.html_url}`);
 }
+{%- if audit_in_ci %}
+
+ pip-audit:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+ with:
+ cache-suffix: pip-audit
+ - name: Export packages
+ run: >-
+ uv export
+ --all-packages
+ --all-extras
+ --all-groups
+ -o requirements.txt
+ --no-emit-local
+ --locked
+ - uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0
+ with:
+ inputs: requirements.txt
+ require-hashes: true
+{%- endif %}