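---
# Scheduled dependency audit: runs pip-audit against the installed package,
# publishes the JSON report as an artifact, fails the job when known
# vulnerabilities are found, and opens a tracking issue so the failure is
# not lost in the scheduled-run history.
name: Security Audit

on:  # yamllint disable-line rule:truthy
  schedule:
    # Run security audit daily at 2 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch:  # Allow manual trigger

# Least privilege for GITHUB_TOKEN: checkout needs read access to the
# repository and the "Create issue on failure" step needs to write issues.
# Without this block the job inherits the repository default, which may be
# either too broad or (if set to read-only) too narrow for issue creation.
permissions:
  contents: read
  issues: write

jobs:
  security-audit:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are pinned to mutable major tags;
      # pinning to a full commit SHA is the usual supply-chain hardening for
      # a job whose token holds issues:write.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'
          cache: 'pip'

      - name: Install dependencies
        # pip-audit itself is assumed to be provided by the [dev] extras —
        # confirm against the project's packaging metadata; otherwise add an
        # explicit install here.
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"

      # Single scan: the JSON report and the pass/fail verdict come from the
      # same pip-audit invocation, so the uploaded report always matches the
      # reason the job failed. continue-on-error lets the upload run first;
      # the real result is read back via steps.audit.outcome below.
      - name: Run pip-audit
        id: audit
        run: pip-audit --format json --output audit-report.json
        continue-on-error: true

      - name: Upload audit report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-audit-report
          path: audit-report.json
          retention-days: 30

      - name: Check for vulnerabilities
        # pip-audit exits non-zero when it finds known vulnerabilities; fail
        # the job on that outcome instead of re-running the scan.
        if: steps.audit.outcome == 'failure'
        run: |
          echo "pip-audit reported vulnerabilities; see the security-audit-report artifact."
          exit 1

      - name: Create issue on failure
        # Open an issue only for an actual audit finding — not for install or
        # infrastructure failures — and avoid stacking a duplicate issue on
        # every daily run while the first one is still open.
        if: failure() && steps.audit.outcome == 'failure'
        uses: actions/github-script@v7
        with:
          script: |
            const labels = ['security', 'dependencies'];
            const title = 'Security vulnerabilities detected';
            const { data: openIssues } = await github.rest.issues.listForRepo({
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'open',
              labels: labels.join(','),
              per_page: 100,
            });
            if (openIssues.some((issue) => issue.title === title)) {
              core.info('An open security audit issue already exists; not creating another.');
              return;
            }
            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title,
              body: `The scheduled security audit has detected vulnerabilities. Please review the audit report in the workflow artifacts.\n\nWorkflow run: ${runUrl}`,
              labels,
            });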