Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 14 additions & 6 deletions .github/workflows/gh-pages.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,14 +23,12 @@

jobs:
prepare:
name: Prepare Poetry & Assured OSS
uses: ./.github/workflows/templates/prepare-poetry.yml
with:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
name: Prepare uv & Assured OSS
uses: ./.github/workflows/prepare-uv.yml
secrets:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

docs:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
name: Build & Deploy Docs
needs: prepare
runs-on: ubuntu-22.04
Expand All @@ -39,11 +37,21 @@
- name: Checkout repo
uses: actions/checkout@v4

- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.11"
enable-cache: true
cache-dependency-glob: "uv.lock"

- name: Install dependencies
run: uv sync --frozen

- name: Verify no public PyPI fallbacks
run: poetry run nox -s verify_assured
run: uv run nox -s verify_assured

- name: Build & collect docs via Nox
run: poetry run nox -s build_docs
run: uv run nox -s build_docs

- name: Deploy to GitHub Pages
uses: peaceiris/actions-gh-pages@v4
Expand Down
34 changes: 26 additions & 8 deletions .github/workflows/license.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,10 +34,8 @@ permissions:

jobs:
prepare:
name: Prepare Poetry & Assured OSS
uses: ./.github/workflows/templates/prepare-poetry.yml
with:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
name: Prepare uv & Assured OSS
uses: ./.github/workflows/prepare-uv.yml
secrets:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

Expand All @@ -49,11 +47,21 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.11"
enable-cache: true
cache-dependency-glob: "uv.lock"

- name: Install dependencies
run: uv sync --frozen

- name: Verify no public PyPI fallbacks
run: poetry run nox -s verify_assured
run: uv run nox -s verify_assured

- name: Run license_report session
run: poetry run nox -s license_report
run: uv run nox -s license_report

- name: Upload license report artifacts
uses: actions/upload-artifact@v4
Expand All @@ -74,10 +82,20 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.11"
enable-cache: true
cache-dependency-glob: "uv.lock"

- name: Install dependencies
run: uv sync --frozen

- name: Verify no public PyPI fallbacks
run: poetry run nox -s verify_assured
run: uv run nox -s verify_assured

- name: Run comment_violations session
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: poetry run nox -s comment_violations
run: uv run nox -s comment_violations
84 changes: 0 additions & 84 deletions .github/workflows/prepare-poetry.yml

This file was deleted.

47 changes: 47 additions & 0 deletions .github/workflows/prepare-uv.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Prepare uv Environment

on:
workflow_call:
secrets:
GCP_SA_JSON:
description: "Service account JSON for Google Artifact Registry"
required: true

permissions:
contents: read

jobs:
setup:
runs-on: ubuntu-latest

# Route uv installs through Assured OSS, falling back to PyPI
env:
UV_INDEX_URL: https://_json_key_base64:${{ secrets.GCP_SA_JSON }}@us-python.pkg.dev/cloud-aoss/cloud-aoss-python/simple
UV_EXTRA_INDEX_URL: https://pypi.org/simple

steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@v2.12
with:
egress-policy: audit

- name: Check out repository
uses: actions/checkout@v4

- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.11"
enable-cache: true
cache-dependency-glob: "uv.lock"

- name: Authenticate to Google Artifact Registry
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_SA_JSON }}

- name: Install Dependencies
run: uv sync --all-extras --frozen

- name: Export Dev Requirements
run: uv export --only-group dev --no-hashes --format requirements-txt --output-file dev-requirements.txt
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
20 changes: 14 additions & 6 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,10 +28,8 @@ permissions:

jobs:
prepare:
name: Prepare Poetry & Assured OSS
uses: ./.github/workflows/templates/prepare-poetry.yml
with:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
name: Prepare uv & Assured OSS
uses: ./.github/workflows/prepare-uv.yml
secrets:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

Expand All @@ -44,11 +42,21 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.11"
enable-cache: true
cache-dependency-glob: "uv.lock"

- name: Install dependencies
run: uv sync --frozen

- name: Verify no public PyPI fallbacks
run: poetry run nox -s verify_assured
run: uv run nox -s verify_assured

- name: Run Semantic-Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
run: poetry run semantic-release publish
run: uv run semantic-release publish
20 changes: 14 additions & 6 deletions .github/workflows/sbom.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,11 +28,9 @@ permissions:
security-events: write

jobs:
# 1. Prepare Poetry & Assured OSS environment (with caching)
# 1. Prepare uv & Assured OSS environment (with caching)
prepare:
uses: ./.github/workflows/templates/prepare-poetry.yml
with:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
uses: ./.github/workflows/prepare-uv.yml
secrets:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

Expand All @@ -45,8 +43,18 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.11"
enable-cache: true
cache-dependency-glob: "uv.lock"

- name: Install dependencies
run: uv sync --frozen

- name: Verify no public PyPI fallbacks
run: poetry run nox -s verify_assured
run: uv run nox -s verify_assured

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
Expand All @@ -58,7 +66,7 @@ jobs:
| sh -s -- -b /usr/local/bin

- name: Run SBOM Validate via Poetry
run: poetry run nox -s sbom_validate
run: uv run nox -s sbom_validate

- name: Upload SBOM artifact
uses: actions/upload-artifact@v4
Expand Down
20 changes: 14 additions & 6 deletions .github/workflows/security-pip-audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,9 +35,7 @@ permissions:

jobs:
prepare:
uses: ./.github/workflows/templates/prepare-poetry.yml
with:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
uses: ./.github/workflows/prepare-uv.yml
secrets:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

Expand All @@ -58,23 +56,33 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.11"
enable-cache: true
cache-dependency-glob: "uv.lock"

- name: Install dependencies
run: uv sync --frozen

- name: Verify no public PyPI fallbacks
run: poetry run nox -s verify_assured
run: uv run nox -s verify_assured

- name: Install jq for JSON parsing
run: |
sudo apt-get update && sudo apt-get install -y jq

- name: Run pip-audit scan (JSON)
run: |
poetry run pip-audit \
uv run pip-audit \
--requirement "${{ matrix.target.req }}" \
--format json \
--output "${{ matrix.target.name }}.json"

- name: Convert JSON → SARIF
run: |
poetry run sarif summary "${{ matrix.target.name }}.json" --format sarif \
uv run sarif summary "${{ matrix.target.name }}.json" --format sarif \
> "${{ matrix.target.name }}.sarif"

- name: Upload JSON report
Expand Down
22 changes: 15 additions & 7 deletions .github/workflows/security-semgrep.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,10 +37,8 @@ env:

jobs:
prepare:
name: Prepare Poetry & Assured OSS
uses: ./.github/workflows/templates/prepare-poetry.yml
with:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
name: Prepare uv & Assured OSS
uses: ./.github/workflows/prepare-uv.yml
secrets:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

Expand All @@ -52,15 +50,25 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.11"
enable-cache: true
cache-dependency-glob: "uv.lock"

- name: Install dependencies
run: uv sync --frozen

- name: Verify no public PyPI fallbacks
run: poetry run nox -s verify_assured
run: uv run nox -s verify_assured

- name: Run Semgrep session
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
poetry run nox -s semgrep_ci
uv run nox -s semgrep_ci
else
poetry run nox -s semgrep_full
uv run nox -s semgrep_full
fi

- name: Upload Semgrep SARIF (PR only)
Expand Down
Loading
Loading