From b5ec1678067dee10c20465434eeaf59b12e65c47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nerijus=20Bend=C5=BEi=C5=ABnas?= Date: Fri, 10 Jul 2026 05:20:02 +0300 Subject: [PATCH 1/3] ci(audit): drop stale nltk advisory ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GHSA-p4gq-832x-fm9v matches nothing since the nltk 3.10.0 bump in PR #129; uv audit warns about the dangling ignore on every run. Signed-off-by: Nerijus Bendžiūnas --- .github/workflows/security-audit.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml index 35ac704..896ce10 100644 --- a/.github/workflows/security-audit.yml +++ b/.github/workflows/security-audit.yml @@ -19,6 +19,4 @@ jobs: # yamllint disable-line rule:line-length uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Audit dependencies - run: >- - uv audit --frozen --preview-features audit-command - --ignore-until-fixed GHSA-p4gq-832x-fm9v + run: uv audit --frozen --preview-features audit-command From 739f894ace3f7cd4769fe947b6d2449299bb7c50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nerijus=20Bend=C5=BEi=C5=ABnas?= Date: Fri, 10 Jul 2026 05:22:52 +0300 Subject: [PATCH 2/3] ci(audit): open an issue when the scheduled audit fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 2026-07-07 scheduled failure sat unseen in the Actions tab until PR #128 tripped over the same advisories. Signed-off-by: Nerijus Bendžiūnas --- .github/workflows/security-audit.yml | 49 +++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml index 896ce10..79be474 100644 --- a/.github/workflows/security-audit.yml +++ b/.github/workflows/security-audit.yml @@ -9,6 +9,9 @@ permissions: jobs: audit: runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - name: Checkout code # yamllint disable-line rule:line-length @@ -19,4 +22,48 @@ jobs: # yamllint disable-line rule:line-length uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Audit dependencies - run: uv audit --frozen --preview-features audit-command + run: | + set -o pipefail + uv audit --frozen --preview-features audit-command 2>&1 | + tee audit.log + - name: Report failure in a tracking issue + if: failure() && github.event_name == 'schedule' + env: + GH_TOKEN: ${{ github.token }} + GH_REPO: ${{ github.repository }} + run: | + run_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" + run_url="$run_url/actions/runs/$GITHUB_RUN_ID" + { + echo "Scheduled security audit failed: $run_url" + echo + echo '```' + cat audit.log + echo '```' + echo + echo '' + } > issue-body.md + issue=$(gh issue list --state open \ + --search 'Security audit failing in:title' \ + --json number --jq '.[0].number') + if [ -n "$issue" ]; then + gh issue comment "$issue" --body-file issue-body.md + else + gh issue create --title "Security audit failing" \ + --body-file issue-body.md + fi + - name: Close the tracking issue + if: success() && github.event_name == 'schedule' + env: + GH_TOKEN: ${{ github.token }} + GH_REPO: ${{ github.repository }} + run: |- + run_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" + run_url="$run_url/actions/runs/$GITHUB_RUN_ID" + issue=$(gh issue list --state open \ + --search 'Security audit failing in:title' \ + --json number --jq '.[0].number') + if [ -n "$issue" ]; then + gh issue close "$issue" \ + --comment "Scheduled security audit is green again: $run_url" + fi From 7a74d2b10cbe8a28b56abb3dcc33ee721a67395d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nerijus=20Bend=C5=BEi=C5=ABnas?= Date: Fri, 10 Jul 2026 05:23:20 +0300 Subject: [PATCH 3/3] ci(audit): run the scheduled audit daily MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Weekly left up to a six-day window between a published advisory and its detection; issue-based notification makes the extra runs free to act on. Signed-off-by: Nerijus Bendžiūnas --- .github/workflows/security-audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml index 79be474..5c864f8 100644 --- a/.github/workflows/security-audit.yml +++ b/.github/workflows/security-audit.yml @@ -3,7 +3,7 @@ name: Security Audit on: # yamllint disable-line rule:truthy pull_request: schedule: - - cron: 13 3 * * 2 + - cron: 13 3 * * * permissions: contents: read jobs: