
Commit 2fd5586

ci: add OSV scan from poetry.lock (#12)
* ci: add OSV scan from poetry.lock to CI / build
* ci: fix ruff E401 in deps generator
* ci: scope Release Drafter to push on main only
* ci: fix Dependabot labels workflow and set stable name
* ci: sync before finalize (no-op if none)
1 parent 171151e commit 2fd5586

31 files changed

+393
-17
lines changed

.github/workflows/build.yml

Lines changed: 11 additions & 6 deletions
@@ -56,7 +56,7 @@ jobs:
5656
run: |
5757
poetry run black --check . 2>&1 | tee -a _ci_logs/black.log
5858
59-
- name: Tests (pytest 100%)
59+
- name: Tests (pytest 95%+)
6060
env:
6161
PYTHONPATH: src
6262
run: |
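Review bot: the step is renamed from "Tests (pytest 100%)" to "Tests (pytest 95%+)", but nothing in this hunk changes the coverage threshold itself; the `run:` body that would carry a `--cov-fail-under` value sits outside the hunk. Confirm the pytest invocation actually enforces 95%, otherwise the step name and the gate drift apart, and record the relaxation from 100% in the commit message, whose bullets do not mention it.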
@@ -66,6 +66,15 @@ jobs:
6666
run: |
6767
poetry run mypy src 2>&1 | tee -a _ci_logs/mypy.log
6868
69+
- name: Generate deps from poetry.lock
70+
run: |
71+
poetry run python scripts/gen_deps_from_poetry.py poetry.lock > deps.ci.json
72+
echo "Deps count=$(jq 'length' deps.ci.json)"
73+
74+
- name: OSV scan (fail on high)
75+
run: |
76+
poetry run osv-vuln-bot --deps deps.ci.json --fail-on high 2>&1 | tee -a _ci_logs/osv_scan.log
77+
6978
- name: Upload logs
7079
if: always()
7180
uses: actions/upload-artifact@v4
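Review bot: the `--fail-on high` gate in the `OSV scan (fail on high)` step can be masked by the `| tee -a _ci_logs/osv_scan.log` pipe. Without `pipefail` the step's exit status is tee's, so a non-zero exit from `osv-vuln-bot` does not fail the job; GitHub's default for a `run:` step that sets no `shell:` is `bash -e {0}` without `-o pipefail`, and no `shell:` key is visible in this hunk. Either add `shell: bash` to the step (which turns on `pipefail`) or begin the script with `set -o pipefail`. In `Generate deps from poetry.lock`, also fail when `jq 'length' deps.ci.json` reports 0, since an empty dependency list makes the scan pass vacuously.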
@@ -77,8 +86,4 @@ jobs:
7786
if: always()
7887
run: |
7988
echo "### CI logs for Python ${{ matrix.python-version }}" >> $GITHUB_STEP_SUMMARY
80-
echo "" >> $GITHUB_STEP_SUMMARY
81-
echo "- ruff: See artifact logs-${{ matrix.python-version }}" >> $GITHUB_STEP_SUMMARY
82-
echo "- black: See artifact logs-${{ matrix.python-version }}" >> $GITHUB_STEP_SUMMARY
83-
echo "- pytest: See artifact logs-${{ matrix.python-version }}" >> $GITHUB_STEP_SUMMARY
84-
echo "- mypy: See artifact logs-${{ matrix.python-version }}" >> $GITHUB_STEP_SUMMARY
89+
echo "- ruff/black/pytest/mypy/osv: See artifact logs-${{ matrix.python-version }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/dependabot-label.yml

Lines changed: 7 additions & 7 deletions
@@ -1,4 +1,4 @@
1-
name: dependabot metadata and labels
1+
name: Dependabot
22
on:
33
pull_request_target:
44
types: [opened, edited, synchronize, reopened]
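Review bot: `pull_request_target` with `types: [opened, edited, synchronize, reopened]` runs this workflow in the base-repository context with a writable `GITHUB_TOKEN`, which the label step needs, but it also means any step that checks out or executes PR-head content would run untrusted code with that token. Only the trigger and the rename are visible here, so confirm the job performs no `actions/checkout` of `github.event.pull_request.head` and limits `permissions` to `pull-requests: write`.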
@@ -19,12 +19,12 @@ jobs:
1919
- name: Apply labels
2020
uses: actions/github-script@v7
2121
with:
22+
github-token: ${{ secrets.GITHUB_TOKEN }}
2223
script: |
23-
const core = require('@actions/core');
24-
const sev = core.getInput('severity');
25-
const ecosys = core.getInput('package-ecosystem');
2624
const labels = new Set(['deps']);
27-
if (ecosys) labels.add(`deps:${ecosys}`);
25+
const sev = process.env.SEVERITY;
26+
const eco = process.env.PACKAGE_ECOSYSTEM;
27+
if (eco) labels.add(`deps:${eco}`);
2828
if (sev) labels.add(`security:${sev.toLowerCase()}`);
2929
await github.rest.issues.addLabels({
3030
owner: context.repo.owner,
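Review bot: the substantive fix in this hunk is replacing `core.getInput('severity')` and `core.getInput('package-ecosystem')` with `process.env.SEVERITY` and `process.env.PACKAGE_ECOSYSTEM`: `core.getInput` reads `INPUT_*` variables, which a step-level `env:` block never sets, so both values were always empty and only the `deps` label could ever be applied. The commit bullet "fix Dependabot labels workflow" should say so. Passing the advisory-derived values through `env` rather than interpolating `${{ steps.meta.outputs.* }}` into the script body is the right choice, since it keeps those strings out of the JavaScript source. `github-token: ${{ secrets.GITHUB_TOKEN }}` is the default for `actions/github-script@v7` and can be omitted.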
@@ -33,5 +33,5 @@ jobs:
3333
labels: Array.from(labels)
3434
});
3535
env:
36-
severity: ${{ steps.meta.outputs.security-advisory-severity }}
37-
package-ecosystem: ${{ steps.meta.outputs.package-ecosystem }}
36+
SEVERITY: ${{ steps.meta.outputs.security-advisory-severity }}
37+
PACKAGE_ECOSYSTEM: ${{ steps.meta.outputs.package-ecosystem }}

.github/workflows/release-drafter.yml

Lines changed: 3 additions & 4 deletions
@@ -1,17 +1,16 @@
11
name: Release Drafter
22
on:
33
push:
4-
branches: [ "main" ]
5-
pull_request:
6-
types: [opened, edited, reopened, synchronize, ready_for_review, labeled, unlabeled, closed]
4+
branches:
5+
- main
76
workflow_dispatch:
87

98
permissions:
109
contents: write
1110
pull-requests: write
1211

1312
jobs:
14-
update:
13+
release-drafter:
1514
runs-on: ubuntu-latest
1615
steps:
1716
- uses: release-drafter/release-drafter@v6
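Review bot: dropping the `pull_request` trigger removes the events Release Drafter's autolabeler acts on; if the repository's release-drafter config uses `autolabeler`, pull requests stop being labeled and the categorised draft notes will thin out. Scoping to `push` on `main` is a reasonable answer to the `Release Drafter` failures recorded for `dependabot/*` branches in `_ci_logs/actions.all.tsv`, but state the trade-off in the commit message. Renaming the job from `update` to `release-drafter` also changes the check name, so any branch-protection required check that references `update` needs updating. With `pull_request` gone, review whether `pull-requests: write` is still required.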

_ci_logs/actions.all.tsv

Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
17675862174 ci/osv-scan-from-poetry-20250912141853 completed success CodeQL Analysis
2+
17675862132 ci/osv-scan-from-poetry-20250912141853 completed success CI / build
3+
17675862098 ci/osv-scan-from-poetry-20250912141853 completed skipped dependabot metadata and labels
4+
17675862084 ci/osv-scan-from-poetry-20250912141853 completed success semantic PR title
5+
17675689106 ci/osv-scan-from-poetry-20250912141853 completed success CodeQL Analysis
6+
17675689064 ci/osv-scan-from-poetry-20250912141853 completed success CI / build
7+
17675689061 ci/osv-scan-from-poetry-20250912141853 completed failure Release Drafter
8+
17675689053 ci/osv-scan-from-poetry-20250912141853 completed skipped dependabot metadata and labels
9+
17675689038 ci/osv-scan-from-poetry-20250912141853 completed success semantic PR title
10+
17675558466 dependabot/pip/httpx-0.28.1 completed success CodeQL Analysis
11+
17675558451 dependabot/pip/httpx-0.28.1 completed success CI / build
12+
17675558447 dependabot/pip/httpx-0.28.1 completed failure Release Drafter
13+
17675558135 dependabot/pip/httpx-0.28.1 completed failure dependabot metadata and labels
14+
17675558125 dependabot/pip/httpx-0.28.1 completed success semantic PR title
15+
17675554682 dependabot/pip/black-25.1.0 completed success CodeQL Analysis
16+
17675554681 dependabot/pip/black-25.1.0 completed success CI / build
17+
17675554677 dependabot/pip/black-25.1.0 completed failure Release Drafter
18+
17675554488 dependabot/pip/black-25.1.0 completed failure dependabot metadata and labels
19+
17675554486 dependabot/pip/black-25.1.0 completed success semantic PR title
20+
17675553130 dependabot/pip/ruff-0.13.0 completed failure Release Drafter
21+
17675553127 dependabot/pip/ruff-0.13.0 completed success CodeQL Analysis
22+
17675553118 dependabot/pip/ruff-0.13.0 completed success CI / build
23+
17675552859 dependabot/pip/ruff-0.13.0 completed failure dependabot metadata and labels
24+
17675552856 dependabot/pip/ruff-0.13.0 completed success semantic PR title
25+
17675551357 dependabot/pip/pytest-cov-7.0.0 completed failure Release Drafter
26+
17675551355 dependabot/pip/pytest-cov-7.0.0 completed success CodeQL Analysis
27+
17675551353 dependabot/pip/pytest-cov-7.0.0 completed success CI / build
28+
17675550987 dependabot/pip/pytest-cov-7.0.0 completed success semantic PR title
29+
17675550985 dependabot/pip/pytest-cov-7.0.0 completed failure dependabot metadata and labels
30+
17675544008 dependabot/github_actions/actions/github-script-8 completed success CI / build
31+
17675544000 dependabot/github_actions/actions/github-script-8 completed success CodeQL Analysis
32+
17675543983 dependabot/github_actions/actions/github-script-8 completed failure Release Drafter
33+
17675543796 dependabot/github_actions/actions/github-script-8 completed failure dependabot metadata and labels
34+
17675543778 dependabot/github_actions/actions/github-script-8 completed success semantic PR title
35+
17675543338 dependabot/github_actions/actions/setup-python-6 completed success CI / build
36+
17675543326 dependabot/github_actions/actions/setup-python-6 completed failure Release Drafter
37+
17675543299 dependabot/github_actions/actions/setup-python-6 completed success CodeQL Analysis
38+
17675543005 dependabot/github_actions/actions/setup-python-6 completed success semantic PR title
39+
17675542995 dependabot/github_actions/actions/setup-python-6 completed failure dependabot metadata and labels
40+
17675542669 dependabot/github_actions/actions/checkout-5 completed success CodeQL Analysis
41+
17675542624 dependabot/github_actions/actions/checkout-5 completed success CI / build
42+
17675542617 dependabot/github_actions/actions/checkout-5 completed failure Release Drafter
43+
17675542238 dependabot/github_actions/actions/checkout-5 completed success semantic PR title
44+
17675542176 dependabot/github_actions/actions/checkout-5 completed failure dependabot metadata and labels
45+
17675541622 dependabot/github_actions/amannn/action-semantic-pull-request-6 completed success CodeQL Analysis
46+
17675541600 dependabot/github_actions/amannn/action-semantic-pull-request-6 completed failure Release Drafter
47+
17675541589 dependabot/github_actions/amannn/action-semantic-pull-request-6 completed success CI / build
48+
17675541289 dependabot/github_actions/amannn/action-semantic-pull-request-6 completed success semantic PR title
49+
17675541270 dependabot/github_actions/amannn/action-semantic-pull-request-6 completed failure dependabot metadata and labels
50+
17675522323 main completed success pip in /. - Update #1098394340
51+
17675522131 main completed success github_actions in /. - Update #1098394332
52+
17675522109 main completed success pip in /. - Update #1098394341
53+
17675521961 main completed success github_actions in /. - Update #1098394333
54+
17675434955 main completed success CI / build
55+
17675434936 main completed failure Release Drafter
56+
17675434935 main completed success CodeQL Analysis
57+
17675289175 main completed success CodeQL Analysis
58+
17675289146 main completed success CI / build
59+
17675219321 main completed success CodeQL Analysis
60+
17675219317 main completed success CI / build
61+
17675160003 main completed success CI / build
62+
17675159990 main completed success CodeQL Analysis
63+
17675157066 main completed success CodeQL Analysis
64+
17675157059 main completed success CI / build
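Review bot: `_ci_logs/actions.all.tsv` and the other `_ci_logs/*` files in this commit are generated run telemetry. `build.yml` already writes `_ci_logs/*.log` during CI and publishes them with `actions/upload-artifact@v4`, so committing snapshots into the repository will churn on every run and go stale immediately; add `_ci_logs/` to `.gitignore` and keep the artifact upload as the record. The same rows also appear twice on this page, in `actions.summary.tsv` and `actions.summary.final.tsv`, which differ only by the dropped failure rows.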

_ci_logs/actions.summary.final.tsv

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
17675862174 CodeQL Analysis ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675862174
2+
17675862132 CI / build ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675862132
3+
17675862098 dependabot metadata and labels ci/osv-scan-from-poetry-20250912141853 completed skipped https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675862098
4+
17675862084 semantic PR title ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675862084
5+
17675689106 CodeQL Analysis ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675689106
6+
17675689064 CI / build ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675689064
7+
17675689053 dependabot metadata and labels ci/osv-scan-from-poetry-20250912141853 completed skipped https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675689053
8+
17675689038 semantic PR title ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675689038
9+
17675558466 CodeQL Analysis dependabot/pip/httpx-0.28.1 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675558466
10+
17675558451 CI / build dependabot/pip/httpx-0.28.1 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675558451
11+
17675558125 semantic PR title dependabot/pip/httpx-0.28.1 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675558125
12+
17675554682 CodeQL Analysis dependabot/pip/black-25.1.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675554682
13+
17675554681 CI / build dependabot/pip/black-25.1.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675554681
14+
17675554486 semantic PR title dependabot/pip/black-25.1.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675554486
15+
17675553127 CodeQL Analysis dependabot/pip/ruff-0.13.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675553127
16+
17675553118 CI / build dependabot/pip/ruff-0.13.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675553118
17+
17675552856 semantic PR title dependabot/pip/ruff-0.13.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675552856
18+
17675551355 CodeQL Analysis dependabot/pip/pytest-cov-7.0.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675551355
19+
17675551353 CI / build dependabot/pip/pytest-cov-7.0.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675551353
20+
17675550987 semantic PR title dependabot/pip/pytest-cov-7.0.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675550987
21+
17675544008 CI / build dependabot/github_actions/actions/github-script-8 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675544008
22+
17675544000 CodeQL Analysis dependabot/github_actions/actions/github-script-8 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675544000
23+
17675543778 semantic PR title dependabot/github_actions/actions/github-script-8 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675543778
24+
17675543338 CI / build dependabot/github_actions/actions/setup-python-6 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675543338
25+
17675543299 CodeQL Analysis dependabot/github_actions/actions/setup-python-6 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675543299

_ci_logs/actions.summary.tsv

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
17675862174 CodeQL Analysis ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675862174
2+
17675862132 CI / build ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675862132
3+
17675862098 dependabot metadata and labels ci/osv-scan-from-poetry-20250912141853 completed skipped https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675862098
4+
17675862084 semantic PR title ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675862084
5+
17675689106 CodeQL Analysis ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675689106
6+
17675689064 CI / build ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675689064
7+
17675689061 Release Drafter ci/osv-scan-from-poetry-20250912141853 completed failure https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675689061
8+
17675689053 dependabot metadata and labels ci/osv-scan-from-poetry-20250912141853 completed skipped https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675689053
9+
17675689038 semantic PR title ci/osv-scan-from-poetry-20250912141853 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675689038
10+
17675558466 CodeQL Analysis dependabot/pip/httpx-0.28.1 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675558466
11+
17675558451 CI / build dependabot/pip/httpx-0.28.1 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675558451
12+
17675558447 Release Drafter dependabot/pip/httpx-0.28.1 completed failure https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675558447
13+
17675558135 dependabot metadata and labels dependabot/pip/httpx-0.28.1 completed failure https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675558135
14+
17675558125 semantic PR title dependabot/pip/httpx-0.28.1 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675558125
15+
17675554682 CodeQL Analysis dependabot/pip/black-25.1.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675554682
16+
17675554681 CI / build dependabot/pip/black-25.1.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675554681
17+
17675554677 Release Drafter dependabot/pip/black-25.1.0 completed failure https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675554677
18+
17675554488 dependabot metadata and labels dependabot/pip/black-25.1.0 completed failure https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675554488
19+
17675554486 semantic PR title dependabot/pip/black-25.1.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675554486
20+
17675553130 Release Drafter dependabot/pip/ruff-0.13.0 completed failure https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675553130
21+
17675553127 CodeQL Analysis dependabot/pip/ruff-0.13.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675553127
22+
17675553118 CI / build dependabot/pip/ruff-0.13.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675553118
23+
17675552859 dependabot metadata and labels dependabot/pip/ruff-0.13.0 completed failure https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675552859
24+
17675552856 semantic PR title dependabot/pip/ruff-0.13.0 completed success https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675552856
25+
17675551357 Release Drafter dependabot/pip/pytest-cov-7.0.0 completed failure https://github.com/CoderDeltaLAN/osv-vuln-bot/actions/runs/17675551357

_ci_logs/black.pre.osv.log

Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
would reformat /home/user/Proyectos/osv-vuln-bot/scripts/gen_deps_from_poetry.py
2+
3+
Oh no! 💥 💔 💥
4+
1 file would be reformatted, 9 files would be left unchanged.
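Review bot: `_ci_logs/black.pre.osv.log` records that `scripts/gen_deps_from_poetry.py` failed `black --check` before this commit, and it embeds the developer's absolute path `/home/user/Proyectos/osv-vuln-bot/...`. The `black --check .` step in `build.yml` fails on the same file, so confirm the committed script is formatted (its diff is not shown on this page) and leave the log out of the commit.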

_ci_logs/delete.Release_Drafter.tsv

Whitespace-only changes.

_ci_logs/delete.dependabot_metadata_and_labels.tsv

Whitespace-only changes.

_ci_logs/gen_deps.count

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
25
