fix: enable safety.yml in the GitHub workflow for all pull requests associated with main, and not keep using the pull_request_target

nshalabh · nshalabh · commit 174adb00d3c9 · 2025-11-19T12:16:00.000-06:00
diff --git a/.github/workflows/safety.yml b/.github/workflows/safety.yml
@@ -1,4 +1,4 @@
-name: safety - Python Dependency Check (Overridden)
+name: safety - Python Dependency Check
 
 on:
   pull_request:
@@ -7,11 +7,58 @@ on:
   push:
 
 jobs:
-  Safety-Override:
+  Linting:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        python-version: [3.12]
     steps:
-      - name: Override original safety check
+      #----------------------------------------------
+      #       check-out repo and set-up python
+      #----------------------------------------------
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Set up python
+        id: setup-python
+        uses: actions/setup-python@v3
+        with:
+          python-version: 3.12
+      #----------------------------------------------
+      #  -----  install & configure poetry  -----
+      #----------------------------------------------
+      - name: Load Cached Poetry Installation
+        uses: actions/cache@v3
+        with:
+          path: ~/.local # the path depends on the OS
+          key: poetry-no-dev-2 # increment to reset cache
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+          installer-parallel: true
+      #----------------------------------------------
+      #       load cached venv if cache exists
+      #----------------------------------------------
+      - name: Load cached venv
+        id: cached-poetry-no-dev-dependencies
+        uses: actions/cache@v3
+        with:
+          path: .venv
+          key: venv-no-dev-dependencies-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }}
+      #----------------------------------------------
+      # install dependencies if cache does not exist
+      #----------------------------------------------
+      - name: Install dependencies
+        if: steps.cached-poetry-no-dev-dependencies.outputs.cache-hit != 'true'
+        run: poetry install --only main --no-root
+      #----------------------------------------------
+      # Run Safety scan
+      #----------------------------------------------
+      - name: Safety scan
+        env:
+          API_KEY: ${{secrets.SAFETY_API_KEY}}
         run: |
-          echo "Safety check overridden - vulnerabilities 66742 and 77744 are addressed in pyproject.toml"
-          echo "black==24.3.0 and urllib3==2.5.0 resolve the security issues"
-          exit 0
+          poetry run pip install safety
+          poetry run safety --key "$API_KEY" --stage cicd scan
