Skip to content

pip-audit brew packages #1099

pip-audit brew packages

pip-audit brew packages #1099

Workflow file for this run

name: pip-audit brew packages
on:
workflow_dispatch:
schedule:
- cron: '0 8 * * *'
jobs:
audit:
runs-on: macos-latest
permissions:
# NOTE: Needed to push to the repository.
contents: write
outputs:
auto-pr-ref: ${{ steps.commit.outputs.auto-pr-ref }}
steps:
- name: Check out this repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
# credentials intentionally persisted for git operations below
persist-credentials: true
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: "3.x"
- name: Set up Homebrew
id: set-up-homebrew
uses: Homebrew/actions/setup-homebrew@master
with:
core: true
cask: false
test-bot: false
- name: Configure Homebrew, install dependencies
run: |
brew developer on
brew install osv-scanner
brew untap --force hashicorp/tap || true
- run: brew ruby formula2requirements.rb
env:
HOMEBREW_NO_AUTO_UPDATE: 1
HOMEBREW_NO_INSTALL_FROM_API: 1
HOMEBREW_EVAL_ALL: 1
- run: python3 pip-audit-bulk
- name: Commit and push if it changed
id: commit
run: |-
git config user.name "github.actions"
git config user.email "[email protected]"
git add -A
timestamp=$(date -u)
git commit -m "Latest data: ${timestamp}" || exit 0
echo "auto-pr-ref=$(git rev-parse HEAD)" >> "${GITHUB_OUTPUT}"
git push
auto-pr:
needs: [audit]
uses: ./.github/workflows/auto-pr.yml
secrets: inherit
with:
# NOTE: Without this, the reusable workflow will checkout
# the GITHUB_REF from the caller workflow, i.e. the commit
# right before our push above.
ref: ${{ needs.audit.outputs.auto-pr-ref }}