GitHub Actions do not support yaml anchors (yet!)

inab · Jan 20, 2025 · fa8151d · fa8151d
1 parent 314f8b0
commit fa8151d
Showing 1 changed file with 54 additions and 2 deletions.
diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml
@@ -12,7 +12,7 @@ jobs:
       matrix:
         python-version: [ "3.8", "3.9", "3.10", "3.11", "3.12", "3.13" ]
     name: pip-audit python ${{ matrix.python-version }}
-    steps:  &idsteps
+    steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v4
         with:
@@ -72,7 +72,59 @@ jobs:
       matrix:
         python-version: [ "3.7" ]
     name: pip-audit python ${{ matrix.python-version }}
-    steps:  *idsteps
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+          cache-dependency-path: |
+            requirements.txt
+          architecture: x64
+      - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})'
+        run: |
+          python -mvenv /tmp/PIPAUDIT
+          source /tmp/PIPAUDIT/bin/activate
+          pip install --upgrade pip wheel
+          pip install pip-audit
+#      - name: 'Freeze Python ${{ matrix.python-version }} constraints'
+#        run: |
+#          pip freeze > constraints-${{ matrix.python-version }}.txt
+      - id: gen-cve-output
+        run: |
+          source /tmp/PIPAUDIT/bin/activate
+          set +e
+          pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-before.md
+          refreeze=$?
+          set -e
+          
+          if [ "$refreeze" != 0 ] ; then
+            deactivate
+            python -mvenv /tmp/PIPFREEZE
+            source /tmp/PIPFREEZE/bin/activate
+            pip install --upgrade pip wheel
+            pip install -r requirements.txt
+            pip freeze > constraints-${{ matrix.python-version }}.txt
+            
+            # Re-audit the populated environment
+            deactivate
+            source /tmp/PIPAUDIT/bin/activate
+            set +e
+            pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-after.md
+            auditres=$?
+            set -e
+            
+            if [ "$auditres" = 0 ] ; then
+              (echo "# Fixed issues" ; cat /tmp/report-before.md) >> "$GITHUB_STEP_SUMMARY"
+            else
+              # Time to emit the report
+              (echo "# Issues not solved" ; cat /tmp/report-after.md) >> "$GITHUB_STEP_SUMMARY"              
+            fi
+          fi
+      - uses: actions/upload-artifact@v3
+        with:
+          retention-days: 2
+          path: constraints-${{ matrix.python-version }}.txt
 
   pull_request_changes:
     # Do this only when it is not a pull request validation