ci: add dependencies audit

Forden · Forden · commit 2ed448d32892 · 2025-03-10T23:11:39.000+03:00
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -1,28 +1,20 @@
-name: "Linting"
+name: Audit
 
 on:
-  push:
-    branches:
-      - master
-      - main
-    paths:
-      - ".github/workflows/linting.yml"
-      - "aiogram_bot_template/**"
-      - "pyproject.toml"
   pull_request:
+    types: [opened, edited, synchronize, reopened]
+    branches:
+      - 'main'
+      - 'master'
+  push:
     branches:
-      - master
-      - main
-    paths:
-      - ".github/workflows/linting.yml"
-      - "aiogram_bot_template/**"
-      - "pyproject.toml"
+      - 'main'
+      - 'master'
+
+run-name: audit - ${{ github.sha }}
 
 jobs:
   build:
-    strategy:
-      fail-fast: false
-
     defaults:
       run:
         shell: bash
@@ -34,23 +26,40 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install poetry
-        run: pip install poetry
+        run: pipx install poetry
 
-      - name: Set up Python 3.10 on ubuntu-latest
-        uses: actions/setup-python@v5
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.10'
-          cache: "poetry"
+          cache: 'poetry'
           cache-dependency-path: poetry.lock
 
-      - name: Install project dependencies
-        run: poetry install --with dev
+      - name: Check pyproject.toml
+        id: check_pyproject
+        run: |
+          poetry check --lock --strict
+
+      - name: Install dependencies
+        id: install_deps
+        run: |
+          poetry sync --with dev
 
       - name: Ruff check
         run: poetry run python -m ruff check aiogram_bot_template --config pyproject.toml --output-format=github
+
       - name: Mypy check
         run: poetry run python -m mypy aiogram_bot_template --config-file pyproject.toml
+
       - name: Black check
         run: poetry run python -m black --check --diff aiogram_bot_template --config pyproject.toml
+
       - name: Isort check
         run: poetry run python -m isort --check aiogram_bot_template
+
+      - name: Audit dependencies PyPI
+        id: audit_deps_pypi
+        run: poetry run pip-audit -r <(poetry export -f requirements.txt --with dev --without-hashes) --vulnerability-service pypi --progress-spinner on
+
+      - name: Audit dependencies OSV
+        id: audit_deps_osv
+        run: poetry run pip-audit -r <(poetry export -f requirements.txt --with dev --without-hashes) --vulnerability-service osv --progress-spinner on
