diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bc66bf4..e2ce094 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,11 +5,16 @@ on: branches: [main] pull_request: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: contents: read jobs: pre-commit: + name: Pre-commit runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -23,6 +28,7 @@ jobs: - run: pre-commit run --all-files --show-diff-on-failure --color=always test: + name: Test runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -38,11 +44,12 @@ jobs: run: pytest security: + name: Security audit runs-on: ubuntu-latest permissions: contents: read - pull-requests: write - security-events: write + pull-requests: write # Post or update PR comments with scan results from the composite action + security-events: write # Upload SARIF to GitHub code scanning when the audit publishes security events steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index ad3c5d3..8e5af1b 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -230,9 +230,11 @@ jobs: - name: Record step outcome if: always() + env: + AUDIT_OUTCOME: ${{ steps.audit.outcome }} run: | mkdir -p outcome - echo "${{ steps.audit.outcome }}" > outcome/outcome.txt + echo "$AUDIT_OUTCOME" > outcome/outcome.txt - name: Upload outcome if: always() @@ -248,7 +250,7 @@ jobs: needs: [integration-test] runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: write # Post or update the integration-test validation report on PRs steps: - name: Checkout action repo 
@@ -298,6 +300,8 @@ jobs: if: always() && github.event_name == 'pull_request' env: GH_TOKEN: ${{ github.token }} + PR_NUMBER: ${{ github.event.pull_request.number }} + GITHUB_REPOSITORY: ${{ github.repository }} run: | if [ ! -f validation-report.md ]; then echo "No report generated" >&2 @@ -305,12 +309,11 @@ jobs: fi MARKER="" - PR_NUMBER="${{ github.event.pull_request.number }}" # Find existing comment with our marker COMMENT_ID=$( gh api \ - "repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \ + "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \ --paginate -q \ ".[] | select(.body | contains(\"${MARKER}\")) | .id" \ | head -n 1 @@ -318,7 +321,7 @@ jobs: if [ -n "$COMMENT_ID" ]; then gh api \ - "repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \ + "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}" \ --method PATCH \ -F "body=@validation-report.md" echo "Updated existing comment ${COMMENT_ID}" diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 2f43579..4164007 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -4,15 +4,20 @@ on: push: branches: [main] +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + permissions: {} jobs: release-please: + name: Release Please runs-on: ubuntu-latest environment: release permissions: - contents: write - pull-requests: write + contents: write # Create releases, tags, and release branches + pull-requests: write # Open and update pin README pull requests steps: - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0 id: release 
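Review bot: `GITHUB_REPOSITORY: ${{ github.repository }}` in the new `env:` block redefines a variable the runner already exports with the same value, so the binding is redundant and the job-level definition would silently win if someone later changed the expression. Prefer reading the runner's `GITHUB_REPOSITORY` directly and keep only `PR_NUMBER` in `env:`, or give the variable a workflow-specific name such as `REPO_SLUG` if the explicit binding is wanted for readability. The same redefinition is added in release-please.yml's tag-push step (`@@ -28,31 +33,36`). The `run:` script continues past the end of this hunk.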
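Review bot: The rewritten lookup `"repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments"` filters with `select(.body | contains(\"${MARKER}\"))`, and `MARKER` is assigned `""` on the context line just above (as rendered here; it may be an HTML comment the page extraction dropped). If the value really is empty, `contains("")` matches every comment, `head -n 1` picks the PR's first comment, and the PATCH in the next hunk overwrites it, possibly clobbering a human reviewer's comment. A guard before the lookup, `[ -n "$MARKER" ] || { echo "MARKER must be set" >&2; exit 1; }`, would make that failure explicit instead of silent. The enclosing `run:` script starts in the previous hunk and continues past this one.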
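Review bot: `cancel-in-progress: true` on a release workflow lets a second push to main cancel an in-flight run between steps — after `release-please-action` has created the release but before the major tag is force-pushed, the README pin PR is opened, or the tests-repo dispatch is sent — leaving a half-finished release with no automatic retry. Queuing is the safer behaviour here: `cancel-in-progress: false`. The `github.event.pull_request.number ||` half of the group key is also dead in this file since, as far as the hunk shows, it only triggers on `push` to `main`, so `group: ${{ github.workflow }}-${{ github.ref }}` would say the same thing more plainly.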
@@ -28,31 +33,36 @@ jobs: if: ${{ steps.release.outputs.release_created }} env: GITHUB_TOKEN: ${{ github.token }} + GITHUB_REPOSITORY: ${{ github.repository }} + RELEASE_MAJOR: ${{ steps.release.outputs.major }} + RELEASE_TAG_NAME: ${{ steps.release.outputs.tag_name }} run: | git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" - git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git" - git tag -fa "v${{ steps.release.outputs.major }}" \ - -m "Release v${{ steps.release.outputs.tag_name }}" - git push origin "v${{ steps.release.outputs.major }}" --force + git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" + git tag -fa "v${RELEASE_MAJOR}" \ + -m "Release v${RELEASE_TAG_NAME}" + git push origin "v${RELEASE_MAJOR}" --force - name: Pin README to release SHA if: ${{ steps.release.outputs.release_created }} env: GH_TOKEN: ${{ github.token }} + RELEASE_SHA: ${{ steps.release.outputs.sha }} + RELEASE_TAG_NAME: ${{ steps.release.outputs.tag_name }} run: | sed -i -E \ - 's|lhoupert/action-python-security-auditing@[^ ]+( # v[0-9][^ ]*)?|lhoupert/action-python-security-auditing@${{ steps.release.outputs.sha }} # ${{ steps.release.outputs.tag_name }}|g' \ + "s|developmentseed/action-python-security-auditing@[^ ]+( # v[0-9][^ ]*)?|developmentseed/action-python-security-auditing@${RELEASE_SHA} # ${RELEASE_TAG_NAME}|g" \ README.md git add README.md git diff --cached --quiet && echo "README unchanged, skipping commit" && exit 0 - BRANCH="chore/pin-readme-${{ steps.release.outputs.tag_name }}" + BRANCH="chore/pin-readme-${RELEASE_TAG_NAME}" git checkout -b "$BRANCH" - git commit -m "chore: pin README to ${{ steps.release.outputs.tag_name }}" + git commit -m "chore: pin README to ${RELEASE_TAG_NAME}" git push origin "$BRANCH" gh pr create \ - --title "chore: pin README to ${{ steps.release.outputs.tag_name }}" \ - --body 
"Automated: pin README SHA references to release ${{ steps.release.outputs.tag_name }}." \ + --title "chore: pin README to ${RELEASE_TAG_NAME}" \ + --body "Automated: pin README SHA references to release ${RELEASE_TAG_NAME}." \ --base main \ --head "$BRANCH" @@ -60,9 +70,11 @@ jobs: if: ${{ steps.release.outputs.release_created }} env: GH_TOKEN: ${{ secrets.TESTS_REPO_DISPATCH_TOKEN }} + RELEASE_SHA: ${{ steps.release.outputs.sha }} + RELEASE_TAG_NAME: ${{ steps.release.outputs.tag_name }} run: | gh api repos/lhoupert/action-python-security-auditing-tests/dispatches \ --method POST \ -f event_type=action-release \ - -F client_payload[sha]='${{ steps.release.outputs.sha }}' \ - -F client_payload[tag]='${{ steps.release.outputs.tag_name }}' + -F "client_payload[sha]=${RELEASE_SHA}" \ + -F "client_payload[tag]=${RELEASE_TAG_NAME}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index c3b7566..20835a3 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -7,17 +7,21 @@ on: # Weekly on Saturdays. - cron: "30 1 * * 6" -permissions: read-all +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: + contents: read + actions: read # Required by Scorecard to evaluate workflow security posture jobs: analysis: name: Scorecard analysis runs-on: ubuntu-latest permissions: - # Needed for Code scanning upload - security-events: write - # Needed for GitHub OIDC token if publish_results is true - id-token: write + security-events: write # Upload Scorecard SARIF to the code scanning API + id-token: write # GitHub OIDC token when publish_results is true steps: - name: "Checkout code" diff --git a/CHANGELOG.md b/CHANGELOG.md index f82d846..a4894a1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
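Review bot: The dispatch target `repos/lhoupert/action-python-security-auditing-tests/dispatches` still names the old owner while every other reference in this commit moves to `developmentseed`. If the tests repository was transferred as well, the path should become `repos/developmentseed/action-python-security-auditing-tests/dispatches` and `TESTS_REPO_DISPATCH_TOKEN` must be scoped to the new location; if it deliberately stays under `lhoupert`, a comment on the line, `# tests repo intentionally still lives under lhoupert`, would keep the next rename sweep from changing it. The move to `-F "client_payload[sha]=${RELEASE_SHA}"` from inline `${{ }}` expansion is the right direction and needs no change.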
@@ -1,76 +1,76 @@ # Changelog -## [0.5.0](https://github.com/lhoupert/action-python-security-auditing/compare/v0.4.3...v0.5.0) (2026-03-30) +## [0.5.0](https://github.com/developmentseed/action-python-security-auditing/compare/v0.4.3...v0.5.0) (2026-03-30) ### Features -* add integration tests ([#42](https://github.com/lhoupert/action-python-security-auditing/issues/42)) ([437ac46](https://github.com/lhoupert/action-python-security-auditing/commit/437ac46491009a5784e6defab2a933901fe2dfe0)) +* add integration tests ([#42](https://github.com/developmentseed/action-python-security-auditing/issues/42)) ([437ac46](https://github.com/developmentseed/action-python-security-auditing/commit/437ac46491009a5784e6defab2a933901fe2dfe0)) -## [0.4.3](https://github.com/lhoupert/action-python-security-auditing/compare/v0.4.2...v0.4.3) (2026-03-28) +## [0.4.3](https://github.com/developmentseed/action-python-security-auditing/compare/v0.4.2...v0.4.3) (2026-03-28) ### Bug Fixes -* add debug logging and fix bandit multi-target separator ([#36](https://github.com/lhoupert/action-python-security-auditing/issues/36)) ([b0d01ab](https://github.com/lhoupert/action-python-security-auditing/commit/b0d01ab5838a99fe9b2a25503dbb3b01e9c6b5b2)) +* add debug logging and fix bandit multi-target separator ([#36](https://github.com/developmentseed/action-python-security-auditing/issues/36)) ([b0d01ab](https://github.com/developmentseed/action-python-security-auditing/commit/b0d01ab5838a99fe9b2a25503dbb3b01e9c6b5b2)) -## [0.4.2](https://github.com/lhoupert/action-python-security-auditing/compare/v0.4.1...v0.4.2) (2026-03-28) +## [0.4.2](https://github.com/developmentseed/action-python-security-auditing/compare/v0.4.1...v0.4.2) (2026-03-28) ### Bug Fixes -* fix inconsistencies ([#33](https://github.com/lhoupert/action-python-security-auditing/issues/33)) ([3c796ff](https://github.com/lhoupert/action-python-security-auditing/commit/3c796ff9399a22215ac0da94f0dc05d8f92e66a2)) +* fix inconsistencies 
([#33](https://github.com/developmentseed/action-python-security-auditing/issues/33)) ([3c796ff](https://github.com/developmentseed/action-python-security-auditing/commit/3c796ff9399a22215ac0da94f0dc05d8f92e66a2)) -## [0.4.1](https://github.com/lhoupert/action-python-security-auditing/compare/v0.4.0...v0.4.1) (2026-03-28) +## [0.4.1](https://github.com/developmentseed/action-python-security-auditing/compare/v0.4.0...v0.4.1) (2026-03-28) ### Bug Fixes -* add bandit report to artifacts ([#27](https://github.com/lhoupert/action-python-security-auditing/issues/27)) ([8180cd7](https://github.com/lhoupert/action-python-security-auditing/commit/8180cd7e7731f985b1a9c8095b5a38bb867ae915)) +* add bandit report to artifacts ([#27](https://github.com/developmentseed/action-python-security-auditing/issues/27)) ([8180cd7](https://github.com/developmentseed/action-python-security-auditing/commit/8180cd7e7731f985b1a9c8095b5a38bb867ae915)) -## [0.4.0](https://github.com/lhoupert/action-python-security-auditing/compare/v0.3.2...v0.4.0) (2026-03-27) +## [0.4.0](https://github.com/developmentseed/action-python-security-auditing/compare/v0.3.2...v0.4.0) (2026-03-27) ### Features -* notify test repo to update action pin ([#24](https://github.com/lhoupert/action-python-security-auditing/issues/24)) ([0168484](https://github.com/lhoupert/action-python-security-auditing/commit/0168484da35bb129ded7f8184144483930ceedaa)) +* notify test repo to update action pin ([#24](https://github.com/developmentseed/action-python-security-auditing/issues/24)) ([0168484](https://github.com/developmentseed/action-python-security-auditing/commit/0168484da35bb129ded7f8184144483930ceedaa)) -## [0.3.2](https://github.com/lhoupert/action-python-security-auditing/compare/v0.3.1...v0.3.2) (2026-03-27) +## [0.3.2](https://github.com/developmentseed/action-python-security-auditing/compare/v0.3.1...v0.3.2) (2026-03-27) ### Bug Fixes -* add working directory 
([#22](https://github.com/lhoupert/action-python-security-auditing/issues/22)) ([e73b876](https://github.com/lhoupert/action-python-security-auditing/commit/e73b876852e010f5bd4c659c2164d454d0410aff)) -* fix small issues with uv and poetry ([#20](https://github.com/lhoupert/action-python-security-auditing/issues/20)) ([0a4c0e9](https://github.com/lhoupert/action-python-security-auditing/commit/0a4c0e9993d082f1e29ecccb06a4fcdcbec9cbfc)) +* add working directory ([#22](https://github.com/developmentseed/action-python-security-auditing/issues/22)) ([e73b876](https://github.com/developmentseed/action-python-security-auditing/commit/e73b876852e010f5bd4c659c2164d454d0410aff)) +* fix small issues with uv and poetry ([#20](https://github.com/developmentseed/action-python-security-auditing/issues/20)) ([0a4c0e9](https://github.com/developmentseed/action-python-security-auditing/commit/0a4c0e9993d082f1e29ecccb06a4fcdcbec9cbfc)) -## [0.3.1](https://github.com/lhoupert/action-python-security-auditing/compare/v0.3.0...v0.3.1) (2026-03-27) +## [0.3.1](https://github.com/developmentseed/action-python-security-auditing/compare/v0.3.0...v0.3.1) (2026-03-27) ### Bug Fixes -* fix ci to pin update in readme ([#16](https://github.com/lhoupert/action-python-security-auditing/issues/16)) ([a97a516](https://github.com/lhoupert/action-python-security-auditing/commit/a97a51680c9e269100dc9b18f7d098bac878b4c0)) +* fix ci to pin update in readme ([#16](https://github.com/developmentseed/action-python-security-auditing/issues/16)) ([a97a516](https://github.com/developmentseed/action-python-security-auditing/commit/a97a51680c9e269100dc9b18f7d098bac878b4c0)) -## [0.3.0](https://github.com/lhoupert/action-python-security-auditing/compare/v0.2.0...v0.3.0) (2026-03-27) +## [0.3.0](https://github.com/developmentseed/action-python-security-auditing/compare/v0.2.0...v0.3.0) (2026-03-27) ### Features -* add ossf scorecard ([#13](https://github.com/lhoupert/action-python-security-auditing/issues/13)) 
([b29d0ef](https://github.com/lhoupert/action-python-security-auditing/commit/b29d0ef3d8514d04240a3bce759dd783ffa40001)) +* add ossf scorecard ([#13](https://github.com/developmentseed/action-python-security-auditing/issues/13)) ([b29d0ef](https://github.com/developmentseed/action-python-security-auditing/commit/b29d0ef3d8514d04240a3bce759dd783ffa40001)) ### Bug Fixes -* bug on push events ([31e0fa0](https://github.com/lhoupert/action-python-security-auditing/commit/31e0fa0e20fadd3fc8b89bbb26efc6b5ca3557ef)) -* fix warning ([#15](https://github.com/lhoupert/action-python-security-auditing/issues/15)) ([2d95cbc](https://github.com/lhoupert/action-python-security-auditing/commit/2d95cbc2fed7ee39258437927fb78a89f84e4db2)) +* bug on push events ([31e0fa0](https://github.com/developmentseed/action-python-security-auditing/commit/31e0fa0e20fadd3fc8b89bbb26efc6b5ca3557ef)) +* fix warning ([#15](https://github.com/developmentseed/action-python-security-auditing/issues/15)) ([2d95cbc](https://github.com/developmentseed/action-python-security-auditing/commit/2d95cbc2fed7ee39258437927fb78a89f84e4db2)) -## [0.2.0](https://github.com/lhoupert/action-python-security-auditing/compare/v0.1.0...v0.2.0) (2026-03-27) +## [0.2.0](https://github.com/developmentseed/action-python-security-auditing/compare/v0.1.0...v0.2.0) (2026-03-27) ### Features -* add bandit action ([#5](https://github.com/lhoupert/action-python-security-auditing/issues/5)) ([bbde8aa](https://github.com/lhoupert/action-python-security-auditing/commit/bbde8aa5584f4aa65a173c526d2d3902ecc3a976)) +* add bandit action ([#5](https://github.com/developmentseed/action-python-security-auditing/issues/5)) ([bbde8aa](https://github.com/developmentseed/action-python-security-auditing/commit/bbde8aa5584f4aa65a173c526d2d3902ecc3a976)) ### Bug Fixes -* formatting table ([#10](https://github.com/lhoupert/action-python-security-auditing/issues/10)) 
([191bf3c](https://github.com/lhoupert/action-python-security-auditing/commit/191bf3ca1b8da0fe78c086dc297279f5fe572a4f)) +* formatting table ([#10](https://github.com/developmentseed/action-python-security-auditing/issues/10)) ([191bf3c](https://github.com/developmentseed/action-python-security-auditing/commit/191bf3ca1b8da0fe78c086dc297279f5fe572a4f)) diff --git a/README.md b/README.md index f46bb76..d780154 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # python-security-auditing -[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/lhoupert/action-python-security-auditing/badge)](https://scorecard.dev/viewer/?uri=github.com/lhoupert/action-python-security-auditing) +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/developmentseed/action-python-security-auditing/badge)](https://scorecard.dev/viewer/?uri=github.com/developmentseed/action-python-security-auditing) A GitHub Action that runs **[bandit](https://bandit.readthedocs.io/)** (static code analysis) and **[pip-audit](https://pypi.org/project/pip-audit/)** (dependency vulnerability scanning) on a Python repository, then puts the results in one PR comment, the workflow step summary, and a downloadable artifact. @@ -59,7 +59,7 @@ jobs: security-events: write steps: - uses: actions/checkout@v4 - - uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 + - uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: package_manager: uv # export handled automatically bandit_scan_dirs: 'src/' 
@@ -129,7 +129,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 + - uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 ``` This runs both bandit and pip-audit with sensible defaults: blocks the job on HIGH-severity code issues and on dependency vulnerabilities that have a fix available. @@ -155,7 +155,7 @@ Pass `package_manager` to match how your project manages dependencies. The actio **uv:** ```yaml -- uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 +- uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: package_manager: uv bandit_scan_dirs: 'src/' @@ -163,7 +163,7 @@ Pass `package_manager` to match how your project manages dependencies. The actio **Poetry:** ```yaml -- uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 +- uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: package_manager: poetry bandit_scan_dirs: 'src/' @@ -171,7 +171,7 @@ Pass `package_manager` to match how your project manages dependencies. The actio **Pipenv:** ```yaml -- uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 +- uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: package_manager: pipenv bandit_scan_dirs: 'src/' 
@@ -179,7 +179,7 @@ Pass `package_manager` to match how your project manages dependencies. The actio **Plain requirements file (default):** ```yaml -- uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 +- uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: requirements_file: requirements/prod.txt bandit_scan_dirs: 'src/' @@ -190,7 +190,7 @@ Pass `package_manager` to match how your project manages dependencies. The actio When your source code spans more than one directory, pass a comma-separated list to `bandit_scan_dirs`: ```yaml -- uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 +- uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: package_manager: uv bandit_scan_dirs: 'src/,scripts/' @@ -201,7 +201,7 @@ When your source code spans more than one directory, pass a comma-separated list Set `working_directory` to the project root within the repo. All relative paths (scan dirs, requirements file) are resolved from there: ```yaml -- uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 +- uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: working_directory: services/api package_manager: uv @@ -213,7 +213,7 @@ Set `working_directory` to the project root within the repo. All relative paths Useful when you manage dependencies externally or run pip-audit in a separate job: ```yaml -- uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 +- uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: tools: bandit bandit_scan_dirs: 'src/' 
@@ -224,7 +224,7 @@ Useful when you manage dependencies externally or run pip-audit in a separate jo Useful when you already run bandit separately or only care about known CVEs in dependencies: ```yaml -- uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 +- uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: tools: pip-audit package_manager: uv @@ -235,7 +235,7 @@ Useful when you already run bandit separately or only care about known CVEs in d Block on any bandit finding at MEDIUM or above, and on all known vulnerabilities regardless of whether a fix exists. Suitable for high-assurance services or regulated environments: ```yaml -- uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 +- uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: package_manager: poetry bandit_severity_threshold: medium @@ -247,7 +247,7 @@ Block on any bandit finding at MEDIUM or above, and on all known vulnerabilities Add the action first as an observer: it posts findings to the PR comment and step summary without ever failing the job. Tighten the thresholds once your team has addressed the backlog: ```yaml -- uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 +- uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: package_manager: uv bandit_severity_threshold: low # report everything @@ -275,7 +275,7 @@ jobs: security-events: write steps: - uses: actions/checkout@v4 - - uses: lhoupert/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 + - uses: developmentseed/action-python-security-auditing@12efad3bddc3efd3668cf6ac6799f94837f4fb3d # v0.5.0 with: package_manager: uv post_pr_comment: false # no PR to comment on for scheduled runs 
diff --git a/SECURITY.md b/SECURITY.md index fff20f0..e03f09e 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,7 +12,7 @@ If you discover a security vulnerability in this project, please report it respo **Do not open a public GitHub issue for security vulnerabilities.** -Instead, please use [GitHub's private vulnerability reporting](https://github.com/lhoupert/action-python-security-auditing/security/advisories/new) to submit your report. +Instead, please use [GitHub's private vulnerability reporting](https://github.com/developmentseed/action-python-security-auditing/security/advisories/new) to submit your report. ### What to expect diff --git a/action.yml b/action.yml index 6d17b31..5b014db 100644 --- a/action.yml +++ b/action.yml @@ -89,7 +89,7 @@ runs: PR_NUMBER: ${{ github.event.pull_request.number }} INPUT_DEBUG: ${{ inputs.debug }} RUNNER_DEBUG: ${{ runner.debug }} - run: uv run --no-project --with "${{ github.action_path }}" python -m python_security_auditing + run: uv run --no-project --with "$GITHUB_ACTION_PATH" python -m python_security_auditing - name: Upload ${{ inputs.artifact_name }} if: always()