feat(workflows): add reusable python-audit workflow#19
Merged
Three-job reusable workflow for Python repos, modelled after
node-audit.yml:
- pip-audit: resolves pinned requirements (uv export / poetry export
/ pip freeze) and runs pip-audit against them.
- bandit: runs bandit over the package, with configurable severity
(-ll default, -lll strict). Honours [tool.bandit] in pyproject.toml.
- sbom: syncs the project so cyclonedx-py sees real dependencies,
generates a CycloneDX JSON SBOM, uploads as artifact (90-day
retention by default).
Supports uv (default), poetry, and pip. All steps SHA-pinned and
hardened with step-security/harden-runner.
Caller example:
```yaml
jobs:
  security:
    uses: netresearch/.github/.github/workflows/python-audit.yml@main
    permissions:
      contents: read
    with:
      python-version-file: 'pyproject.toml'
      package-manager: 'uv'
```
Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
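A check a reviewer of this PR would want before trusting the "all steps SHA-pinned" line: walk a workflow file and flag every `uses:` reference that is not a full commit SHA. This is an added bash example, not code from netresearch/.github; the two sample workflows it writes are constructed for the demo, and their 40-hex SHAs are placeholders, not real commits. Run against the caller example above, it reports the `@main` reference to the reusable workflow as unpinned, so a caller that wants the same guarantee for the org workflow itself has to pin that ref to a SHA as well.

```shell
#!/usr/bin/env bash
# Added example (not netresearch/.github code): verify the "all steps
# SHA-pinned" property of a GitHub Actions workflow file mechanically.
set -euo pipefail

# Print every `uses:` reference in FILE that is not pinned to a 40-hex commit
# SHA. Local actions (./...) and docker:// images carry no git ref and are skipped.
# Trailing "# v4" style comments and surrounding quotes are stripped first.
unpinned_uses() {
  grep -E '^[[:space:]-]*uses:' "$1" \
    | sed -E "s/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*(#.*)?\$//; s/^['\"]//; s/['\"]\$//" \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Emit one GitHub Actions error annotation per unpinned reference and return 1;
# return 0 when every reference is a commit SHA.
check_pins() {
  local rc=0 ref
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    printf '::error file=%s::not pinned to a commit SHA: %s\n' "$1" "$ref" >&2
    rc=1
  done <<EOF
$(unpinned_uses "$1")
EOF
  return "$rc"
}

# Constructed sample workflows for the demo. The SHAs are placeholders,
# not real commits of those actions.
write_samples() {
  cat >"$1/pinned.yml" <<'EOF'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v2
      - uses: "actions/checkout@0123456789abcdef0123456789abcdef01234567"
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
EOF
  cat >"$1/caller.yml" <<'EOF'
jobs:
  security:
    uses: netresearch/.github/.github/workflows/python-audit.yml@main
    permissions:
      contents: read
  extra:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-python@v5
EOF
}

# Stand-alone use: ./check_pins.sh .github/workflows/*.yml
# (exits non-zero on the first file with an unpinned reference)
if [ "$#" -gt 0 ]; then
  for f in "$@"; do check_pins "$f"; done
fi
```

Exit status is non-zero when anything is unpinned, so the same function works as a pre-commit hook or as a step inside the workflow being audited.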
Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.
Pull request overview
Adds a new reusable GitHub Actions workflow to run common Python security checks (dependency vulnerability audit, Bandit static analysis, and CycloneDX SBOM generation) for repositories that call it via workflow_call.
Changes:
- Introduces .github/workflows/python-audit.yml with three opt-in/opt-out jobs: pip-audit, bandit, and sbom.
- Supports multiple Python package managers (uv, pip, poetry) and optional Python version selection via an explicit version or version file.
- Uploads a generated CycloneDX SBOM as a workflow artifact.
CybotTM added a commit to netresearch/coding_agent_cli_toolset that referenced this pull request on Apr 17, 2026
…sables

Review feedback: use reusable workflows from netresearch/.github instead of direct action calls (matching the node / Go projects).
- security.yml → calls the new python-audit.yml (netresearch/.github#19, pinned to @feat/python-audit-workflow until that PR merges). Same three jobs (pip-audit, bandit, sbom) but centrally maintained.
- dependency-review.yml → calls netresearch/.github's reusable dependency-review.yml, with fail-on-severity: moderate.
- auto-merge-deps.yml → calls netresearch/.github's reusable auto-merge-deps.yml. The org version is identical to what we had locally; deduplicated.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
- Removed misleading `audit-level` input: pip-audit has no native severity floor, so the input was validated but never applied. Behaviour is now fail-on-any-vulnerability, documented in the step body.
- Added up-front package-manager validation on both pip-audit and SBOM jobs — unknown values now fail fast with a clear annotation instead of silently falling through.
- Fixed bandit `*)` fallback: unexpected `bandit-severity` values now fail with an annotation (previously silently treated as `medium`).
- Fixed Poetry SBOM environment mismatch: `poetry install` populates Poetry's venv, but cyclonedx-py was being invoked against the system interpreter, missing every dependency. Now installs cyclonedx-bom + runs cyclonedx-py via `poetry run` so both live in the same venv.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
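The fail-fast input handling described in this commit, together with the export / severity / SBOM mapping from the PR description, as an added bash example. This is not the workflow's own step code. The exact uv, poetry, pip and cyclonedx-py flags are my assumptions about those CLIs (on Poetry 2.x `poetry export` needs the poetry-plugin-export plugin), and mapping `all` to no `-l` flag is assumed from bandit's default of reporting every severity.

```shell
#!/usr/bin/env bash
# Added example (not netresearch/.github code): input handling for the three
# python-audit jobs, written the way a workflow step's `run:` block would be.
# CLI flags for uv / poetry / pip / cyclonedx-py are assumptions about those tools.
set -euo pipefail

# Print a GitHub Actions error annotation and return non-zero, so an unexpected
# input fails the job with a visible message instead of falling through.
fail() {
  printf '::error::%s\n' "$1" >&2
  return 1
}

# package-manager -> command that writes a pinned requirements.txt for pip-audit.
export_cmd() {
  case "$1" in
    uv)     echo "uv export --format requirements-txt --no-dev -o requirements.txt" ;;
    poetry) echo "poetry export -f requirements.txt --without-hashes -o requirements.txt" ;;
    pip)    echo "pip freeze > requirements.txt" ;;
    *)      fail "unknown package-manager '$1' (expected uv, poetry or pip)" ;;
  esac
}

# bandit-severity -> bandit's -l flags: medium = -ll, high = -lll; "all" passes
# no -l flag (assumption: bandit then reports every severity). Anything else is
# an error rather than the silent "medium" the old *) branch produced.
bandit_flags() {
  case "$1" in
    all)    echo "" ;;
    medium) echo "-ll" ;;
    high)   echo "-lll" ;;
    *)      fail "unknown bandit-severity '$1' (expected all, medium or high)" ;;
  esac
}

# package-manager -> SBOM command. For poetry both the cyclonedx-bom install and
# the cyclonedx-py run go through `poetry run`, so the tool inspects the venv
# that `poetry install` populated rather than the bare system interpreter.
sbom_cmd() {
  case "$1" in
    uv)     echo "uv run --with cyclonedx-bom cyclonedx-py environment --of JSON -o sbom.json" ;;
    poetry) echo "poetry run pip install cyclonedx-bom && poetry run cyclonedx-py environment --of JSON -o sbom.json" ;;
    pip)    echo "pip install cyclonedx-bom && cyclonedx-py environment --of JSON -o sbom.json" ;;
    *)      fail "unknown package-manager '$1' (expected uv, poetry or pip)" ;;
  esac
}

# Stand-alone demo with the workflow's defaults; in a real step the values come
# from ${{ inputs.package-manager }} etc. An unknown value aborts here, before
# any tool runs.
pm="${PACKAGE_MANAGER:-uv}"
sev="${BANDIT_SEVERITY:-medium}"
echo "pip-audit: $(export_cmd "$pm") && pip-audit -r requirements.txt"
echo "bandit:    bandit -r ${BANDIT_TARGET:-.} $(bandit_flags "$sev")"
echo "sbom:      $(sbom_cmd "$pm")"
```

Because each mapping is a function returning a command string, the same file can be sourced from a test and exercised with every input value, which is how the `*)` regression in the old fallback would have been caught.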
CybotTM added a commit to netresearch/coding_agent_cli_toolset that referenced this pull request on Apr 17, 2026
Follow-up to #75 — the reusable workflow [netresearch/.github#19][org-pr] has merged to main, so drop the temporary @feat/python-audit-workflow pin.

[org-pr]: netresearch/.github#19

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
CybotTM added a commit to netresearch/coding_agent_cli_toolset that referenced this pull request on Apr 17, 2026
Follow-up to #75. The reusable `python-audit.yml` workflow [merged into netresearch/.github main](netresearch/.github#19), so drop the temporary `@feat/python-audit-workflow` pin.

## Test plan
- [x] YAML valid (`python3 -c "import yaml; yaml.safe_load(...)"`)
- [ ] On-push CI: `audit / pip-audit`, `audit / bandit`, `audit / CycloneDX SBOM` all resolve `python-audit.yml@main` at the merge commit and pass.
Summary

New reusable workflow python-audit.yml for Python projects, modelled after node-audit.yml. Provides three independent jobs, each opt-outable:
- pip-audit: exports a pinned requirements.txt from uv/poetry/pip, runs pip-audit against it.
- bandit: configurable severity (all, medium, high); honours [tool.bandit] in pyproject.toml.
- sbom: syncs the project so `cyclonedx-py environment` sees real deps, generates CycloneDX JSON, uploads as artifact.

All steps SHA-pinned and hardened with step-security/harden-runner.

Inputs

| Input | Default | Description |
|---|---|---|
| python-version | 3.14 | used only when python-version-file is empty |
| python-version-file | '' | e.g. pyproject.toml, .python-version |
| package-manager | uv | uv / poetry / pip |
| audit-level | high | |
| run-bandit | true | |
| bandit-severity | medium | all / medium / high |
| bandit-target | src/ if present, else . | |
| generate-sbom | true | |
| sbom-retention-days | 90 | |

Test plan
- YAML valid (python3 -c "import yaml; yaml.safe_load(...)")
- netresearch/coding_agent_cli_toolset (PR #75 on that repo): call @feat/python-audit-workflow first, then switch to @main once this merges.