ci: adopt conda-actions v2.0 (grype scan + drop anaconda-client)#171
Conversation
Bump the four neutrons/conda-actions refs to the @v2 moving tag:
- pkg-install / pkg-verify: were pinned to a v1-era SHA
- publish: was @main (now uploads via `pixi upload anaconda`)
- pkg-remove: was @v1 (now self-installs anaconda-client)

All four are input-compatible at v2.0 (verified against the upstream action.yml definitions).

Add a dependency-scan job using the new conda-actions/grype action to scan the installed package environment and upload SARIF to code scanning.

Test run for the conda-actions v2.0 upgrade before propagating.

Assisted-With: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
conda-actions v2.0 no longer needs anaconda-client in the project env: publish uses `pixi upload`, and pkg-remove self-installs anaconda-client. Remove it from the package feature and switch the local conda-publish task to `pixi upload anaconda --owner neutrons`.

Regenerate pixi.lock (drops anaconda-client + its orphaned transitive deps).

Assisted-With: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This PR updates the repository’s packaging/deployment pipeline to use neutrons/conda-actions@v2, adds a Grype-based dependency scanning job that uploads SARIF to GitHub code scanning, and removes anaconda-client from the Pixi package feature now that publishing/removal are handled without it.
Changes:
- Switch `pkg-install`, `pkg-verify`, `publish`, and `pkg-remove` workflow steps to `neutrons/conda-actions@v2`.
- Add a new `dependency-scan` job that installs the built `.conda` artifact and scans the resulting environment using `neutrons/conda-actions/grype@v2`.
- Remove `anaconda-client` from `pyproject.toml` and update the local `conda-publish` Pixi task to use `pixi upload anaconda`.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pyproject.toml | Drops anaconda-client from the package feature and updates the local conda publish task to use Pixi's upload command. |
| pixi.lock | Regenerates the lockfile to reflect removal of anaconda-client and resulting dependency graph changes. |
| .github/workflows/test_and_deploy.yaml | Moves conda workflow steps to conda-actions@v2 and adds a Grype dependency-scan job that uploads SARIF results. |
Comments suppressed due to low confidence (1)
.github/workflows/test_and_deploy.yaml:185
`${{ env.CONDA_LABEL }}` is not defined anywhere in this workflow, so the `label` input will resolve to an empty string. Because this overrides the action default (`dev`), `pkg-remove` will likely not match any labeled files and won't remove old packages as intended.

```yaml
anaconda_token: ${{ secrets.ANACONDA_TOKEN }}
organization: neutrons
package_name: ${{ env.PKG_NAME }}
label: ${{ env.CONDA_LABEL }}
keep: 5
```
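The review finding above is a class of bug worth catching before merge: a `${{ env.NAME }}` expression whose name is never declared expands to an empty string rather than failing, so it silently overrides whatever default the action would have used. The following is an added example, not code from this PR or from neutrons/conda-actions: a dependency-free static check that collects every key declared under any `env:` mapping (workflow, job or step level) plus names written to `$GITHUB_ENV` in `run:` steps, then reports `env.` references that match none of them. The sample workflow is constructed for the example and only borrows the `pkg-remove` inputs quoted in the review comment; the `$GITHUB_ENV` detection is a heuristic on the common `echo "NAME=..." >> $GITHUB_ENV` idiom and will miss other ways of setting variables at runtime.

```python
"""Flag ${{ env.NAME }} references in a GitHub Actions workflow that have no
visible definition. Added example; not part of the PR or the action repo."""
import re
import sys

# `env:` on a line by itself opens a mapping of variable definitions.
ENV_BLOCK_RE = re.compile(r"^(\s*)env:\s*$")
# A mapping key inside that block (indentation is checked separately).
ENV_KEY_RE = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*)\s*:")
# An expression reading a workflow env var.
ENV_REF_RE = re.compile(r"\$\{\{\s*env\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Heuristic for runtime definitions: echo "NAME=value" >> $GITHUB_ENV
GITHUB_ENV_RE = re.compile(
    r'echo\s+"?([A-Za-z_][A-Za-z0-9_]*)=.*>>\s*"?\$\{?GITHUB_ENV'
)


def declared_env_names(workflow_text: str) -> set[str]:
    """Return every env var name the workflow declares statically or via $GITHUB_ENV."""
    names: set[str] = set()
    block_indent = None  # indentation of the `env:` line currently open, if any
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_BLOCK_RE.match(line)
        if m:
            block_indent = len(m.group(1))
            continue
        if block_indent is not None:
            indent = len(line) - len(line.lstrip())
            k = ENV_KEY_RE.match(line)
            if k and indent > block_indent:
                names.add(k.group(2))
                continue
            block_indent = None  # dedented: the env mapping has ended
        g = GITHUB_ENV_RE.search(line)
        if g:
            names.add(g.group(1))
    return names


def undefined_env_refs(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, name) for each env reference with no declaration."""
    declared = declared_env_names(workflow_text)
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for name in ENV_REF_RE.findall(line):
            if name not in declared:
                findings.append((lineno, name))
    return findings


# Constructed sample: PKG_NAME is declared at workflow level, PKG_VERSION is
# set at runtime through $GITHUB_ENV, and CONDA_LABEL is never defined.
SAMPLE_WORKFLOW = """\
name: test_and_deploy
env:
  PKG_NAME: python_project_template
jobs:
  conda-build:
    runs-on: ubuntu-latest
    steps:
      - name: Derive version
        run: echo "PKG_VERSION=$(git describe --tags)" >> "$GITHUB_ENV"
      - name: Remove old packages
        uses: neutrons/conda-actions/pkg-remove@v2
        with:
          anaconda_token: ${{ secrets.ANACONDA_TOKEN }}
          organization: neutrons
          package_name: ${{ env.PKG_NAME }}
          label: ${{ env.CONDA_LABEL }}
          keep: 5
      - name: Echo
        run: echo "${{ env.PKG_VERSION }}"
"""


def main(argv: list[str]) -> int:
    """Check the workflow files given on the command line, or the sample if none."""
    texts = [open(p, encoding="utf-8").read() for p in argv[1:]] or [SAMPLE_WORKFLOW]
    problems = 0
    for text in texts:
        for lineno, name in undefined_env_refs(text):
            print(f"line {lineno}: env.{name} is referenced but never defined "
                  f"(expands to an empty string)")
            problems += 1
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pre-commit hook or a CI step with the workflow paths as arguments; a non-zero exit fails the check. On the constructed sample it reports only `CONDA_LABEL`, because `PKG_NAME` is declared in the top-level `env:` mapping and `PKG_VERSION` is recognised from the `$GITHUB_ENV` write.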
Move the "Scan installed environment with Grype" step into the conda-build job, right after "Verify conda package", and drop the standalone dependency-scan job. The conda package is already installed in conda-build, so the step reuses steps.install.outputs.conda_install_dir instead of re-checking-out, re-downloading the artifact, and re-installing it. The SARIF-upload permissions (security-events: write, actions: read) move onto conda-build accordingly. Addresses review feedback on PR #171. Assisted-With: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adopt neutrons/conda-actions v2.0. Validated on CI (see checks).

Changes
- Bump `neutrons/conda-actions` refs to `@v2`:
  - `pkg-install`, `pkg-verify`: were pinned to a v1-era SHA
  - `publish`: was `@main`; v2.0 uploads via `pixi upload anaconda` (no anaconda install)
  - `pkg-remove`: was `@v1`; v2.0 self-installs `anaconda-client`
- Add a `dependency-scan` job using the new `conda-actions/grype` action: installs the built `.conda` and scans the resulting env, uploading SARIF to code scanning (non-blocking, `fail-build: false`).
- Remove the `anaconda-client` dependency from the `package` feature, now that publish/pkg-remove no longer need it in-project. The local `conda-publish` task switches to `pixi upload anaconda --owner neutrons`.
- `pixi.lock` regenerated (removes anaconda-client + orphaned transitive deps; `typer` now sourced from PyPI via `toml-cli`).

All four actions are input-compatible at v2.0 (verified against the upstream `action.yml` definitions; no input renames).

Validated by CI
- `pkg-install@v2` + `pkg-verify@v2` (conda-build): real version-match check passed
- `grype@v2` (dependency-scan): scanned the installed env, uploaded SARIF
- `publish@v2` / `pkg-remove@v2` are gated to `next`/tags, so they don't run on a PR. Verified by reading the v2.0 source + the upstream dry-run test workflows.

Heads-up
grype reports findings (medium+ with fixes available) to the Security tab as non-blocking alerts.

Scope
`python_project_template` is the only repo in the group consuming `neutrons/conda-actions`; others use `neutrons/conda-verify` (separate repo, unaffected) or call `anaconda upload` directly.

Assisted-With: Claude Opus 4.8 (1M context)