From 78f8949a44545eacf97733438e2a85f113d75ecd Mon Sep 17 00:00:00 2001
From: Paul Lockaby
Date: Mon, 5 Aug 2024 14:58:08 -0700
Subject: [PATCH 1/4] feat: enable the safety pipeline

---
 .github/workflows/safety.yaml | 41 +++++++++++++++++++++++++++++++++++
 .safety-policy.yml | 8 +++++++
 2 files changed, 49 insertions(+)
 create mode 100644 .github/workflows/safety.yaml
 create mode 100644 .safety-policy.yml

diff --git a/.github/workflows/safety.yaml b/.github/workflows/safety.yaml
new file mode 100644
index 0000000..81ac53c
--- /dev/null
+++ b/.github/workflows/safety.yaml
@@ -0,0 +1,41 @@
+name: Safety Checks
+
+on:
+  # trigger this workflow manually
+  workflow_dispatch:
+
+  # or on a schedule
+  # runs in utc at 2:30am on Mondays
+  # this is 7:30pm on Sundays in Seattle
+  schedule:
+    - cron: "15 2 * * 1"
+
+  # also run on pull requests
+  # probably best to make this a required check on pull requests
+  pull_request:
+
+jobs:
+  safety:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install poetry
+        run: |
+          pipx install poetry
+          pipx inject poetry poetry-plugin-export
+
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12.x"
+          cache: "pip"
+
+      - name: Run safety checks
+        run: |
+          pip install safety
+          safety --disable-optional-telemetry check --full-report --output=screen --file=poetry.lock
diff --git a/.safety-policy.yml b/.safety-policy.yml
new file mode 100644
index 0000000..507fab8
--- /dev/null
+++ b/.safety-policy.yml
@@ -0,0 +1,8 @@
+security:
+  continue-on-vulnerability-error: False
+  ignore-cvss-severity-below: 0
+  ignore-cvss-unknown-severity: False
+  ignore-vulnerabilities:
+#    70612:
+#      reason: "No new release has been made and the vulnerability is kind of bogus."
+#      expires: "2024-10-01"

From eea83b4c389fd3b98cb8e35a8eaa5158d9e2a6c6 Mon Sep 17 00:00:00 2001
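Review bot: The schedule comment and the cron expression disagree: `cron: "15 2 * * 1"` fires at 02:15 UTC, while the two comment lines above it say 2:30am UTC and 7:30pm on Sundays in Seattle, and 02:15 UTC on Monday is 19:15 PDT or 18:15 PST on Sunday depending on daylight time. Either change the expression to `- cron: "30 2 * * 1"` or rewrite the comments to `# runs in utc at 2:15am on Mondays (7:15pm PDT / 6:15pm PST on Sundays in Seattle)`, so the next person does not "fix" the wrong one. Separately, `pip install safety` in the last step is unpinned, so every run, including ones triggered by `pull_request:`, executes whatever the newest release on PyPI is; pinning it (`pip install "safety==<pinned version>"`) and pinning the `actions/*` steps to commit SHAs rather than floating `@v4`/`@v5` tags keeps the scanner itself out of the supply-chain exposure it is meant to detect. The same unpinned install is carried forward into the `Install safety` step in 4/4.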
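Review bot: `continue-on-vulnerability-error: False` and `ignore-cvss-unknown-severity: False` use the Python-style capitalised boolean; canonical YAML is lowercase, so write `continue-on-vulnerability-error: false` and `ignore-cvss-unknown-severity: false` (yamllint's truthy rule flags the capitalised form). With its children commented out, `ignore-vulnerabilities:` is a bare key and loads as null rather than an empty mapping; whenever the list is meant to be empty, `ignore-vulnerabilities: {}` says so explicitly and does not depend on the consumer treating null and an empty mapping the same way.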
From: Paul Lockaby
Date: Mon, 5 Aug 2024 15:06:21 -0700
Subject: [PATCH 2/4] fix: ignore the jinja vulnerability

---
 .safety-policy.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.safety-policy.yml b/.safety-policy.yml
index 507fab8..9b53dcc 100644
--- a/.safety-policy.yml
+++ b/.safety-policy.yml
@@ -3,6 +3,6 @@ security:
   ignore-cvss-severity-below: 0
   ignore-cvss-unknown-severity: False
   ignore-vulnerabilities:
-#    70612:
-#      reason: "No new release has been made and the vulnerability is kind of bogus."
-#      expires: "2024-10-01"
+    70612:
+      reason: "No new release has been made and the vulnerability is kind of bogus."
+      expires: "2024-10-01"

From f2323ee44e3e539386d6250ba65bd67e29ef5186 Mon Sep 17 00:00:00 2001
From: Paul Lockaby
Date: Mon, 5 Aug 2024 15:22:45 -0700
Subject: [PATCH 3/4] fix: cache safety database

---
 .github/workflows/safety.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/safety.yaml b/.github/workflows/safety.yaml
index 81ac53c..e75241c 100644
--- a/.github/workflows/safety.yaml
+++ b/.github/workflows/safety.yaml
@@ -35,7 +35,16 @@ jobs:
           python-version: "3.12.x"
           cache: "pip"
 
+      - uses: actions/cache@v4
+        with:
+          path: ~/.safety
+          key: safety
+
       - name: Run safety checks
         run: |
           pip install safety
-          safety --disable-optional-telemetry check --full-report --output=screen --file=poetry.lock
+          safety --disable-optional-telemetry check --output=screen --file=poetry.lock
+        env:
+          COLUMNS: 120
+          FORCE_COLOR: 1
+          NON_INTERACTIVE: 1

From ce7dbac5c395eca7692bb1e248ceab630db7bce3 Mon Sep 17 00:00:00 2001
From: Paul Lockaby
Date: Mon, 5 Aug 2024 15:28:57 -0700
Subject: [PATCH 4/4] fix: enable safety database cache

---
 .github/workflows/safety.yaml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/safety.yaml b/.github/workflows/safety.yaml
index e75241c..26a5f47 100644
--- a/.github/workflows/safety.yaml
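Review bot: The new `70612:` entry records neither the package nor the advisory it waives nor the basis for calling it "kind of bogus", so whoever revisits this when it expires has only the commit subject ("the jinja vulnerability") to go on. Put that in the file, e.g. `reason: "jinja2, safety advisory 70612 (<CVE or advisory id from the report>): <why the affected code path is not reachable here>; no fixed release available yet"`, so the waiver is auditable without git archaeology. The quoted `expires: "2024-10-01"` is right to stay a string (an unquoted ISO date would be loaded as a date object); note that it is under two months out, so the scheduled run will start failing on that date unless the entry is reassessed first.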
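Review bot: `key: safety` is a fixed key, and actions/cache does not re-save on a hit, so after the first run the restored `~/.safety` is frozen at whatever that run downloaded; whether newer advisories are still fetched then depends entirely on safety's own refresh logic for its local database, which this hunk does not show. For a vulnerability scanner that is the wrong thing to leave implicit: use a key that rotates per run plus a prefix fallback, e.g. `key: safety-db-${{ github.run_id }}` and `restore-keys: safety-db-`, so every run restores the most recent copy and also saves a fresh one. 4/4 renames the step but keeps the same static key, so the same change applies there.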
+++ b/.github/workflows/safety.yaml
@@ -24,26 +24,25 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Install poetry
-        run: |
-          pipx install poetry
-          pipx inject poetry poetry-plugin-export
-
       - name: Setup python
         uses: actions/setup-python@v5
         with:
           python-version: "3.12.x"
           cache: "pip"
 
-      - uses: actions/cache@v4
+      - name: Cache safety database
+        uses: actions/cache@v4
         with:
           path: ~/.safety
           key: safety
 
-      - name: Run safety checks
+      - name: Install safety
         run: |
           pip install safety
-          safety --disable-optional-telemetry check --output=screen --file=poetry.lock
+
+      - name: Run safety checks
+        run: |
+          safety --disable-optional-telemetry check --output=screen --file=poetry.lock --cache
         env:
           COLUMNS: 120
           FORCE_COLOR: 1
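Review bot: `--cache` is appended to the `safety ... check` line without a value or a comment, so the workflow does not say how stale a database the scan is allowed to run against; if I read safety's CLI correctly the option accepts an optional freshness window in seconds, and leaving it to the default makes that bound invisible to anyone auditing the pipeline. Make it explicit, e.g. `safety --disable-optional-telemetry check --output=screen --file=poetry.lock --cache <seconds>` with a comment on the step such as `# reuse the cached vulnerability database for at most <seconds> before refetching`, or at minimum document the intended window on the `Cache safety database` step.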