feat: enable the safety pipeline

.github/workflows/safety.yaml

@@ -0,0 +1,49 @@
+name: Safety Checks
+
+on:
+  # trigger this workflow manually
+  workflow_dispatch:
+
+  # or on a schedule
+  # runs in utc at 2:30am on Mondays
+  # this is 7:30pm on Sundays in Seattle
+  schedule:
+    - cron: "15 2 * * 1"
+
+  # also run on pull requests
+  # probably best to make this a required check on pull requests
+  pull_request:
+
+jobs:
+  safety:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12.x"
+          cache: "pip"
+
+      - name: Cache safety database
+        uses: actions/cache@v4
+        with:
+          path: ~/.safety
+          key: safety
+
+      - name: Install safety
+        run: |
+          pip install safety
+
+      - name: Run safety checks
+        run: |
+          safety --disable-optional-telemetry check --output=screen --file=poetry.lock --cache
+        env:
+          COLUMNS: 120
+          FORCE_COLOR: 1
+          NON_INTERACTIVE: 1

.safety-policy.yml

@@ -0,0 +1,8 @@
+security:
+  continue-on-vulnerability-error: False
+  ignore-cvss-severity-below: 0
+  ignore-cvss-unknown-severity: False
+  ignore-vulnerabilities:
+    70612:
+      reason: "No new release has been made and the vulnerability is kind of bogus."
+      expires: "2024-10-01"