61 changes: 31 additions & 30 deletions .github/actions/vulnerability-scan/python/action.yml
@@ -1,5 +1,5 @@
name: Python Audit
description: Runs pip-audit on requirements.txt and poetry projects
description: Runs dbt-pip-audit on requirements.txt and poetry projects

inputs:
audit-dir:
Expand All @@ -21,7 +21,7 @@ runs:
shell: bash
env:
AUDIT_DIR: ${{ inputs.audit-dir }}
PIP_AUDIT_VERSION: "2.10.0"
PIP_AUDIT_VERSION: "1.0.2"
run: |
set -e
REPO_NAME="$(basename "$(realpath .)")"
Expand Down Expand Up @@ -56,9 +56,9 @@ runs:
pip install -r "$req" --quiet --no-cache-dir
fi

# Install and run pip-audit pinned to env variable version
pip install "pip-audit==${PIP_AUDIT_VERSION}" || { echo "❌ Failed to install pip-audit"; deactivate; rm -rf "$envdir/.venv"; continue; }
pip-audit -o "$out" -f json || true
# Install and run dbt-pip-audit pinned to env variable version
pip install "dbt-pip-audit==${PIP_AUDIT_VERSION}" || { echo "❌ Failed to install dbt-pip-audit"; deactivate; rm -rf "$envdir/.venv"; continue; }
dbt-pip-audit -o "$out" -f json || true

# Cleanup
deactivate
Expand All @@ -74,6 +74,12 @@ runs:
out="$AUDIT_DIR/pyproject_${cleanenv//\//_}_${REPO_NAME}.json"
absolute_out="$(realpath "$PWD")/$out"

# Skip if requirements*.txt exists in same directory
if ls "$envdir"/requirements*.txt >/dev/null 2>&1; then
echo "Skipping $envdir because requirements.txt already covered"
continue
fi

echo "Found Python environment:"
echo " - Directory: $envdir"
echo " - Requirements file: $pyproj"
Expand All @@ -86,34 +92,29 @@ runs:
echo "uv.lock found — installing with uv"
pip install uv
uv sync
uv pip install "dbt-pip-audit==${PIP_AUDIT_VERSION}" || { echo "❌ Failed to install dbt-pip-audit"; exit 1; }
uv run dbt-pip-audit -o "$absolute_out" -f json || true

echo "Installing pip-audit into uv environment"
uv pip install "pip-audit==${PIP_AUDIT_VERSION}" || { echo "❌ Failed to install pip-audit"; exit 1; }

echo "Running pip-audit via uv"
uv run pip-audit -o "$absolute_out" -f json || true
else
echo "Installing Poetry in $envdir"
elif [ -f "poetry.lock" ]; then
echo "poetry.lock found — installing with Poetry"
pip install poetry
poetry install --no-root --sync
poetry run pip install "dbt-pip-audit==${PIP_AUDIT_VERSION}" || { echo "❌ Failed to install dbt-pip-audit"; exit 1; }
poetry run dbt-pip-audit -o "$absolute_out" -f json || true

if [ -f "poetry.lock" ]; then
echo "poetry.lock found — installing locked deps"
poetry install --no-root --sync
else
# ToDo: Consider using `poetry lock` to generate a lock file before install
echo "No poetry.lock — installing from pyproject.toml"
if ! poetry install --no-root; then
echo "Poetry install failed in $envdir — skipping this environment"
continue
fi
fi

echo "Installing pip-audit in Poetry environment"
poetry run pip install --upgrade pip
poetry run pip install "pip-audit==${PIP_AUDIT_VERSION}" || { echo "❌ Failed to install pip-audit"; exit 1; }

echo "Running pip-audit inside Poetry environment"
poetry run pip-audit -o "$absolute_out" -f json || true
else
echo "No lock file found — using virtualenv + pip"
python -m venv .venv
source .venv/bin/activate
pip install .
pip install "dbt-pip-audit==${PIP_AUDIT_VERSION}" || { echo "❌ Failed to install dbt-pip-audit"; exit 1; }
dbt-pip-audit -o "$absolute_out" -f json || true

# Cleanup
deactivate
rm -rf ".venv"
echo " - venv directory cleaned up."
echo ""
fi
)
done
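Review bot: Every scanner invocation on the new side ends in `|| true` (`dbt-pip-audit -o "$out" -f json || true` in the requirements loop and the three `$absolute_out` variants in the uv, Poetry and venv branches), so a scanner that never ran (install succeeded but the tool crashed, failed to fetch advisory data, or rejected its arguments) is indistinguishable from a clean scan and the step still succeeds with no report. Assuming dbt-pip-audit, like pip-audit, writes the report before exiting non-zero on findings, the two cases can be separated by checking for the file right after the call, e.g. `[ -s "$out" ] || { echo "❌ dbt-pip-audit produced no report for $envdir"; exit 1; }` (with `$absolute_out` in the pyproject branches). The new venv branch also only removes `.venv` on the success path; under `set -e` a failing `pip install .` or the explicit `exit 1` leaves `$envdir/.venv` behind, unlike the requirements branch which deactivates and removes it before continuing. Since `PIP_AUDIT_VERSION` now pins `dbt-pip-audit` rather than `pip-audit`, renaming the env variable (or at least a comment next to `PIP_AUDIT_VERSION: "1.0.2"` noting it is the dbt-pip-audit version) would avoid the two packages being confused when the pin is next bumped. The enclosing `for` loop and the `(` that opens the per-directory subshell start outside the hunk.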