chore: Consolidate config files and template #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| workflow_dispatch: | |
| jobs: | |
| security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Fetch all history for all branches and tags | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| cache: 'pip' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install uv | |
| # Install project and dependencies with uv | |
| uv sync --all-extras | |
| # Install security tools separately (not part of project deps) | |
| pip install bandit safety | |
| - name: Check for security vulnerabilities with Bandit | |
| run: | | |
| # First run with test files ignored (using our config) | |
| echo "::group::Bandit Security Scan (Non-test files)" | |
| bandit -r apps/ settings/ -c .bandit -f txt || true | |
| echo "::endgroup::" | |
| # Then run a full report but don't fail | |
| echo "::group::Bandit Full Security Report" | |
| bandit -r apps/ settings/ -f txt -o bandit_report.txt || true | |
| cat bandit_report.txt | |
| echo "::endgroup::" | |
| echo "Security issues found, but continuing. See report for details." | |
| # Summarize main issues for the workflow summary | |
| echo "# Security Scan Results" >> $GITHUB_STEP_SUMMARY | |
| echo "## Main Issues Found:" >> $GITHUB_STEP_SUMMARY | |
| echo "1. Use of assert in test files - Low severity" >> $GITHUB_STEP_SUMMARY | |
| echo "2. Hardcoded test passwords - Low severity" >> $GITHUB_STEP_SUMMARY | |
| echo "3. Development key in settings - Low severity" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "These issues are expected in test files and development settings." >> $GITHUB_STEP_SUMMARY | |
| - name: Check dependencies for known vulnerabilities | |
| run: | | |
| # Run safety check but don't fail the build | |
| # Export current dependencies and check them | |
| uv pip freeze > requirements.txt | |
| safety check -r requirements.txt --output text || true |