diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index b19bcc8..5051819 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,4 +1,5 @@
 name: Lint Check
+
 on:
   workflow_call:
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index cdb067c..f60854b 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -1,4 +1,5 @@
 name: Main
+
 on:
   pull_request:
   push:
@@ -24,3 +25,9 @@ jobs:
     name: Tests
     needs: [lint, typecheck]
     uses: ./.github/workflows/tests.yaml
+
+  snyk:
+    name: Snyk
+    needs: [lint, typecheck, tests]
+    uses: ./.github/workflows/snyk.yaml
+    secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
new file mode 100644
index 0000000..8594a3e
--- /dev/null
+++ b/.github/workflows/snyk.yaml
@@ -0,0 +1,19 @@
+name: Snyk Security Scan
+
+on:
+  workflow_call:
+    secrets:
+      SNYK_TOKEN:
+        required: true
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high
\ No newline at end of file
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 4e58210..dc10bcf 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -1,4 +1,5 @@
 name: Tests
+
 on:
   workflow_call:
diff --git a/.github/workflows/typecheck.yaml b/.github/workflows/typecheck.yaml
index 57aa6bc..abe29f9 100644
--- a/.github/workflows/typecheck.yaml
+++ b/.github/workflows/typecheck.yaml
@@ -1,4 +1,5 @@
 name: Type Check
+
 on:
   workflow_call:
diff --git a/.gitignore b/.gitignore
index ed55818..4a08c01 100644
--- a/.gitignore
+++ b/.gitignore
@@ -143,3 +143,6 @@ cython_debug/
 # uv
 .uv/
+
+# Snyk Security Extension - AI Rules (auto-generated)
+.cursor/rules/snyk_rules.mdc
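Review bot: `secrets: inherit` on the new `snyk` job in main.yaml (hunk `@@ -24,3 +25,9 @@`) hands every repository and organization secret to the called workflow, although snyk.yaml declares only `SNYK_TOKEN` as required; pass just that one explicitly, `secrets:` / `  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}`, so nothing else is reachable from inside the reusable workflow. Because main.yaml triggers on `pull_request` as well as `push`, the job will presumably fail on pull requests opened from forks, where the token is not exposed to the run; guarding it with an `if:` on the event type or on `github.event.pull_request.head.repo.fork` is worth considering, to be confirmed against how contributions are accepted. The file also loses its trailing newline (`\ No newline at end of file`); add one.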
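Review bot: Both actions in the new snyk.yaml are referenced by the mutable `master` branch (`actions/checkout@master`, `snyk/actions/python@master`), so whatever that branch resolves to at run time executes with `SNYK_TOKEN` in its environment; pin each to the full commit SHA of a tagged release and let a dependency bot bump them. The `security` job also sets no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` grant even though a dependency scan only needs to read the checkout; add `permissions:` / `  contents: read` at the job level. The file should also end with a newline (`\ No newline at end of file`).
```yaml
jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # the scan only reads the tree; keep GITHUB_TOKEN minimal
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>  # placeholder: pin to a tagged release's commit
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/python@<FULL_COMMIT_SHA>  # placeholder: pin to a tagged release's commit
        # … unchanged: env and with …
```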