Skip to content

pip-audit brew packages #1719

pip-audit brew packages

pip-audit brew packages #1719

Workflow file for this run

name: pip-audit brew packages
on:
workflow_dispatch:
schedule:
- cron: "0 8 * * *"
pull_request:
permissions: {}
jobs:
audit:
runs-on: macos-latest
permissions:
contents: read # reading repo contents
steps:
- name: Check out this repo
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.x"
- name: Set up Homebrew
id: set-up-homebrew
uses: Homebrew/actions/setup-homebrew@1f8e202ffddf94def7f42f6fa3a482e821489f9c # 2026.07.10.1
with:
core: true
cask: false
- name: Configure Homebrew, install dependencies
run: |
brew developer on
brew install osv-scanner
brew untap --force hashicorp/tap || true
- run: brew ruby formula2requirements.rb
env:
HOMEBREW_NO_AUTO_UPDATE: 1
HOMEBREW_NO_INSTALL_FROM_API: 1
HOMEBREW_EVAL_ALL: 1
HOMEBREW_REQUIRE_TAP_TRUST: 1
- run: python3 pip-audit-bulk
env:
QUICK_RUN: ${{ github.event_name == 'pull_request' }}
- name: Upload artifact
uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
with:
path: site
deploy:
if: github.repository_owner == 'Homebrew' && github.event_name != 'pull_request'
needs: [audit]
runs-on: ubuntu-latest
permissions:
pages: write # writing to GitHub Pages
id-token: write # authentication for GitHub Pages
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
auto-pr:
if: always() && needs.audit.result == 'success' && (needs.deploy.result == 'success' || needs.deploy.result == 'skipped')
needs: [audit, deploy]
uses: ./.github/workflows/auto-pr.yml
permissions: {}
with:
dry-run: ${{ github.event_name == 'pull_request' }}
secrets:
BREWTESTBOT_SSH_SIGNING_KEY: ${{ secrets.BREWTESTBOT_SSH_SIGNING_KEY }}
BREW_PIP_AUDIT_GH_TOKEN: ${{ github.event_name == 'pull_request' && secrets.GITHUB_TOKEN || secrets.BREW_PIP_AUDIT_GH_TOKEN }}