name: Dependency Audit on: pull_request: push: branches: - main schedule: - cron: "23 3 * * 1" jobs: dependency-audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: python-version: "3.12" - uses: actions/setup-node@v4 with: node-version: "22" - name: Configure SSH for release dependencies env: GOVOPLAN_RELEASE_SSH_KEY: ${{ secrets.GOVOPLAN_RELEASE_SSH_KEY }} run: | mkdir -p ~/.ssh chmod 700 ~/.ssh if [ -z "${GOVOPLAN_RELEASE_SSH_KEY:-}" ]; then echo "GOVOPLAN_RELEASE_SSH_KEY secret is required for git+ssh release dependencies." exit 1 fi printf '%s\n' "$GOVOPLAN_RELEASE_SSH_KEY" > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 if ! command -v ssh-keyscan >/dev/null 2>&1; then apt-get update apt-get install -y openssh-client fi ssh-keyscan -4 -H git.add-ideas.de >> ~/.ssh/known_hosts chmod 600 ~/.ssh/known_hosts - name: Install backend dev audit dependencies run: | python -m venv .venv .venv/bin/python -m pip install --upgrade pip .venv/bin/python -m pip install -r requirements-release.txt .venv/bin/python -m pip install 'pip-audit>=2.9,<3' - name: Install WebUI release dependencies working-directory: webui run: | node -e "const fs=require('fs'); const pkg=JSON.parse(fs.readFileSync('package.json')); const rel=JSON.parse(fs.readFileSync('package.release.json')); pkg.dependencies=rel.dependencies; fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n');" npm install - name: Run dependency audits run: bash scripts/check-dependency-audits.sh