.github/workflows/audit.yaml

name: Audit

on:
  push:
    branches:
      - fix-audit
  schedule:
    - cron: '30 2 * * *'

jobs:
  audit:
    name: Audit
    runs-on: ${{ matrix.os }}
    timeout-minutes: 20

    strategy:
      fail-fast: false
      matrix:
        include:
          - branch: '2.6'
            os: ubuntu-20.04
          - branch: '2.7'
            os: ubuntu-22.04
          - branch: '2.8'
            os: ubuntu-22.04

    steps:
      # For version below 2.7 (included)
      - run: |
          sudo apt-get update || true
          sudo apt-get install --yes libgdal-dev libgraphviz-dev

      # Have an httplib2 version without any security issues
      - run: sudo python3 -m pip install --upgrade httplib2 numpy

      - uses: actions/checkout@v4
        with:
          ref: ${{ matrix.branch }}
          token: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}

      - uses: camptocamp/initialise-gopass-summon-action@v2
        with:
          ci-gpg-private-key: ${{secrets.CI_GPG_PRIVATE_KEY}}
          github-gopass-ci-token: ${{secrets.GOPASS_CI_GITHUB_TOKEN}}

      - run: if [ -e requirements.txt ] ; then pip install --requirement=requirements.txt; fi

      - run: python3 -m venv ~/.venv
      - run: ~/.venv/bin/pip install --upgrade --pre c2cciutils[audit]
      - run: python3 -m pip install --upgrade --pre c2cciutils[audit]

      - name: Check .tool-versions file existence
        id: tool-versions
        uses: andstor/file-existence-action@v3
        with:
          files: .tool-versions
      - uses: asdf-vm/actions/install@v3
        if: steps.tool-versions.outputs.files_exists == 'true'
      - run: cat /tmp/python-build.*.log
        if: failure()
      - run: python --version

      - name: Snyk audit
        run: ~/.venv/bin/c2cciutils-audit --branch=${{ matrix.branch }}
        env:
          GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
      - name: Check ci/dpkg-versions.yaml file existence
        id: dpkg-versions
        uses: andstor/file-existence-action@v3
        with:
          files: ci/dpkg-versions.yaml
      - name: Update dpkg packages versions
        run: ~/.venv/bin/c2cciutils-docker-versions-update --branch=${{ matrix.branch }}
        env:
          GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
        if: steps.dpkg-versions.outputs.files_exists == 'true'