ci: add ORT (OSS Review Toolkit) workflow suite #21
Conversation
Co-authored-by: habanwer <168052213+habanwer@users.noreply.github.com>
Pull request overview
Adds an ORT (OSS Review Toolkit) GitHub Actions workflow to analyze Python dependencies, query OSV advisories, and generate SBOM artifacts for supply-chain visibility.
Changes:
- Introduces a scheduled + PR/push-triggered ORT pipeline (analyzer/advisor/reporter) using
oss-review-toolkit/ort-ci-github-action. - Generates SBOM outputs (CycloneDX, SPDX, WebApp) and uploads ORT results as workflow artifacts.
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | ||
| with: | ||
| name: ort-results | ||
| path: ~/.ort/ort-results/ |
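Review bot: the `if-no-files-found` setting on this step matters as much as the `path`: with `warn` (the value the review comment cites) an upload that matches nothing, for example because `~` was not expanded, leaves the job green with no SBOM attached. Set `if-no-files-found: error` so a missing `~/.ort/ort-results/` fails the run, and pair that with the absolute-path or copy-into-workspace fix.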
actions/upload-artifact does not reliably expand ~ (tilde) in path, so this may end up looking for a literal ~/.ort/ort-results/ directory and upload nothing (only warning due to if-no-files-found: warn). Prefer copying the ORT results into the workspace and uploading a relative path, or use a GitHub expression that resolves to an absolute path (not shell expansion).
| path: ~/.ort/ort-results/ | |
| path: ${{ env.HOME }}/.ort/ort-results/ |
Codacy's Analysis Summary: 0 new issues (≤ 0 issue)
Pull Request Overview
The ORT workflow is correctly implemented and follows security best practices like SHA pinning and job-level permission resets. The tool configuration is appropriately set to informational for its initial rollout. The only recommendation is to refine the workflow permissions to remove an unused grant.
Test suggestions
- Verify that the workflow generates valid CycloneDX and SPDX SBOM artifacts within the `ort-results` artifact after a successful run
- Verify that the Advisor identifies vulnerabilities by temporarily adding a known-vulnerable package (e.g., `requests==2.6.0`) to `requirements.txt` and checking the ORT results
| permissions: | ||
| contents: read | ||
| security-events: write |
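Review bot: `security-events: write` is only consumed by a step that uploads SARIF, and the pipeline described in this PR (analyzer/advisor/reporter plus an artifact upload) has no such step, so the grant is dead weight against the `permissions: {}` reset convention the description cites. Drop it to `contents: read` here; if SARIF upload is added later, grant `security-events: write` on that job alone rather than restoring it as a standing permission.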
⚪ LOW RISK
The security-events: write permission is currently unused as the workflow is not configured to generate or upload SARIF reports. To maintain a least-privilege baseline, this permission should be removed.
This might be a simple fix:
| permissions: | |
| contents: read | |
| security-events: write | |
| permissions: | |
| contents: read |
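A check for the two test suggestions above, written for this thread as an added example (it is not code from the PR or from ORT): it parses the CycloneDX and SPDX JSON files a reporter run leaves in `ort-results`, reports structural problems, and lists the advisory IDs attached to a named component, which is how a `requests==2.6.0` canary can be confirmed without reading the report by hand. Assumptions: the reports are JSON (ORT can also emit XML, YAML and tag-value, not handled here), the project is PyPI-only so purls start with `pkg:pypi/`, and advisor findings are carried in the CycloneDX top-level `vulnerabilities` list with `affects[].ref` pointing at component `bom-ref`s. The sample documents are constructed for the example; the advisory ID in them is a real one for requests before 2.20.0.

```python
"""Sanity checks for SBOMs in an ORT reporter output directory.

Example code for this review thread, not part of the PR or of ORT.
Assumes JSON reports, a PyPI-only project, and advisor findings in the
CycloneDX top-level `vulnerabilities` list (assumption about ORT output).
"""
import json
from pathlib import Path


def check_cyclonedx(doc: dict) -> list[str]:
    """Return a list of problems in a CycloneDX document (empty means OK)."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append(f"bomFormat is {doc.get('bomFormat')!r}, expected 'CycloneDX'")
    if not str(doc.get("specVersion", "")).startswith("1."):
        problems.append("specVersion missing or not a 1.x version")
    components = doc.get("components")
    if not isinstance(components, list) or not components:
        problems.append("components list missing or empty")
        return problems
    for i, comp in enumerate(components):
        for key in ("name", "version"):
            if not comp.get(key):
                problems.append(f"component[{i}] lacks {key}")
        purl = comp.get("purl", "")
        # Assumption: PyPI-only project, so every purl should be a pypi purl.
        if not purl.startswith("pkg:pypi/"):
            problems.append(f"component[{i}] purl {purl!r} is not a PyPI purl")
    return problems


def check_spdx(doc: dict) -> list[str]:
    """Return a list of problems in an SPDX JSON document (empty means OK)."""
    problems = []
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        problems.append("spdxVersion missing")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        problems.append("document SPDXID must be SPDXRef-DOCUMENT")
    if not doc.get("packages"):
        problems.append("packages list missing or empty")
    return problems


def vulnerabilities_for(doc: dict, package_name: str) -> list[str]:
    """IDs of CycloneDX vulnerabilities whose affects[].ref points at package_name."""
    refs = {c.get("bom-ref") for c in doc.get("components", []) if c.get("name") == package_name}
    return [
        vuln.get("id")
        for vuln in doc.get("vulnerabilities", [])
        if any(a.get("ref") in refs for a in vuln.get("affects", []))
    ]


def check_results_dir(results_dir: str) -> dict[str, list[str]]:
    """Run the matching check over every *.json report; problems keyed by file name."""
    out = {}
    for path in Path(results_dir).glob("*.json"):
        doc = json.loads(path.read_text())
        if "bomFormat" in doc:
            out[path.name] = check_cyclonedx(doc)
        elif "spdxVersion" in doc:
            out[path.name] = check_spdx(doc)
    return out


# Constructed sample documents for the requests==2.6.0 canary case; the
# advisory ID is a real one affecting requests < 2.20.0, the documents are hand-written.
SAMPLE_CDX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.6.0", "name": "requests",
         "version": "2.6.0", "purl": "pkg:pypi/requests@2.6.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2018-18074", "affects": [{"ref": "pkg:pypi/requests@2.6.0"}]},
    ],
}
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"name": "requests", "versionInfo": "2.6.0"}],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Point this at a downloaded ort-results artifact directory.
        for name, problems in check_results_dir(sys.argv[1]).items():
            print(name, "OK" if not problems else problems)
    else:
        print(check_cyclonedx(SAMPLE_CDX), check_spdx(SAMPLE_SPDX))
        print(vulnerabilities_for(SAMPLE_CDX, "requests"))
```

Run it against the unpacked `ort-results` artifact (`python check_sbom.py path/to/ort-results`); an empty problem list for each file covers the first suggestion, and a non-empty `vulnerabilities_for(doc, "requests")` on the CycloneDX report covers the second. The PyPI-only purl check is deliberately strict for this repository and would need relaxing for a polyglot project.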
No ORT integration existed; the repo had no SBOM generation, license compliance checks, or OSV-backed dependency advisory beyond `pip-audit`.

Changes
- `.github/workflows/ort.yml`: new workflow running the full ORT pipeline over `requirements.txt` (pip/PyPI)

Key decisions
- `allow-dynamic-versions: true`: `requirements.txt` uses unpinned specifiers
- `fail-on: ''`
- evaluator
- `62e59b4b`
- Follows existing workflow conventions: pinned SHAs, `permissions: {}` reset with least-privilege grants, Sunday 01:00 UTC schedule (no overlap with existing Saturday scans).