Skip to content

Fix CI security vulnerabilities and clean up #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
VirtualAgentics merged 2 commits into from
Oct 19, 2025
Merged

Fix CI security vulnerabilities and clean up #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2fdc263
Fix CI security vulnerabilities and clean up
AlmostBald-TRADING Oct 19, 2025
12258f5
Fix code formatting for CI
AlmostBald-TRADING Oct 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 9 additions & 3 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,20 +23,26 @@ jobs:
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install safety pip-audit
- name: Update vulnerable dependencies
Comment on lines 23 to +26
Copy link
Contributor

@coderabbitai coderabbitai bot Oct 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major

Deduplicate installs; keep one source of truth.

You install from requirements then reinstall tools unpinned. Either keep tools in requirements, or install pinned here—don’t do both.

-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt
-          pip install safety pip-audit
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install safety pip-audit
- name: Update vulnerable dependencies
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Update vulnerable dependencies
🤖 Prompt for AI Agents 
.github/workflows/ci.yml around lines 23-26: the workflow installs requirements
and then separately reinstalls tools (safety, pip-audit), causing
duplicate/unpinned installs; choose one source of truth and consolidate
installs: either remove safety and pip-audit from the requirements.txt and
install them here with explicit pinned versions (pip install safety==X.Y.Z
pip-audit==A.B.C) or remove the separate pip install line and pin those tools in
requirements.txt, then keep only the single install step (python -m pip install
-r requirements.txt). Update the file to reflect the chosen approach and ensure
version pinning is used for security tools.

run: |
pip install --upgrade pip
pip install --upgrade starlette
- name: Lint
Comment on lines +26 to 30
Copy link
Contributor

@coderabbitai coderabbitai bot Oct 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Remove ad‑hoc “Update vulnerable dependencies”.

Upgrading Starlette/Pip here creates drift vs requirements and local dev. Declare versions in requirements (or a constraints file) instead.

-      - name: Update vulnerable dependencies
-        run: |
-          pip install --upgrade pip
-          pip install --upgrade starlette
+      # Removed: versioning handled via requirements/constraints for reproducibility
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Update vulnerable dependencies
run: |
pip install --upgrade pip
pip install --upgrade starlette
- name: Lint
# Removed: versioning handled via requirements/constraints for reproducibility
- name: Lint
🤖 Prompt for AI Agents 
.github/workflows/ci.yml lines 26-30: remove the ad-hoc "Update vulnerable
dependencies" step (the pip upgrade and pip install --upgrade starlette) from
the workflow so CI doesn't mutate environment vs pinned dependency files;
instead add or update explicit version pins for pip/starlette in
requirements.txt or a constraints file, ensure the workflow uses pip install -r
requirements.txt (or pip install --constraint constraints.txt -r
requirements.txt) to install fixed versions, and commit the updated
requirements/constraints so CI and local dev use the same versions.

run: |
ruff check src
black --check src
- name: Security audit
run: |
safety check
pip-audit --desc --format=json --output=audit-results.json
safety check --json > safety-results.json || true
pip-audit --desc --format=json --output=audit-results.json || true
Comment on lines +36 to +37
Copy link
Contributor

@coderabbitai coderabbitai bot Oct 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major

Use safety scan (check is deprecated) and ensure valid JSON.

check emits deprecation banners; scan returns clean JSON. Also prefer step-level continue-on-error.

-          safety check --json > safety-results.json || true
-          pip-audit --desc --format=json --output=audit-results.json || true
+      - name: Security audit
+        continue-on-error: true
+        run: |
+          safety scan --json > safety-results.json
+          pip-audit --desc --format=json --output=audit-results.json

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents 
In .github/workflows/ci.yml around lines 36-37, replace the deprecated "safety
check --json > safety-results.json || true" with "safety scan --json >
safety-results.json" so the tool emits clean JSON (remove the shell "|| true"),
and move error tolerance to the GitHub Actions step by adding
"continue-on-error: true" to that step; keep "pip-audit --desc --format=json
--output=audit-results.json" as-is (no "|| true") so both tools produce valid
JSON files while the workflow step controls continuation on failure.

- name: Upload security audit results
if: always()
uses: actions/upload-artifact@v4
with:
name: security-audit-results
path: audit-results.json
path: |
safety-results.json
audit-results.json
- name: Import smoke test
run: |
python - << 'PY'
Expand Down
279 changes: 0 additions & 279 deletions GITHUB_SECURITY_SETUP.md
View file
Open in desktop

This file was deleted.

Loading