ci: periodically scan for vulnerabilities (#132)

sdn4z · web-flow · commit c3c5e48c7dee · 2025-09-16T15:21:05.000+02:00
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -1,41 +1,43 @@
-# This workflow will run security checks against our project
-
 name: Security
 
 on:
   push:
     branches: ["main"]
   pull_request:
     branches: ["main"]
+  schedule:
+    - cron: "0 0 * * 1" # every Monday at 00:00 UTC
 
 jobs:
   osv-scanner:
-    runs-on: ubuntu-latest
     if: "!startsWith(github.event.head_commit.message, 'bump:')"
+    runs-on: ubuntu-latest
     container:
       image: ghcr.io/google/osv-scanner:v2.1.0@sha256:9a1ba57d2a1506c9e9d0dfbeaf46346507e829745b70d47d77e12c38e66de8d7
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run OSV Scanner
         run: |
           /osv-scanner --format table -r .
+
   semgrep:
+    if: github.event_name != 'schedule' && !startsWith(github.event.head_commit.message, 'bump:')
     runs-on: ubuntu-latest
-    if: "!startsWith(github.event.head_commit.message, 'bump:')"
     container:
       image: returntocorp/semgrep:1.128.1@sha256:144d315f7354c2b2c53021a76165a500f67252c47464be75e951b67050f54a9e
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run Semgrep
         run: |
           semgrep scan --config auto
+
   twyn:
+    if: github.event_name != 'schedule' && !startsWith(github.event.head_commit.message, 'bump:')
     runs-on: ubuntu-latest
-    if: "!startsWith(github.event.head_commit.message, 'bump:')"
     container:
       image: elementsinteractive/twyn:2.9.0@sha256:71dc5d45bc42756282dc7adf511e6c015c05b69ef28e2b5556cd155650c3519a
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run twyn
         run: |
-          twyn run -vv
+          twyn run -vv
diff --git a/src/lightman_ai/core/sentry.py b/src/lightman_ai/core/sentry.py
@@ -8,8 +8,8 @@
 def configure_sentry() -> None:
     """Configure Sentry for error tracking."""
     try:
-        import sentry_sdk
-        from sentry_sdk.integrations.logging import LoggingIntegration
+        import sentry_sdk  # noqa: PLC0415
+        from sentry_sdk.integrations.logging import LoggingIntegration  # noqa: PLC0415
     except ImportError:
         logger.warning(
             "Could not initialize sentry, it is not installed! Add it by installing the project with `lightman-ai[sentry]`."
diff --git a/tests/eval/test_classifier.py b/tests/eval/test_classifier.py
@@ -1,10 +1,9 @@
 from datetime import UTC, datetime
 from unittest.mock import Mock, patch
 
-from lightman_ai.article.models import Article, SelectedArticle, SelectedArticlesList
-
 from eval.classifier import Classifier
 from eval.constants import MISSED_ARTICLE_REASON, MISSED_ARTICLE_RELEVANCE_SCORE
+from lightman_ai.article.models import Article, SelectedArticle, SelectedArticlesList
 
 
 class TestClassifier:
diff --git a/uv.lock b/uv.lock
