Chore: Update test/audit actions (#808)

ModeSevenIndustrialSolutions · web-flow · commit dd4e9fe0adac · 2025-03-31T13:10:06.000+01:00
Signed-off-by: Matthew Watkins &lt;mwatkins@linuxfoundation.org&gt;
diff --git a/.github/actions/python-audit-action/README.md b/.github/actions/python-audit-action/README.md
@@ -0,0 +1,61 @@
+<!--
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+-->
+
+# 🐍 Python Dependency Audit
+
+Check a Python project's dependencies for known security vulnerabilities.
+
+## python-audit-action
+
+## Usage Example
+
+<!-- markdownlint-disable MD046 -->
+
+Below is a sample matrix job configuration for this action:
+
+```yaml
+  python-audit:
+    name: "Python Audit"
+    runs-on: "ubuntu-24.04"
+    needs:
+      - python-build
+    # Matrix job
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.python-build.outputs.matrix_json) }}
+    permissions:
+      contents: read
+    steps:
+      - name: "Audit project dependencies"
+        uses: lfreleng-actions/python-audit-action@main
+        with:
+          python_version: ${{ matrix.python-version }}
+```
+
+In the above example, a prior Python build job has run (not shown).
+
+<!-- markdownlint-enable MD046 -->
+
+## Inputs
+
+<!-- markdownlint-disable MD013 -->
+
+| Variable Name   | Required | Default | Description                                                 |
+| --------------- | -------- | ------- | ----------------------------------------------------------- |
+| PYTHON_VERSION  | True     | N/A     | Matrix job Python version                                   |
+| ARTEFACT_NAME   | False    |         | Build artefacts from previous job(s) have this name/label   |
+| ARTEFACT_PATH   | False    | "dist"  | Build artefacts will download to this folder/directory      |
+| NEVER_FAIL      | False    | False   | Even if a test fails, the workflow will NOT stop on error   |
+| ARTEFACT_PATH   | False    | "dist"  | Stores the test coverage report bundle as an artefact       |
+| SUMMARY         | False    | True    | Whether pypa/gh-action-pip-audit generates summary output   |
+| PATH_PREFIX     | False    | ""      | Path/directory to Python project code                       |
+
+<!-- markdownlint-enable MD013 -->
+
+## Audit Implementation
+
+The audit process uses an external public action:
+
+[https://github.com/pypa/gh-action-pip-audit](https://github.com/pypa/gh-action-pip-audit)
diff --git a/.github/actions/python-audit-action/action.yaml b/.github/actions/python-audit-action/action.yaml
@@ -0,0 +1,89 @@
+---
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+
+# python-audit-action
+name: "🐍 Python Dependency Audit"
+# yamllint disable-line rule:line-length
+description: "Check a Python project's dependencies for known security vulnerabilities"
+
+inputs:
+  # Mandatory
+  PYTHON_VERSION:
+    description: "Python version used to perform audit"
+    required: true
+  # Optional
+  ARTEFACT_NAME:
+    description: "Build artefacts from previous job(s) have this name/label"
+    required: false
+    type: string
+  ARTEFACT_PATH:
+    description: "Build artefacts will be downloaded to this folder/directory"
+    required: true
+    type: string
+    default: "dist"
+  NEVER_FAIL:
+    description: "Continue even when an audit fails"
+    required: false
+    default: false
+  SUMMARY:
+    description: "Whether to generate summary output"
+    type: boolean
+    required: false
+    default: true
+  PATH_PREFIX:
+    description: "Directory location containing project code"
+    type: string
+    required: false
+    default: ""
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Download build artefacts ⬇"
+      # yamllint disable-line rule:line-length
+      uses: actions/download-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: "${{ inputs.artefact_name }}"
+        path: "${{ inputs.artefact_path }}"
+        if-no-files-found: error
+
+    - name: "Setup Python ${{ inputs.python_version }}"
+      # yamllint disable-line rule:line-length
+      uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      with:
+        python-version: ${{ inputs.python_version }}
+
+    - name: "Install tooling and build products/dependencies"
+      shell: bash
+      run: |
+        # Install tooling and build products/dependencies
+        echo "Upgrading: pip, pipx, setuptools"
+        python -m pip install -q --upgrade pip pipx setuptools
+        echo "Installing built package(s) and dependencies"
+        for WHEEL in ${{ inputs.artefact_path }}/*.whl; do
+          echo "Installing: $WHEEL"
+          pip install -q "$WHEEL"
+        done
+
+    - name: "Install from Pipfile.lock/requirements.txt"
+      shell: bash
+      run: |
+        # Export/install additional dependencies
+        if [ -f "${{ inputs.path_prefix }}"Pipfile.lock ]; then
+          echo "Exporting dependencies from: Pipfile.lock"
+          pipx run pipfile-requirements ${{ inputs.path_prefix }}Pipfile.lock \
+            > ${{ inputs.path_prefix }}requirements.txt
+        fi
+        if [ -f "${{ inputs.path_prefix }}"requirements.txt ]; then
+          echo "Installing dependencies from: requirements.txt"
+          pip install -q -r requirements.txt
+        fi
+
+    - name: "Auditing with: pypa/gh-action-pip-audit"
+      # yamllint disable-line rule:line-length
+      uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0
+      with:
+        inputs: ${{ inputs.path_prefix }}
+        summary: ${{ inputs.summary }}
+        virtual-environment: env/
diff --git a/.github/actions/python-test-action/action.yaml b/.github/actions/python-test-action/action.yaml
@@ -41,7 +41,6 @@ runs:
       shell: bash
       run: |
         # Setup action/environment
-        set -vx
         if [ -z "${{ inputs.python_version }}" ]; then
           echo "Error: Python version was not provided ❌"
           exit 1
@@ -74,10 +73,10 @@ runs:
         echo "Installing project and dependencies"
         # Note: quirks with pip install need careful handling
 
-
-        if [ -f "$path_prefixpyproject.toml" ]; then
+        if [ -f "$path_prefix"pyproject.toml ]; then
           echo "Source: ${path_prefix%/} ⬇️"
-          pip install -q ${path_prefix%/}
+          pip install -q "$path_prefix"
+          # pip install -q ${path_prefix%/}
         elif [ -z "$path_prefix" ] && \
           [ -f pyproject.toml ]; then
             echo "Source: pyproject.toml ⬇️"
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -36,6 +36,7 @@ jobs:
     runs-on: ubuntu-24.04
     outputs:
       matrix_json: ${{ steps.python-build.outputs.matrix_json }}
+      artefact_name: ${{ steps.python-build.outputs.artefact_name }}
       artefact_path: ${{ steps.python-build.outputs.artefact_path }}
     permissions:
       contents: write
@@ -103,9 +104,10 @@ jobs:
 
       - name: "Audit Python project"
         # yamllint disable-line rule:line-length
-        uses: lfreleng-actions/python-audit-action@f6ded736889b9dd75ec36a5aa83ff1efc4a6fbc7 # v0.1.0
+        uses: os-climate/osc-github-devops/.github/actions/python-audit-action@main
         with:
           python_version: ${{ matrix.python-version }}
+          artefact_name: ${{ needs.python-build.outputs.artefact_name }}
           artefact_path: ${{ needs.python-build.outputs.artefact_path }}
 
   notebooks:
