MNT: Use hash for Action workflow versions and update, and add dependabot, if needed #6
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## This runs bandit checks on all PRs and upload artifact | |
| ## Currently set only for high severity and high criticality | |
| name: BanditEverything | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| workflow_call: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| bandit-scan: | |
| runs-on: ubuntu-latest | |
| env: | |
| ARTIFACT_ROOT: bandit-results | |
| PR_NUMBER: ${{ github.event.number }} | |
| permissions: | |
| # only required for workflows in private repositories, remaining set to none | |
| actions: read | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| - name: Setup Python | |
| uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 | |
| with: | |
| python-version: ${{ vars.PYTHON_VERSION }} | |
| - name: Get changed notebooks | |
| id: get-changed-notebooks | |
| uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45.0.2 | |
| with: | |
| separator: " " # nbconvert accepts space separated file list | |
| safe_output: false # binding to env below | |
| files: | | |
| **/*.ipynb | |
| - name: Install Bandit | |
| id: install-bandit | |
| run: | | |
| python --version | |
| python -m pip install --upgrade pip | |
| pip install bandit | |
| echo "BANDIT_ARTIFACT=$ARTIFACT_ROOT.$PR_NUMBER.json" >> "$GITHUB_ENV" | |
| - name: Install nbconvert | |
| if: ${{ steps.get-changed-notebooks.outputs.any_changed == 'true' }} | |
| run: pip install nbconvert ipython | |
| - name: Convert Jupyter notebooks | |
| if: ${{ steps.get-changed-notebooks.outputs.any_changed == 'true' }} | |
| env: | |
| ADDED_FILES: ${{ steps.get-changed-notebooks.outputs.all_changed_files }} | |
| run: | | |
| jupyter nbconvert --allow-errors --sanitize-html --to script $ADDED_FILES | |
| - name: Perform Bandit Analysis | |
| id: bandit-run | |
| run: bandit --format json -o $BANDIT_ARTIFACT --confidence-level high --severity-level high -r . | |
| - name: Upload bandit artifact for PR review | |
| if: ${{ failure() }} | |
| uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: ${{ env.BANDIT_ARTIFACT }} | |
| path: ${{ env.BANDIT_ARTIFACT }} | |
| overwrite: true | |
| retention-days: 14 | |