Fix pyproject.toml: move dependencies back under [project] section #31
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: SBOM + Dependency Audit | |
| on: | |
| push: | |
| branches: [main] | |
| schedule: | |
| - cron: "0 6 * * 1" | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| sbom-and-audit: | |
| name: Generate SBOM & scan dependencies | |
| runs-on: ubuntu-latest | |
| continue-on-error: true | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Install project + tools | |
| run: | | |
| pip install . | |
| pip install pip-audit cyclonedx-bom pip-licenses | |
| - name: Generate CycloneDX SBOM (JSON) | |
| run: | | |
| cyclonedx-py environment \ | |
| --output-format json \ | |
| --outfile sbom-cyclonedx.json \ | |
| 2>&1 || cyclonedx-py --format json -o sbom-cyclonedx.json 2>&1 || true | |
| echo "CycloneDX SBOM generated" | |
| - name: Generate dependency list with licenses | |
| run: | | |
| pip-licenses --format=json --with-urls --with-description > dependencies-licenses.json | |
| pip-licenses --format=plain --with-urls | |
| echo "" | |
| echo "=== License summary ===" | |
| pip-licenses --summary | |
| - name: Audit dependencies for vulnerabilities | |
| run: | | |
| echo "=== Scanning all installed packages (including transitive) ===" | |
| pip-audit --desc --format=json --output=audit-report.json 2>&1 || true | |
| echo "" | |
| echo "=== Audit Results ===" | |
| pip-audit --desc 2>&1 || true | |
| - name: Count results | |
| run: | | |
| echo "=== Installed packages ===" | |
| pip list --format=columns | wc -l | |
| echo "" | |
| echo "=== Direct dependencies ===" | |
| python3 -c "import tomli; deps=tomli.load(open('pyproject.toml','rb'))['project']['dependencies']; print(f'{len(deps)} direct dependencies')" | |
| echo "" | |
| echo "=== Transitive dependencies ===" | |
| pip list --format=json | python3 -c "import sys,json; pkgs=json.load(sys.stdin); print(f'{len(pkgs)} total packages installed (direct + transitive)')" | |
| - name: Upload SBOM artifact | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom-report | |
| path: | | |
| sbom-cyclonedx.json | |
| dependencies-licenses.json | |
| audit-report.json | |
| retention-days: 90 |