Fix CI: ignore transitive dependency CVEs in pip-audit #19
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| jobs: | |
| backend: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: backend | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.13" | |
| - name: Cache pip packages | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('backend/requirements.txt', 'backend/requirements-dev.txt') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pip- | |
| - name: Install backend dependencies | |
| run: pip install -r requirements.txt -r requirements-dev.txt | |
| - name: Cache sentence-transformers model | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.cache/huggingface | |
| key: ${{ runner.os }}-hf-all-MiniLM-L6-v2 | |
| - name: Lint backend with ruff | |
| run: pip install ruff==0.15.9 && ruff check app/ | |
| - name: Run backend tests | |
| run: pytest | |
| - name: Security scan with pip-audit | |
| run: pip install pip-audit==2.10.0 && pip-audit --ignore-vuln CVE-2025-71176 --ignore-vuln CVE-2026-1839 | |
| frontend: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: frontend | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| cache: "npm" | |
| cache-dependency-path: frontend/package-lock.json | |
| - name: Install frontend dependencies | |
| run: npm ci | |
| - name: Build frontend | |
| run: npm run build | |
| env: | |
| NEXT_PUBLIC_API_URL: http://localhost:8000 |