chore(gha): separate scheduled audit in separate workflow

Author: helmut-hoffer-von-ankershoffen

.github/workflows/_scheduled-audit.yml

@@ -0,0 +1,71 @@
+name: "Scheduled Audit"
+
+on:
+  workflow_call:
+    # No inputs needed at this time
+
+jobs:
+  audit-scheduled:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
+        with:
+          version: "0.6.3"
+          enable-cache: true
+          cache-dependency-glob: uv.lock
+
+      - name: Install dev tools
+        shell: bash
+        run: .github/workflows/_install_dev_tools.bash
+
+      - name: Install Python, venv and dependencies
+        shell: bash
+        run: uv sync --all-extras --frozen --link-mode=copy
+
+      - name: Create .env file
+        uses: SpicyPizza/create-envfile@ace6d4f5d7802b600276c23ca417e669f1a06f6f # v2.0.3
+        with:
+          envkey_AIGNOSTICS_LOGFIRE_TOKEN: "${{ secrets.AIGNOSTICS_LOGFIRE_TOKEN }}"
+          envkey_AIGNOSTICS_SENTRY_DSN: "${{ secrets.AIGNOSTICS_SENTRY_DSN }}"
+          envkey_AIGNOSTICS_API_ROOT: https://platform.aignostics.com
+          envkey_AIGNOSTICS_CLIENT_ID_DEVICE: ${{ secrets.AIGNOSTICS_CLIENT_ID_DEVICE }}
+          envkey_AIGNOSTICS_CLIENT_ID_INTERACTIVE: ${{ secrets.AIGNOSTICS_CLIENT_ID_INTERACTIVE }}
+          envkey_AIGNOSTICS_REFRESH_TOKEN: ${{ secrets.AIGNOSTICS_REFRESH_TOKEN }}
+          envkey_AIGNOSTICS_BUCKET_NAME: ${{ secrets.AIGNOSTICS_BUCKET_NAME }}
+          envkey_AIGNOSTICS_BUCKET_HMAC_ACCESS_KEY_ID: ${{ secrets.AIGNOSTICS_BUCKET_HMAC_ACCESS_KEY_ID }}
+          envkey_AIGNOSTICS_BUCKET_HMAC_SECRET_ACCESS_KEY: ${{ secrets.AIGNOSTICS_BUCKET_HMAC_SECRET_ACCESS_KEY }}
+          fail_on_empty: false
+
+      - name: Set up GCP credentials for bucket access
+        shell: bash
+        run: |
+          echo "${{ secrets.GCP_CREDENTIALS }}" | base64 -d > credentials.json
+          echo "GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json" >> $GITHUB_ENV
+
+      - name: Audit
+        shell: bash
+        run: make audit
+
+      - name: Upload test results
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        if: ${{ always() && (env.GITHUB_WORKFLOW_RUNTIME != 'ACT') }}
+        with:
+          name: test-results-scheduled
+          path: |
+            reports/mypy_junit.xml
+            reports/sbom.json
+            reports/sbom.spdx
+            reports/licenses.csv
+            reports/licenses.json
+            reports/licenses_grouped.json
+            reports/vulnerabilities.json
+          retention-days: 7

.github/workflows/_scheduled-test.yml

@@ -51,10 +51,6 @@ jobs:
           echo "${{ secrets.GCP_CREDENTIALS }}" | base64 -d > credentials.json
           echo "GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json" >> $GITHUB_ENV
 
-      - name: Audit
-        shell: bash
-        run: make audit
-
       - name: Test / scheduled
         env:
           BETTERSTACK_HEARTBEAT_URL: "${{ secrets.BETTERSTACK_HEARTBEAT_URL }}"
@@ -100,13 +96,6 @@ jobs:
         with:
           name: test-results-scheduled
           path: |
-            reports/mypy_junit.xml
-            reports/sbom.json
-            reports/sbom.spdx
-            reports/licenses.csv
-            reports/licenses.json
-            reports/licenses_grouped.json
-            reports/vulnerabilities.json
             reports/junit.xml
             reports/coverage.xml
             reports/coverage.md

.github/workflows/audit-scheduled.yml

@@ -0,0 +1,13 @@
+name: "Scheduled Audit"
+
+on:
+  schedule:
+    - cron: '0 * * * *'
+
+jobs:
+  audit-scheduled:
+    uses: ./.github/workflows/_scheduled-audit.yml
+    permissions:
+      contents: read
+      id-token: write
+    secrets: inherit