diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
index 1680f9a..14ea4ec 100644
--- a/.github/workflows/selftest.yml
+++ b/.github/workflows/selftest.yml
@@ -128,6 +128,27 @@ jobs:
 run: |
 grep 'pip-audit did not return any output' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
+ selftest-locked:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ - uses: ./
+ id: pip-audit
+ with:
+ # should attempt to discover test/pylock/pylock.toml
+ inputs: test/pylock/
+ locked: true
+ # NOTE: We intentionally allow failure here, since the self-test
+ # explicitly uses a vulnerable requirements file.
+ internal-be-careful-allow-failure: true
+ - name: assert expected output
+ env:
+ PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
+ run: |
+ grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
+
 all-selftests-pass:
 if: always()
diff --git a/README.md b/README.md
index c5fb4bb..a0c2200 100644
--- a/README.md
+++ b/README.md
@@ -270,6 +270,21 @@ Example
 no-deps: true
 ```
+### `locked`
+
+**Default**: `false`
+
+The `locked` setting enables audits of lock files (`pylock.*.toml`) from the local Python project.
+
+Example
+
+```yaml
+- uses: pypa/gh-action-pip-audit@v1.1.0
+ with:
+ inputs: path/to/project/
+ locked: true
+```
+
 ### Internal options
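Review bot: The new `selftest-locked` job is not added to the `needs:` list of `all-selftests-pass`, whose `needs:` stanza lies outside this hunk; if that gate enumerates the self-test jobs explicitly, as the trailing `if: always()` context suggests, the locked audit will run but never be required to pass, so add `selftest-locked` to that list in the same change. Separately, the assertion `grep -E 'pyyaml\s+\|\s+5.1'` leaves the dot unescaped and the version unanchored, so it also matches `5.10` or `5.11`; `grep -E 'pyyaml\s+\|\s+5\.1\s'` pins the version the fixture actually declares, given the `| `-separated columns the existing pattern already relies on. The copied NOTE comment should also read `# explicitly uses a vulnerable lock file.`, since this job audits `test/pylock/`, not a requirements file.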
⚠️ Internal options ⚠️
diff --git a/action.py b/action.py
index b49955f..22b2cb2 100755
--- a/action.py
+++ b/action.py
@@ -106,6 +106,10 @@ def _fatal_help(msg):
 ]
 )
+locked = os.getenv("GHA_PIP_AUDIT_LOCKED", "false") != "false"
+if locked:
+ pip_audit_args.append("--locked")
+
 # If inputs is empty, we let `pip-audit` run in "`pip list` source" mode by not
 # adding any explicit input argument(s).
 # Otherwise, we handle either exactly one project path (a directory)
@@ -123,6 +127,8 @@ def _fatal_help(msg):
 else:
 if not input_.is_file():
 _fatal_help(f"input {input_} does not look like a file")
+ if locked:
+ _fatal_help("locked only applies to audits of project paths")
 pip_audit_args.extend(["--requirement", input_])
 _debug(f"running: pip-audit {[str(a) for a in pip_audit_args]}")
diff --git a/action.yml b/action.yml
index 73cf61c..567f80e 100644
--- a/action.yml
+++ b/action.yml
@@ -46,6 +46,10 @@ inputs:
 description: "disable pip"
 required: false
 default: false
+ locked:
+ description: "audit lock files from the local Python project"
+ required: false
+ default: false
 internal-be-careful-allow-failure:
 description: "don't fail the job if the audit fails (default false)"
 required: false
@@ -88,6 +92,7 @@ runs:
 GHA_PIP_AUDIT_EXTRA_INDEX_URLS: "${{ inputs.extra-index-urls }}"
 GHA_PIP_AUDIT_IGNORE_VULNS: "${{ inputs.ignore-vulns }}"
 GHA_PIP_DISABLE_PIP: "${{ inputs.disable-pip }}"
+ GHA_PIP_AUDIT_LOCKED: "${{ inputs.locked }}"
 GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_ALLOW_FAILURE: "${{ inputs.internal-be-careful-allow-failure }}"
 GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS: "${{ inputs.internal-be-careful-extra-flags }}"
 shell: bash
diff --git a/test/pylock/pylock.toml b/test/pylock/pylock.toml
new file mode 100644
index 0000000..f6064e3
--- /dev/null
+++ b/test/pylock/pylock.toml
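Review bot: `locked = os.getenv("GHA_PIP_AUDIT_LOCKED", "false") != "false"` treats every value except the exact literal `false` as enabled, including `False`, `0`, `no` and an empty string from an expression that expands to nothing, so a workflow that wires `locked` to a conditional can end up passing `--locked` on every run. Unless the file's other boolean inputs deliberately use the same `!= "false"` idiom (their parsing is outside this hunk and should stay consistent), prefer an explicit opt-in: `locked = os.getenv("GHA_PIP_AUDIT_LOCKED", "false").strip().lower() == "true"`. A short comment above it, `# "true"/"false" string forwarded from inputs.locked by action.yml`, would also record where the value originates.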
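Review bot: The guard `if locked: _fatal_help("locked only applies to audits of project paths")` rejects `locked` combined with a requirements file, but the empty-`inputs` case, which the preceding comment says runs pip-audit in `pip list` source mode, gets no equivalent check and still receives the `--locked` appended in the earlier hunk; whether pip-audit rejects `--locked` without a project path or silently ignores it cannot be told from here. Adding the same `_fatal_help` call in that branch (outside this hunk) would surface the misconfiguration from the action itself rather than from pip-audit's output. Note also that `--locked` is appended before the inputs are validated, which is only harmless if `_fatal_help` exits rather than returns; that is presumably the case but worth confirming.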
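Review bot: The `description` for the new `locked` input does not say that it only works when `inputs` is a project directory, which is exactly the constraint action.py enforces with its `locked only applies to audits of project paths` error, so a user reading only action.yml will pair it with a requirements file and hit that error. Suggest `description: "audit lock files (pylock.*.toml) from the local Python project; requires inputs to be a project path"`. The unquoted `default: false` matches the existing `disable-pip` input directly above it, so it is consistent with the file.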
@@ -0,0 +1,13 @@
+lock-version = "1.0"
+created-by = "pip"
+
+[[packages]]
+name = "pyyaml"
+version = "5.1"
+
+[packages.sdist]
+name = "PyYAML-5.1.tar.gz"
+url = "https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz"
+
+[packages.sdist.hashes]
+sha256 = "436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95"
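Review bot: Nothing in the new fixture records that the pin to `pyyaml` 5.1 is intentional, so a dependency-update bot or a well-meaning maintainer could bump it and silently turn the `selftest-locked` assertion into a failure. A leading comment, `# Intentionally vulnerable lock file consumed by the selftest-locked job; do not update the pinned version.`, makes the purpose self-evident to anyone opening the file.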