feat: support --locked flag

.github/workflows/selftest.yml

@@ -128,6 +128,27 @@ jobs:
         run: |
           grep 'pip-audit did not return any output' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
 
+  selftest-locked:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: ./
+        id: pip-audit
+        with:
+          # should attempt to discover test/pylock/pylock.toml
+          inputs: test/pylock/
+          locked: true
+          # NOTE: We intentionally allow failure here, since the self-test
+          # explicitly uses a vulnerable requirements file.
+          internal-be-careful-allow-failure: true
+      - name: assert expected output
+        env:
+          PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
+        run: |
+          grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
+
   all-selftests-pass:
     if: always()
 

README.md

@@ -270,6 +270,21 @@ Example
     no-deps: true
 ```
 
+### `locked`
+
+**Default**: `false`
+
+The `locked` setting enables audits of lock files (`pylock.*.toml`) from the local Python project.
+
+Example
+
+```yaml
+- uses: pypa/[email protected]
+  with:
+    inputs: path/to/project/
+    locked: true
+```
+
 ### Internal options
 <details>
   <summary>⚠️ Internal options ⚠️</summary>

action.py

@@ -106,6 +106,10 @@ def _fatal_help(msg):
     ]
 )
 
+locked = os.getenv("GHA_PIP_AUDIT_LOCKED", "false") != "false"
+if locked:
+    pip_audit_args.append("--locked")
+
 # If inputs is empty, we let `pip-audit` run in "`pip list` source" mode by not
 # adding any explicit input argument(s).
 # Otherwise, we handle either exactly one project path (a directory)
@@ -123,6 +127,8 @@ def _fatal_help(msg):
     else:
         if not input_.is_file():
             _fatal_help(f"input {input_} does not look like a file")
+        if locked:
+            _fatal_help("locked only applies to audits of project paths")
         pip_audit_args.extend(["--requirement", input_])
 
 _debug(f"running: pip-audit {[str(a) for a in pip_audit_args]}")

action.yml

@@ -46,6 +46,10 @@ inputs:
     description: "disable pip"
     required: false
     default: false
+  locked:
+    description: "audit lock files from the local Python project"
+    required: false
+    default: false
   internal-be-careful-allow-failure:
     description: "don't fail the job if the audit fails (default false)"
     required: false
@@ -88,6 +92,7 @@ runs:
         GHA_PIP_AUDIT_EXTRA_INDEX_URLS: "${{ inputs.extra-index-urls }}"
         GHA_PIP_AUDIT_IGNORE_VULNS: "${{ inputs.ignore-vulns }}"
         GHA_PIP_DISABLE_PIP: "${{ inputs.disable-pip }}"
+        GHA_PIP_AUDIT_LOCKED: "${{ inputs.locked }}"
         GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_ALLOW_FAILURE: "${{ inputs.internal-be-careful-allow-failure }}"
         GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS: "${{ inputs.internal-be-careful-extra-flags }}"
       shell: bash

test/pylock/pylock.toml

@@ -0,0 +1,13 @@
+lock-version = "1.0"
+created-by = "pip"
+
+[[packages]]
+name = "pyyaml"
+version = "5.1"
+
+[packages.sdist]
+name = "PyYAML-5.1.tar.gz"
+url = "https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz"
+
+[packages.sdist.hashes]
+sha256 = "436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95"