Update generate CI workflow for pip-audit #412
Merged
Description
This is something I missed updating in the recently merged PR for updating dependencies (#411).
AI summary
This pull request updates the project's dependency management and CI workflow to improve security auditing and dependency handling. The main changes include configuring Dependabot to monitor additional directories, updating CI requirements, and enhancing the pip-audit step in the workflow.
Dependency management improvements:
.github/dependabot.yml to monitor both the root directory and .github/utils for Python dependencies, ensuring that all relevant requirements files are kept up to date.
pip-tools==7.5.0 to .github/utils/requirements_ci.txt to support deterministic dependency compilation in CI.
CI workflow enhancements:
ci_tests.yml workflow to install dependencies from .github/utils/requirements_ci.txt instead of using editable installs, and added a step to generate a complete requirements file for pip-audit using pip-compile.
Type of change
Checklist for the reviewer
This checklist should be used as a help for the reviewer.