feat: spawner app + native uv support + deploy lifecycle fix #20
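name: Dependency Audit

on:
  pull_request:
    paths:
      - "requirements.txt"
      - "requirements.lock"
      - "pyproject.toml"
  push:
    branches: [main]
    paths:
      - "requirements.txt"
      - "requirements.lock"
      - "pyproject.toml"
  schedule:
    - cron: '0 6 * * 1' # Weekly Monday 6am UTC - catch newly disclosed CVEs

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository, so read-only checkout is all it needs. Without this the token
# gets the repository's default (possibly write) scopes.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    # Bound a hung resolver / registry call so a stuck run cannot sit for hours.
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.11"

      - name: Install audit tools
        # Tool versions are pinned so an audit result is reproducible; bump them
        # deliberately rather than floating to latest.
        run: pip install pip-audit==2.9.0 uv==0.7.12

      - name: Audit pinned dependencies
        run: |
          if [ -f requirements.lock ]; then
            echo "Auditing requirements.lock (pinned)..."
            # Strip hashes before auditing - pip-audit's pip backend chokes on
            # platform-conditional deps (greenlet) missing from the lockfile.
            # The hashes are verified at install time, not audit time.
            sed '/^[[:space:]]*--hash/d' requirements.lock > /tmp/requirements.lock.nohash
            pip-audit -r /tmp/requirements.lock.nohash --desc on
          else
            echo "::warning::No requirements.lock found - auditing requirements.txt (unpinned)"
            pip-audit -r requirements.txt --desc on
          fi

      - name: Check lockfile is up to date
        # Advisory only: this step emits a warning and never fails the job.
        run: |
          if [ ! -f requirements.lock ]; then
            # Mirrors the previous step: no lockfile means nothing to compare.
            echo "::warning::No requirements.lock found - skipping drift check"
            exit 0
          fi
          uv pip compile requirements.txt -o /tmp/requirements.lock.check --generate-hashes
          # uv writes the invoking command line (including the -o path) into a
          # comment header, so a raw diff against the committed file would
          # report drift on every run. Compare with comment lines removed; the
          # '# via' annotations are dropped too, which is fine because the
          # pinned versions and --hash lines are what matter.
          sed '/^[[:space:]]*#/d' requirements.lock > /tmp/requirements.lock.committed
          sed '/^[[:space:]]*#/d' /tmp/requirements.lock.check > /tmp/requirements.lock.fresh
          if ! diff -q /tmp/requirements.lock.committed /tmp/requirements.lock.fresh > /dev/null 2>&1; then
            echo "::warning::requirements.lock is out of date. Run: uv pip compile requirements.txt -o requirements.lock --generate-hashes"
          fi

      - name: Check npm package resolution
        # NOTE: this only confirms each package still resolves on the registry
        # (a name that vanishes or is unpublished is worth knowing about). It is
        # not a vulnerability audit - no `npm audit` runs here, because these
        # packages are not installed from a package.json in this job.
        run: |
          for pkg in opencode-ai @ai-sdk/openai @openai/codex @google/gemini-cli; do
            echo "--- Checking $pkg ---"
            npm view "$pkg" version 2>/dev/null || echo "::warning::Could not resolve $pkg"
          done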