openbraininstitute · heerener · Oct 17, 2025 · Oct 13, 2025 · Oct 13, 2025 · Oct 13, 2025
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,44 @@
+---
+name: security checks
+on: pull_request
+jobs:
+  security-checks:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - name: Cache Python dependencies
+        id: cache-deps
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/pypoetry/virtualenvs
+            .venv
+          key: ${{ runner.os }}-security-${{ hashFiles('**/poetry.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-security-
+      - name: Install dependencies
+        run: |
+          pip install poetry
+          poetry sync
+      - name: Poetry audit
+        id: poetry-audit
+        run: |-
+          pip install poetry-audit-plugin
+          poetry audit > audit.txt
+          cat audit.txt
+        continue-on-error: true
+      - name: Comment with audit result
+        uses: marocchino/sticky-pull-request-comment@v2
+        if: github.event_name == 'pull_request'
+        with:
+          recreate: true
+          path: audit.txt