
Make pip-audit in CI optional via configuration#31

Merged
tsvikas merged 3 commits into main from claude/remove-pip-audit-lockfile-7uzm1 on May 14, 2026

Conversation

@tsvikas (Owner) commented May 14, 2026

Summary

This change makes the pip-audit job in the weekly CI workflow optional by introducing a new audit_in_ci configuration option in copier.yml. The pip-audit job and its associated failure notification logic are now conditionally included based on this setting.

Key Changes

  • Added audit_in_ci boolean configuration option to copier.yml (defaults to false)
    • Includes documentation explaining that pip-audit is primarily relevant for developer safety, while downstream consumers resolve their own dependencies
    • Notes that GitHub Dependabot alerts and just deps-audit are always available alternatives
  • Wrapped the entire pip-audit job in the workflow template with a conditional Jinja2 block ({%- if audit_in_ci %}...{%- endif %})
  • Removed the permissions: issues: write declaration from the pip-audit job (no longer needed when job is optional)
  • Removed the "Create failure issue" step that was responsible for creating/updating GitHub issues on audit failures

Implementation Details

The conditional wrapping ensures that when audit_in_ci is false, the pip-audit job and all its associated infrastructure (including issue creation logic) are completely excluded from the generated workflow file. This allows projects to opt-in to this security check rather than having it enabled by default.

https://claude.ai/code/session_01AhNeEPbEPMvNMkT268pd3n
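The option and the conditional wrapping described above, as an added illustration rather than the PR's own diff. The copier question fields (`type`, `default`, `help`) are standard copier syntax; the workflow filename, the cron schedule, the test recipe and the audit command are assumptions:

```yaml
# copier.yml (illustrative fragment; the real option text lives in the PR)
audit_in_ci:
  type: bool
  default: false
  help: |
    Run pip-audit against the locked dependency set in the weekly CI
    workflow. The lockfile only affects developers of this project;
    downstream consumers resolve their own dependencies. GitHub
    Dependabot alerts and `just deps-audit` remain available either way.

# .github/workflows/weekly-ci.yml.jinja (assumed filename; copier renders
# *.jinja files and strips the suffix)
name: weekly-ci
on:
  schedule:
    - cron: "0 6 * * 1"   # constructed schedule: Mondays at 06:00 UTC
  workflow_dispatch:

jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: just test          # placeholder for the project's test recipe
{%- if audit_in_ci %}
  # Everything between the Jinja tags, including any permissions block,
  # is absent from the rendered file when audit_in_ci is false, so the
  # generated workflow never requests issues: write for this job.
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          pipx install pip-audit
          # Exporting the lock to requirements.txt is an assumption;
          # the PR only says the audit runs on the full locked set.
          pip-audit --strict -r requirements.txt
      # No "create failure issue" step: a failed workflow run is the signal.
{%- endif %}
```

The leading `-` in `{%- if ... %}` and `{%- endif %}` strips the newline before each tag, so the rendered file has no stray blank lines and the `pip-audit:` key stays indented under `jobs:` when the option is true.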

claude added 3 commits May 13, 2026 13:39

Make pip-audit in CI opt-in. Default (false) drops the pip-audit step
from ci.yml and the pip-audit job from weekly-ci.yml -- rely on GitHub
Dependabot alerts and run `just deps-audit` locally instead. When
enabled, audit runs on the full locked set without filing an issue
on failure; the failed workflow run is the signal.

The weekly pip-audit job re-ran against an unchanged lockfile and
generated noisy issues whenever a new CVE was disclosed. Remove it
entirely; the per-PR/push audit step (still gated by audit_in_ci)
already covers actual dependency changes. Expand the option's help
text to note that the audit only covers locked deps, which are
irrelevant to downstream consumers.

The per-PR/push pip-audit step in ci.yml only fires when the lockfile
changes, so it's cheap and accurate -- keep it always on. The weekly
audit re-scans an unchanged lockfile against newly-disclosed CVEs and
is the noisy one; gate that behind audit_in_ci instead. Drop its
issue-creation step (failed workflow run is the signal).

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've reviewed your changes and they look great!


@tsvikas tsvikas merged commit 008a3c7 into main May 14, 2026
5 checks passed
@tsvikas tsvikas deleted the claude/remove-pip-audit-lockfile-7uzm1 branch May 14, 2026 10:30