test-security.yml

# Python 依存パッケージの脆弱性診断を定期的に行う
# NOTE: 公式 Action は API key 等を必要とするため利用しない（https://github.com/pyupio/safety-action/tree/main）

name: Test Security

on:
  schedule:
    - cron: "00 04 15 * *" # 毎月15日 13:00 JST
  workflow_dispatch:

env:
  PYTHON_VERSION: "3.11.9"

defaults:
  run:
    shell: bash

jobs:
  test-security:
    runs-on: ubuntu-20.04
    steps:
      - name: <Setup> Check out the repository
        uses: actions/checkout@v4

      - name: <Setup> Prepare Python Runtime / Python Dependencies
        uses: ./.github/actions/prepare_python
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: <Setup> Install Poetry
        run: python -m pip install poetry

      - name: <Setup> Cache Poetry
        uses: actions/cache@v4
        with:
          path: ~/.cache/pypoetry
          key: ${{ runner.os }}-${{ runner.arch }}-poetry-${{ hashFiles('**/poetry.lock') }}

      - name: <Setup> Install Python dependencies
        run: poetry install --with=dev

      - name: <Test> Check Python dependency security
        run: poetry run safety check --ignore 70612 -o bare

      # - name: <Deploy> Notify Discord of security testing result
      #   uses: sarisia/actions-status-discord@v1
      #   if: always()
      #   with:
      #     webhook: ${{ secrets.DISCORD_WEBHOOK_URL }}
      #     username: GitHub Actions
      #     title: "依存パッケージ脆弱性診断の結果"
      #     status: ${{ job.status }}
      #     color: ${{ job.status == 'success' && '0x00FF00' || '0xFF0000' }}
      #     url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"