From 8effb247616f10cc9d5743e70287c84d37a671fd Mon Sep 17 00:00:00 2001 From: Jared Vititoe Date: Sun, 26 Apr 2026 15:46:16 -0400 Subject: [PATCH] =?UTF-8?q?ci:=20fix=20pip-audit=20=E2=80=94=20restore=20-?= =?UTF-8?q?-local,=20explicitly=20ignore=20pip's=20own=20CVE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -r requirements.txt causes pip-audit to spawn an internal venv which calls ensurepip, failing with exit 127 on the standalone Python build. --local avoids the venv. CVE-2026-3219 is in pip itself (not our deps) so we ignore it explicitly with --ignore-vuln. Co-Authored-By: Claude Sonnet 4.6 --- .gitea/workflows/lint.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml index 6966774..cf1d32d 100644 --- a/.gitea/workflows/lint.yml +++ b/.gitea/workflows/lint.yml @@ -60,12 +60,15 @@ jobs: # Debian Bullseye only ships Python 3.9; use a prebuilt standalone binary curl -sSL "https://github.com/indygreg/python-build-standalone/releases/download/20241002/cpython-3.10.15+20241002-x86_64-unknown-linux-gnu-install_only.tar.gz" \ | tar -xz -C /opt + # Install bot deps + pip-audit into the same env; --local below avoids + # pip-audit creating an internal venv (ensurepip fails on standalone builds) /opt/python/bin/pip install --upgrade pip setuptools - /opt/python/bin/pip install pip-audit + /opt/python/bin/pip install pip-audit -r matrixbot/requirements.txt - name: Audit matrixbot dependencies - # Audit only our declared dependencies, not pip-audit itself or pip - run: /opt/python/bin/pip-audit -r matrixbot/requirements.txt + # --local scans the env without spawning a venv (required for standalone Python) + # CVE-2026-3219 is in pip itself, not our code — ignore it explicitly + run: /opt/python/bin/pip-audit --local --ignore-vuln CVE-2026-3219 secret-scan: name: Secret scan (gitleaks)