ci: fix pip-audit — restore --local, explicitly ignore pip's own CVE

-r requirements.txt causes pip-audit to spawn an internal venv which calls ensurepip, failing with exit 127 on the standalone Python build. --local avoids the venv. CVE-2026-3219 is in pip itself (not our deps) so we ignore it explicitly with --ignore-vuln. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-26 15:46:16 -04:00
parent 407e66e499
commit 8effb24761
1 changed files with 6 additions and 3 deletions
@@ -60,12 +60,15 @@ jobs:
          # Debian Bullseye only ships Python 3.9; use a prebuilt standalone binary
          curl -sSL "https://github.com/indygreg/python-build-standalone/releases/download/20241002/cpython-3.10.15+20241002-x86_64-unknown-linux-gnu-install_only.tar.gz" \
            | tar -xz -C /opt
+          # Install bot deps + pip-audit into the same env; --local below avoids
+          # pip-audit creating an internal venv (ensurepip fails on standalone builds)
          /opt/python/bin/pip install --upgrade pip setuptools
-          /opt/python/bin/pip install pip-audit
+          /opt/python/bin/pip install pip-audit -r matrixbot/requirements.txt

      - name: Audit matrixbot dependencies
-        # Audit only our declared dependencies, not pip-audit itself or pip
-        run: /opt/python/bin/pip-audit -r matrixbot/requirements.txt
+        # --local scans the env without spawning a venv (required for standalone Python)
+        # CVE-2026-3219 is in pip itself, not our code — ignore it explicitly
+        run: /opt/python/bin/pip-audit --local --ignore-vuln CVE-2026-3219

  secret-scan:
    name: Secret scan (gitleaks)