.github/workflows/security.yml

name: Security-check

on:
  push:
    branches:
      - main
    paths:
      - "**.py"
      - ".github/workflows/*.yml"

jobs:
  Security-check:
    runs-on: ubuntu-latest
    strategy:
      max-parallel: 1
      matrix:
        python-version: [3.8]

    steps:
      - uses: actions/checkout@v2

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v2
        with:
          python-version: ${{ matrix.python-version }}
      - name: Upgrade pip
        run: |
          pip install --upgrade --user pip
      - name: Get pip cache dir
        id: pip-cache
        run: |
          echo "::set-output name=dir::$(pip cache dir)"
      - name: pip cache
        uses: actions/cache@v2
        with:
          path: ${{ steps.pip-cache.outputs.dir }}
          key: ${{ runner.os }}-pip-py${{ matrix.python-version }}-${{ hashFiles('**/requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-py${{ matrix.python-version }}-
      - name: Install dependencies
        run: |
          hash -r
          pip install -r requirements.dev.txt
          pip install -e .

      - id: file_changes  # get changed files.
        uses: trilom/file-changes-action@v1.2.3
        with:
          output: ' '

      - uses: pre-commit/action@v2.0.0
        with:
          extra_args: --files ${{ steps.file_changes.outputs.files}}  # apply only to changed files.

      - name: Scan for security issues
        run: |
          bandit -r src
          safety check

      - name: Snyk security check
        uses: snyk/actions/python-3.8@master
        env:
          SNYK_TOKEN: ${{secrets.SNYK_TOKEN}}
        with:
          args: --skip-unresolved