
ci: Add pip-audit security scanner #268

Merged (1 commit), Apr 23, 2024

Conversation

mansenfranzen (Owner) commented Apr 23, 2024

Type

enhancement, tests


Description

  • Renamed workflows to more descriptive titles for clarity.
  • Introduced security scanning in test workflows to enhance security checks.
  • Added pip-audit as a new dependency for security vulnerability scanning.
  • Configured new test environments in tox.ini for running security scans.

Changes walkthrough

Relevant files

Enhancement

pr-agent.yml: Rename PR Agent Workflow
.github/workflows/pr-agent.yml (+1/-1)
  • Renamed workflow to "AGENT: Pull request and issue AI agent".

release-please.yml: Rename Release Workflow
.github/workflows/release-please.yml (+1/-1)
  • Renamed workflow to "RELEASE: Changelog Update, Tagging, and PyPI Upload".

pyproject.toml: Add Security Dependencies and Configuration
pyproject.toml (+5/-0)
  • Added pip-audit as an optional security dependency.
  • Added a new security extras section.

Tests

tests-push-pr.yml: Update Test Workflow and Add Security Scanning
.github/workflows/tests-push-pr.yml (+17/-1)
  • Renamed workflow to "TESTS: Push/Pull".
  • Added a new job for security scanning with different configurations.

tests-scheduled.yml: Update Scheduled Test Workflow and Add Security Scanning
.github/workflows/tests-scheduled.yml (+17/-1)
  • Renamed workflow to "TESTS: Scheduled".
  • Added a new security scanning job scheduled to run with different configurations.

tox.ini: Configure Security Scanning Environments
tox.ini (+14/-1)
  • Added new security-scan-{lib,dev} environments.
  • Defined new test environments for security scanning.


    @mansenfranzen merged commit 0be2710 into main Apr 23, 2024
    42 checks passed
    @mansenfranzen deleted the add_pip_audit_security_scanning branch April 23, 2024 12:37
    @github-actions bot added the enhancement (New feature or request) and tests labels Apr 23, 2024

    Contributor commented:

    PR Description updated to latest commit (eee8edd)

    Contributor commented:

    PR Review

    ⏱️ Estimated effort to review [1-5]

    2, because the PR involves straightforward changes such as renaming workflows, adding dependencies, and configuring test environments. The changes are well-documented and structured, making it easier to review.

    🧪 Relevant tests

    Yes

    🔍 Possible issues

    Possible Bug: In the tox.ini file, the security-scan{lib,dev} environment might not correctly handle the scandev extras due to a typo. It should be scan-dev to match the environment names.

    🔒 Security concerns

    No

    Code feedback:

    relevant file: .github/workflows/tests-push-pr.yml
    suggestion: Consider adding a step to cache dependencies in the security-scan job to improve the speed of the workflow. This can be done using the actions/cache GitHub Action. [important]
    relevant line: - name: Setup Test Environment and Run Tox

    relevant file: .github/workflows/tests-scheduled.yml
    suggestion: Ensure consistency in the naming of the tox-environment for the security-scan job. The environment name should be security-scan-${{ matrix.scan }} to match the matrix strategy. [important]
    relevant line: tox-environment: security-scan-${{ matrix.scan }}

    relevant file: tox.ini
    suggestion: Correct the environment extras for security-scan{lib,dev} to ensure proper conditional inclusion of extras based on the environment. Use scan-dev instead of scandev. [important]
    relevant line: scandev: test

    relevant file: pyproject.toml
    suggestion: Specify a more precise version range for pip-audit to avoid potential compatibility issues with future major releases. For example, use ^2.7.2 to ^2.x.x. [medium]
    relevant line: pip-audit = { version = "^2.7.2", optional = true }



    @github-actions bot mentioned this pull request Apr 23, 2024

    Contributor commented:

    PR Code Suggestions

    Category: Bug
    Correct the interpolation of the matrix variable in the tox-environment to match the defined environments.

    The tox-environment variable in the with block should correctly interpolate the matrix
    variable for the security scan. Replace security-scan${{ matrix.scan }} with
    security-scan-${{ matrix.scan }} to match the environment names defined in tox.ini.

    .github/workflows/tests-push-pr.yml [139]

    -tox-environment: security-scan${{ matrix.scan }}
    +tox-environment: security-scan-${{ matrix.scan }}
     
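    Review bot: the `-` line shows the value without a hyphen (`security-scan${{ matrix.scan }}`), but the same file's step as quoted under the Best practice suggestion ([136-140]) already reads `tox-environment: security-scan-${{ matrix.scan }}`, and the PR Review's relevant line for tests-scheduled.yml shows the hyphenated form as well. Check the checked-in workflow before applying; if the hyphen is already present this suggestion is a no-op and should be dismissed rather than committed as a change.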
    Ensure consistent naming conventions in the tox-environment.

    Ensure consistent naming conventions in the tox-environment by using a hyphen instead of a
    colon for the security-scan environment. Replace security-scan-${{ matrix.scan }} with
    security-scan-{lib,app} to match the environment names defined in tox.ini.

    .github/workflows/tests-scheduled.yml [46]

    -tox-environment: security-scan-${{ matrix.scan }}
    +tox-environment: security-scan-{lib,app}
     
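    Review bot: the `+` line should be rejected: `security-scan-{lib,app}` drops the matrix expression and hard-codes a brace pattern, so every matrix job would pass the same string to invoke-tox, and `app` matches none of the suffixes in the `security-scan-{lib,dev}` envlist shown in the tox.ini suggestion. The original `security-scan-${{ matrix.scan }}` is the form that pairs one tox environment with one matrix entry; the stated rationale (a hyphen instead of a colon) describes a change this diff does not make.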
    Category: Enhancement
    Add missing environments to match those used in GitHub Actions workflows.

    Add missing environments for security-scan-lib and security-scan-dev in the tox.ini file
    to match the environments used in GitHub Actions workflows. This ensures that the correct
    environments are available for use.

    tox.ini [10]

    -security-scan-{lib,dev}
    +security-scan-lib
    +security-scan-dev
     
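    Review bot: the premise is wrong: `security-scan-{lib,dev}` is tox's generative envlist syntax and already expands to `security-scan-lib` and `security-scan-dev`, so the two `+` lines only spell out what the `-` line defined. Harmless if you prefer explicit names, but not a fix. If the real defect is the extras mapping the PR Review flags (`scandev: test`), it lives in the factor-conditional settings of the testenv section, not in the envlist: tox splits an environment name into factors on hyphens, so `security-scan-dev` has the factors `security`, `scan` and `dev`, and `scandev` is not one of them.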
    Category: Best practice
    Add a failure step to handle errors during the security scan.

    Add a failure step to handle errors gracefully during the security scan. This step should
    include error handling logic to provide feedback and potential remediation steps if the
    security scan fails.

    .github/workflows/tests-push-pr.yml [136-140]

     - name: Setup Test Environment and Run Tox
       uses: ./.github/actions/invoke-tox
       with:
         tox-environment: security-scan-${{ matrix.scan }}
         install-graphviz: true
    +  if: failure()
    +  run: echo "Security scan failed. Check logs for details."
     
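    Review bot: the two `+` lines make the step invalid rather than adding a failure handler: a step takes either `uses:` or `run:`, never both, so the workflow would fail validation before the scan runs, and `if: failure()` on the scanning step itself is evaluated before that step executes, so it cannot react to the scan's own result. Put the handling in a separate step that follows the scan, e.g. `- name: Report scan failure` with `if: failure()` and the `run:` line; uploading the pip-audit output as an artifact in that step would give reviewers more than an echo to act on.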
    Category: Performance
    Introduce caching for dependencies to improve build times and reduce bandwidth usage.

    Introduce caching for dependencies in the GitHub Actions workflow to improve build times
    and reduce bandwidth usage. This can be achieved by using the actions/cache action before
    setting up the test environment.

    .github/workflows/tests-scheduled.yml [40-41]

    +- name: Cache dependencies
    +  uses: actions/cache@v3
    +  with:
    +    path: ~/.cache/pip
    +    key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
    +    restore-keys: |
    +      ${{ runner.os }}-pip-
     - name: Checkout
       uses: actions/checkout@v4
     
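    Review bot: the cache step is inserted before `Checkout`, so `hashFiles('**/requirements.txt')` runs against an empty workspace, returns an empty string, and the key is identical on every run; a stale cache would be restored indefinitely. Move the step after `actions/checkout@v4`. The glob is also wrong for this repository: the PR declares pip-audit in pyproject.toml with a Poetry-style constraint (`pip-audit = { version = "^2.7.2", optional = true }`) and no requirements.txt appears anywhere in the change, so key on `pyproject.toml` (and the lock file, if one is committed) instead. With checkout already on `@v4`, consider `actions/cache@v4` as well.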

    ✨ Improve tool usage guide:

    Overview:
    The improve tool scans the PR code changes, and automatically generates suggestions for improving the PR code. The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on a PR.

    • When commenting, to edit configurations related to the improve tool (pr_code_suggestions section), use the following template:
    /improve --pr_code_suggestions.some_config1=... --pr_code_suggestions.some_config2=...
    
    [pr_code_suggestions]
    some_config1=...
    some_config2=...
    

    See the improve usage page for a comprehensive guide on using this tool.
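The Best practice suggestion above asks for a failure step that gives feedback and remediation steps when the security scan fails. The script below is an added example, not code from the PR, the project or pip-audit: it runs pip-audit in JSON mode inside the environment tox has set up, flattens the report into one finding per advisory, waives ids listed in a hypothetical `.pip-audit-ignore` file, and fails the job only when a finding has a published fix (or, with `--strict`, also when it has none). The JSON field names it reads (`dependencies`, `vulns`, `id`, `fix_versions`, `aliases`, `skip_reason`) are assumed to match pip-audit's format and are not taken from this page; the sample report and its advisory ids are constructed.

```python
"""Gate a CI job on pip-audit results and print a remediation summary.

Added example, not code from the project or pip-audit. ASSUMED (not on the
page): the JSON report shape read below ("dependencies" entries with "name",
"version", "vulns"; each vuln with "id", "fix_versions", "aliases"; skipped
packages with "skip_reason") and the ignore-list file ``.pip-audit-ignore``.
"""
from __future__ import annotations

import json
import subprocess
import sys
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str
    aliases: list[str] = field(default_factory=list)
    fix_versions: list[str] = field(default_factory=list)


def parse_report(report: dict) -> tuple[list[Finding], list[str]]:
    """Flatten the report into one Finding per advisory, plus the names of
    packages pip-audit could not audit (reported, never treated as clean)."""
    findings: list[Finding] = []
    skipped: list[str] = []
    for dep in report.get("dependencies", []):
        if "skip_reason" in dep:
            skipped.append(f"{dep['name']}: {dep['skip_reason']}")
            continue
        for vuln in dep.get("vulns", []):
            findings.append(Finding(dep["name"], dep["version"], vuln["id"],
                                    list(vuln.get("aliases", [])),
                                    list(vuln.get("fix_versions", []))))
    return findings, skipped


def evaluate(findings: list[Finding], ignore_ids: list[str],
             fail_on_unfixable: bool = False) -> tuple[int, list[str]]:
    """Return (exit_code, summary_lines). A finding is waived when its id or
    any alias is on the ignore list (case-insensitive); otherwise it blocks if
    upstream shipped a fix. Unfixed findings only fail under fail_on_unfixable."""
    ignore = {i.strip().upper() for i in ignore_ids if i.strip()}
    blocking, unfixable, waived = [], [], []
    for f in findings:
        ids = {f.vuln_id.upper(), *(a.upper() for a in f.aliases)}
        if ids & ignore:
            waived.append(f)
        elif f.fix_versions:
            blocking.append(f)
        else:
            unfixable.append(f)
    lines = [f"FAIL {f.package}=={f.version} {f.vuln_id}: upgrade to one of "
             f"{', '.join(f.fix_versions)}" for f in blocking]
    lines += [f"WARN {f.package}=={f.version} {f.vuln_id}: no fixed release yet"
              for f in unfixable]
    lines += [f"WAIVED {f.package}=={f.version} {f.vuln_id}" for f in waived]
    failed = bool(blocking) or (fail_on_unfixable and bool(unfixable))
    return (1 if failed else 0), lines


def run_pip_audit() -> dict:
    """Audit the interpreter's own environment (the tox env). pip-audit exits
    non-zero when it finds anything, so check=False; evaluate() decides."""
    proc = subprocess.run(
        [sys.executable, "-m", "pip_audit", "--format", "json", "--progress-spinner", "off"],
        capture_output=True, text=True, check=False)
    if not proc.stdout.strip():
        raise RuntimeError(f"pip-audit produced no report: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


# Constructed sample in the assumed shape; the ids are placeholders, not real
# advisories: one fixable, one fixable (waived in the usage below), one unfixed.
SAMPLE_REPORT = {"dependencies": [
    {"name": "pkg-a", "version": "1.0.0", "vulns": [{"id": "PYSEC-0000-EXAMPLE-1",
        "aliases": ["CVE-0000-00001"], "fix_versions": ["1.0.1"]}]},
    {"name": "pkg-b", "version": "2.3.0", "vulns": [{"id": "PYSEC-0000-EXAMPLE-2",
        "aliases": ["CVE-0000-00002"], "fix_versions": ["2.4.0", "3.0.0"]}]},
    {"name": "pkg-c", "version": "0.9.0", "vulns": [{"id": "PYSEC-0000-EXAMPLE-3",
        "aliases": [], "fix_versions": []}]},
    {"name": "local-pkg", "skip_reason": "not on PyPI"},
]}


def main(argv: list[str]) -> int:
    report = SAMPLE_REPORT if "--sample" in argv else run_pip_audit()
    ignore_file = Path(".pip-audit-ignore")  # hypothetical: one advisory id per line
    ignore = ignore_file.read_text().splitlines() if ignore_file.exists() else []
    findings, skipped = parse_report(report)
    code, lines = evaluate(findings, ignore, fail_on_unfixable="--strict" in argv)
    print("\n".join(lines + [f"SKIPPED {s}" for s in skipped]) or "no findings")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In the tox environment the script would run as the `commands` entry after pip-audit has been installed from the `security` extra; `python gate.py --sample` exercises the constructed report without invoking pip-audit, and the non-zero exit code is what makes the GitHub Actions step (and any following `if: failure()` step) react.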
