From cb8a8a06d766e3d6dbfd6e8020852993e4f760f1 Mon Sep 17 00:00:00 2001
From: Khaled Salhab
Date: Wed, 6 May 2026 20:45:08 +0300
Subject: [PATCH] ci: audit runtime deps only in publish workflow

The 1.6.0 publish run failed at the pip-audit step on two CVEs in `pip` itself, even though `pip` is not a runtime dependency of the published `hyperping` wheel. The root cause was that pip-audit was scanning the entire venv (which uv populates with build/dev tooling including pip) instead of the dependency closure that users actually install.

Switch the publish-time audit to operate on a freshly exported runtime-only requirements file (`uv export --no-dev --no-emit-project`). This audits exactly what `pip install hyperping` would resolve to, and silences env-only noise without ignoring real CVE IDs.

Local check:

$ uv export --no-dev --no-emit-project --no-hashes \
    --format requirements.txt -o /tmp/req.txt
$ uv run pip-audit -r /tmp/req.txt
No known vulnerabilities found

ci.yml's audit step is `continue-on-error: true` and is unaffected; can be tightened the same way in a follow-up.
---
 .github/workflows/publish.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index fcd7597..7b0befa 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,8 +16,17 @@ jobs:
 - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 with: { python-version: "3.12" }
 - run: uv sync --all-extras
- - name: Audit dependencies
- run: uv run pip-audit
+ - name: Audit runtime dependencies
+ # Audit the runtime dependency closure (what users actually install
+ # via `pip install hyperping`), not the full venv. The venv contains
+ # build/dev tooling such as `pip` itself which is not shipped in the
+ # wheel; auditing the env conflates "vulnerabilities in our package"
+ # with "vulnerabilities in CI tooling" and produces release-blocking
+ # noise for CVEs that don't reach users.
+ run: |
+ uv export --no-dev --no-emit-project --no-hashes \
+ --format requirements.txt -o /tmp/runtime-requirements.txt
+ uv run pip-audit -r /tmp/runtime-requirements.txt
 - run: uv run pytest
 - run: uv build