mirror of
https://github.com/anthropics/claude-cookbooks.git
synced 2025-10-06 01:00:28 +03:00
4c1f9af8c6
Remove nbqa in favor of ruff's native Jupyter support (v0.6.0+). Replace papermill with nbconvert due to uv dependency resolution issues. Also remove S105/S106 ignores to enforce better security practices. - Update pyproject.toml to use ruff v0.12.12 with native notebook support - Replace papermill with nbconvert for notebook execution - Remove nbqa from all dependencies and pre-commit hooks - Update GitHub Actions workflows to use ruff directly - Remove hardcoded password ignores for better security - Update documentation to reflect simplified setup - Add dummy package structure for hatchling build system 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
32 lines
839 B
YAML
32 lines
839 B
YAML
name: Security Scan
|
|
|
|
on:
|
|
pull_request:
|
|
types: [opened, synchronize]
|
|
push:
|
|
branches: [main]
|
|
schedule:
|
|
- cron: '0 0 * * MON' # Weekly scan
|
|
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
|
|
jobs:
|
|
secret-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Run Gitleaks
|
|
uses: gitleaks/gitleaks-action@v2
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Check for hardcoded secrets in notebooks
|
|
run: |
|
|
! grep -r "sk-ant-" skills/ --include="*.ipynb" || \
|
|
(echo "❌ Found potential API key in notebook" && exit 1)
|
|
|
|
grep -r "os.environ\|getenv" skills/ --include="*.ipynb" || \
|
|
echo "⚠️ No environment variable usage found - ensure API keys are not hardcoded" |