fix(ci): audit only project deps in pip-audit, not runner environment

Hustle · Hustle · commit 0b707939ca98 · 2026-03-26T18:24:38.000+01:00
pip-audit without -r flag audits the full runner environment, including
pre-installed packages like pygments that are not project dependencies.
This caused false positive security failures unrelated to webstatuspi.

Now audits only requirements.txt and requirements-dev.txt.
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -26,11 +26,11 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install pip-audit
-          # Install only the dependencies, not the local package
-          pip install PyYAML requests
 
       - name: Run pip-audit
-        run: pip-audit --strict --progress-spinner off
+        # Audit only project dependencies (requirements.txt), not the full runner environment.
+        # This avoids false positives from pre-installed system packages like pygments.
+        run: pip-audit --strict --progress-spinner off -r requirements.txt -r requirements-dev.txt
 
   codeql:
     runs-on: ubuntu-latest
