PR #12681 removed the audit entirely because it fired on nearly every PR
(Dockerfile edits, dependency bumps, Actions version strings, plain
base64 usage, etc.) — reviewers were ignoring it like cancer warnings.
Restore it with aggressive scope reduction:
Kept (real attack signatures):
- .pth file additions (litellm-attack mechanism)
- base64 decode + exec/eval on the same line
- subprocess with base64/hex/chr-encoded command argument
- install-hook files (setup.py, sitecustomize.py, usercustomize.py,
__init__.pth)
Removed (low-signal noise that fired constantly):
- plain base64 encode/decode
- plain exec/eval
- outbound requests.post / httpx.post / urllib
- CI/CD workflow file edits
- Dockerfile / compose edits
- pyproject.toml / requirements.txt edits
- GitHub Actions version-tag unpinning
- marshal / pickle / compile usage
Also gates the workflow itself on path filters so it only runs on PRs
touching Python or install-hook files — no more firing on docs/CI PRs.
The workflow still fails the check and posts a PR comment on
critical findings, but by design those findings are now rare and
worth inspecting when they occur.
- Docker build only triggers on main push (code/config changes) and
releases, no longer on every PR
- Tests skip markdown-only and docs-only changes
- Remove supply-chain-audit workflow
The GITHUB_TOKEN for fork PRs is read-only — gh pr comment fails with
'Resource not accessible by integration'. This caused the supply chain
scan to show a red X on every fork PR even when no findings were detected.
The scan itself still runs and the 'Fail on critical findings' step
still exits 1 on real issues. Only the comment posting is gracefully
skipped for fork PRs.
Closes#6679
Co-authored-by: SHL0MS <SHL0MS@users.noreply.github.com>
