Merge branch 'safety-only-with-api-key' into 'master'

Safety only with API key See merge request fdroid/fdroidserver!1514
2024-11-10 17:30:11 +01:00 · 2024-09-09 15:52:46 +00:00 · 2024-09-09 15:52:46 +00:00 · 72a0ad81b8
commit 72a0ad81b8
parent adf9dcb93e b669ce654d
2 changed files with 11 additions and 8 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -262,18 +262,21 @@ lint_format_bandit_checks:
 # so important to scan that kind of install in CI.
 # https://docs.safetycli.com/safety-docs/installation/gitlab
 safety:
-  only:
-    changes:
-      - .gitlab-ci.yml
-      - .safety-policy.yml
-      - pyproject.toml
-      - setup.py
  image: debian:bookworm-slim
+  rules:
+    # once only:/changes: are ported to rules:, this could be removed:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "push" && $SAFETY_API_KEY
+      changes:
+        - .gitlab-ci.yml
+        - .safety-policy.yml
+        - pyproject.toml
+        - setup.py
  <<: *apt-template
  variables:
    LANG: C.UTF-8
  script:
-    - test -n "$SAFETY_API_KEY" || exit 0
    - apt-get install
        fdroidserver
        python3-biplist
--- a/.safety-policy.yml
+++ b/.safety-policy.yml
@ -39,7 +39,7 @@ report:
          reason: We get these packages from Debian, zipp is not used in production, and its only a DoS.
          expires: '2026-08-31'
        72236:
-          reason: setuptools comes from Debian
+          reason: setuptools is not used in production to download or install packages, they come from Debian.
          expires: '2026-08-31'

 fail-scan-with-exit-code: