Skip to content

cuda_core: add "10 minutes to cuda.core" tutorial to docs #4386

cuda_core: add "10 minutes to cuda.core" tutorial to docs

cuda_core: add "10 minutes to cuda.core" tutorial to docs #4386

Workflow file for this run

# SPDX-FileCopyrightText: Copyright (c) 2024-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
#
# SPDX-License-Identifier: Apache-2.0
name: "Static Analysis: Bandit Scan"
on:
push:
branches:
- "pull-request/[0-9]+"
- "ctk-next"
- "main"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
cancel-in-progress: true
jobs:
analyze:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Install uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: false
- name: Get ignore codes
id: ignore-codes
# This are computed so that we can run only the `S` (bandit)
# checks. Passing --select to ruff overrides any config files
# (ruff.toml, pyproject.toml, etc), so to avoid having keep everything
# in sync we grab them from the TOML programmatically
run: |
set -euxo pipefail
echo "codes=$(uvx toml2json ./ruff.toml | jq -r '.lint.ignore | map(select(test("^S\\d+"))) | join(",")')" >> "$GITHUB_OUTPUT"
- name: Perform Bandit Analysis using Ruff
uses: astral-sh/ruff-action@0ce1b0bf8b818ef400413f810f8a11cdbda0034b # v4.0.0
with:
args: "check --select S --ignore ${{ steps.ignore-codes.outputs.codes }} --output-format sarif --output-file results.sarif"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: results.sarif