.gitea/workflows/pr-check.yml

@@ -1,10 +1,12 @@
 name: PR Checks
 
 on:
-  push:
-    branches: ['**']
   pull_request:
-    branches: ['**']
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -90,15 +92,24 @@ jobs:
         env:
           UV_NO_PROGRESS: "1"
         run: |
-          uv pip compile pyproject.toml --no-dev -o requirements-prod.txt && uv run pip-audit --format json --output audit-results.json -r requirements-prod.txt && test ! -s audit-results.json || test "$(cat audit-results.json)" = "[]"
-      
-      - name: Upload audit log
-        uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: security-audit
-          path: audit-results.json
-          retention-days: 7
+          echo "Running pip-audit on production dependencies..."
+          # Audit only production dependencies (exclude dev)
+          uv pip compile pyproject.toml --no-dev -o requirements-prod.txt
+          uv run pip-audit --format json --output audit-results.json -r requirements-prod.txt || true
+          
+          # Parse and display results
+          if [ -s audit-results.json ] && [ "$(cat audit-results.json)" != "[]" ]; then
+            echo "❌ Found vulnerabilities in production dependencies:"
+            uv run python -c "
+import json
+data = json.load(open('audit-results.json'))
+for vuln in data:
+    print(f\"  - {vuln.get('name', 'unknown')} {vuln.get('version', '')}: {vuln.get('id', '')}\")
+"
+            exit 1
+          else
+            echo "✅ No vulnerabilities in production dependencies"
+          fi
       
       - name: Check for secrets
         run: |