FileNotFoundError: [WinError 2] The system cannot find the file specified

[tov101]

Current behavior

I've tried a lot of combinations with this action, and I honestly don't figure out how to configure it properly.

If I'm using virtual-environment without local I get:

D:\Tools\actions-runner\_work\_tool\Python\3.12.10\x64\python.exe: No module named pip_audit`

Why isn't just activating the environment and install package inside it and run?

If I add local: true, or I'm using configuration from below:

      - name: Install Python Packages
        run: |
          python -m pip install --upgrade pip
          pip install pip-audit tox

      - name: Security checks
        run: |
          tox run -e security

      - name: Pip Audit
        env:
          PIPAPI_PYTHON_LOCATION: .tox/security
        uses: pypa/gh-action-pip-audit@v1.1.0
        with:
          virtual-environment: .tox/security/
          index-url: http://iasp026a.cw01.contiwan.com:9000
          extra-index-urls: https://pypi.python.org/simple

I get the following traceback:

Run # NOTE: Sourced, not executed as a script.

Name | Skip Reason
--- | ---
github-publish | Dependency not found on PyPI and could not be audited: github-publish (1.0.2)

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_audit\__main__.py", line 6, in <module>
    from pip_audit._cli import audit
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_audit\_cli.py", line 18, in <module>
    from pip_audit._audit import AuditOptions, Auditor
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_audit\_audit.py", line 11, in <module>
    from pip_audit._dependency_source import DependencySource
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_audit\_dependency_source\__init__.py", line 5, in <module>
    from .interface import (
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_audit\_dependency_source\interface.py", line 11, in <module>
    from pip_audit._fix import ResolvedFixVersion
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_audit\_fix.py", line 14, in <module>
    from pip_audit._service import (
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_audit\_service\__init__.py", line 14, in <module>
    from .osv import OsvService
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_audit\_service\osv.py", line 15, in <module>
    from pip_audit._cache import caching_session
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_audit\_cache.py", line 16, in <module>
    import pip_api
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_api\__init__.py", line 9, in <module>
    PIP_VERSION: Version = packaging_version.parse(version())  # type: ignore
                                                   ^^^^^^^^^
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_api\_version.py", line 5, in version
    result = call("--version")
             ^^^^^^^^^^^^^^^^^
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\site-packages\pip_api\_call.py", line 9, in call
    result = subprocess.check_output(
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\subprocess.py", line 466, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\subprocess.py", line 548, in run
    with Popen(*popenargs, **kwargs) as process:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\subprocess.py", line 1026, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "D:\tools\actions-runner\_work\_tool\Python\3.12.10\x64\Lib\subprocess.py", line [153](https://github.geo.conti.de/C-Test-Iasi/DAXil/actions/runs/1031644/job/13427235#step:6:156)8, in _execute_child
    hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [WinError 2] The system cannot find the file specified

Expected behavior

I guess I would need support first to configure properly the action.
I expect after that to have all packages that are installed in my venv to be audited.

Steps to reproduce

Any of these configs leads to the same traceaback:

      - name: Install Python Packages
        run: |
          python -m pip install --upgrade pip
          pip install pip-audit tox

      - name: Security checks
        run: |
          tox run -e security

      - name: Pip Audit
        env:
          PIPAPI_PYTHON_LOCATION: .tox/security
        uses: pypa/gh-action-pip-audit@v1.1.0
        with:
          virtual-environment: .tox/security/

or

      - name: Install Python Packages
        run: |
          python -m pip install --upgrade pip
          pip install tox

      - name: Security checks
        run: |
          tox run -e security

      - name: Pip Audit
        env:
          PIPAPI_PYTHON_LOCATION: .tox/security
        uses: pypa/gh-action-pip-audit@v1.1.0
        with:
          local: true
          virtual-environment: .tox/security/

Relevant context

Unfortunately I could not provide any link because I'm executing this workflow on internal github.
But simply I would need to audit the packages that are installed on a venv. Packages installed on this venv, can be public on pypi or internal.

[woodruffw]

Hi @tov101, thanks for opening an issue. I'll be able to triage this later today.

[tov101]

Any feedback on this topic?