Update dependency dev/pytest-cov to v5 #1285

	name: CVE Scan

	on:
	push:
	# Workflows triggered by Dependabot on the "push" event run with read-only access.
	# Uploading Code Scanning results requires write access. We therefore only use the
	# "pull_request" trigger for Dependabot branches.
	branches-ignore:
	- 'dependabot/**'
	pull_request:
	types:
	- opened
	- reopened
	- synchronize
	schedule:
	- cron: '0 0 * * *'
	workflow_dispatch:

	jobs:
	scan:
	runs-on: ubuntu-latest
	timeout-minutes: 10
	steps:
	- name: Checkout repo
	uses: actions/checkout@v4
	with:
	fetch-depth: 1

	- name: Cache requirements
	uses: actions/cache@v4
	env:
	cache-name: cache-requirements
	with:
	path: ~/.cache/pip
	key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }}
	restore-keys: \|
	${{ env.cache-name }}-

	- name: Cache environment
	uses: actions/cache@v4
	env:
	cache-name: cache-environment
	with:
	path: ~/.cache/pip
	key: ${{ env.cache-name }}-${{ hashFiles('*.lock') }}
	restore-keys: \|
	${{ env.cache-name }}-

	- name: Setup python
	uses: actions/setup-python@v5
	with:
	python-version: 3.11

	- name: Install requirements
	run: make setup

	- name: Export dependencies
	run: \|
	mkdir --parents pdm
	pdm export-all > pdm/requirements.txt

	- name: Run trivy
	uses: aquasecurity/trivy-action@master
	with:
	format: 'sarif'
	list-all-pkgs: 'true'
	output: 'trivy-results.sarif'
	scan-ref: '.'
	scan-type: 'fs'
	severity: 'MEDIUM,HIGH,CRITICAL'

	- name: Publish results
	uses: github/codeql-action/upload-sarif@v3
	if: always()
	with:
	sarif_file: 'trivy-results.sarif'

Provide feedback