name: Security Audit on: # Run on every push to main/master push: branches: - main - master # Run on all pull requests pull_request: # Run daily at 9 AM UTC schedule: - cron: "0 9 * * *" # Allow manual trigger workflow_dispatch: jobs: security-audit: name: Security Vulnerability Audit runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: "22" - name: Setup pnpm uses: pnpm/action-setup@v4 with: version: "10.25.0" - name: Get pnpm store directory id: pnpm-cache shell: bash run: | echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT - name: Setup pnpm cache uses: actions/cache@v4 with: path: ${{ steps.pnpm-cache.outputs.STORE_PATH }} key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} restore-keys: | ${{ runner.os }}-pnpm-store- - name: Install dependencies run: pnpm install --frozen-lockfile - name: Run security audit id: audit run: | # Run audit and capture exit code pnpm audit --audit-level=high || echo "AUDIT_FAILED=true" >> $GITHUB_OUTPUT # Generate detailed report pnpm audit --json > audit-report.json || true - name: Parse audit results if: steps.audit.outputs.AUDIT_FAILED == 'true' run: | echo "⚠️ Security vulnerabilities detected!" echo "Please review the audit report and update vulnerable packages." pnpm audit exit 1 - name: Upload audit report if: always() uses: actions/upload-artifact@v4 with: name: security-audit-report path: audit-report.json retention-days: 30 dependency-review: name: Dependency Review runs-on: ubuntu-latest # Only run on pull requests if: github.event_name == 'pull_request' steps: - name: Checkout code uses: actions/checkout@v4 - name: Dependency Review uses: actions/dependency-review-action@v4 with: fail-on-severity: high deny-licenses: GPL-2.0, GPL-3.0 codeql-analysis: name: CodeQL Security Analysis runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write strategy: fail-fast: false matrix: language: ["javascript", "typescript"] steps: - name: Checkout code uses: actions/checkout@v4 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} queries: security-and-quality - name: Autobuild uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" outdated-dependencies: name: Check Outdated Dependencies runs-on: ubuntu-latest # Only run on schedule or manual trigger if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' steps: - name: Checkout code uses: actions/checkout@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: "22" - name: Setup pnpm uses: pnpm/action-setup@v4 with: version: "10.25.0" - name: Check for outdated dependencies run: | pnpm outdated --recursive || true pnpm outdated --recursive > outdated-report.txt || true - name: Upload outdated report uses: actions/upload-artifact@v4 with: name: outdated-dependencies-report path: outdated-report.txt retention-days: 7 - name: Create issue for outdated dependencies if: github.event_name == 'schedule' uses: actions/github-script@v7 with: script: | const fs = require('fs'); const report = fs.readFileSync('outdated-report.txt', 'utf8'); if (report.trim()) { await github.rest.issues.create({ owner: context.repo.owner, repo: context.repo.repo, title: `Outdated Dependencies Report - ${new Date().toISOString().split('T')[0]}`, body: `## 📦 Outdated Dependencies Report\n\nThe following dependencies are outdated:\n\n\`\`\`\n${report}\n\`\`\`\n\nPlease review and update as needed.`, labels: ['dependencies', 'security'] }); }