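---
# Security Audit workflow.
#
# Two independent jobs:
#   - audit:  installs the locked dependency tree and runs `pnpm audit`
#             (high/critical threshold), writing a summary to the job page;
#             on scheduled/manual runs it also lists outdated packages.
#   - codeql: runs CodeQL static analysis for JavaScript/TypeScript.
#
# Actions are referenced by major-version tag (`@v4`, `@v3`). Pinning each
# `uses:` to a full commit SHA is the stronger supply-chain posture, since a
# tag can be moved; the tags are kept here because the project uses them.
name: Security Audit

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run every Monday at 9:00 AM UTC
    - cron: "0 9 * * 1"
  workflow_dispatch:

jobs:
  audit:
    name: Security Audit
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the repository and appends to the
    # step summary, so the default (broader) token permissions are not needed.
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: "10.25.0"

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: "pnpm"

      - name: Install dependencies
        # --frozen-lockfile refuses to resolve anything not already in the
        # lockfile, so the audited tree is exactly the committed one.
        run: pnpm install --frozen-lockfile

      - name: Run security audit
        run: |
          # The default `run` shell is `bash -e` without `pipefail`, so the
          # status of `pnpm audit ... | tee` is tee's (always 0) and the
          # failure branch below would never be taken. With pipefail the
          # pipeline reports the exit status of `pnpm audit` itself.
          set -o pipefail

          echo "## 🔒 Security Audit Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"

          # Run audit and capture output (tee keeps it visible in the log
          # while saving it for the summary).
          if pnpm audit --audit-level=high 2>&1 | tee audit-output.txt; then
            echo "✅ No high or critical vulnerabilities found!" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "⚠️ Vulnerabilities detected. See details below." >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"
            cat audit-output.txt >> "$GITHUB_STEP_SUMMARY"
            echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"
            # Fail the workflow for high/critical vulnerabilities
            exit 1
          fi

      - name: Check for outdated packages
        # Informational only; runs on the weekly schedule and on manual
        # dispatch, not on every push/PR.
        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
        run: |
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "## 📦 Outdated Packages" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"
          # `pnpm outdated` exits non-zero when anything is outdated; this
          # step must not fail the job, hence `|| true`. Output is capped
          # so a large workspace cannot bloat the summary.
          pnpm outdated --recursive 2>&1 | head -100 >> "$GITHUB_STEP_SUMMARY" || true
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"

  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    # security-events: write is required to upload SARIF results to code
    # scanning; actions/contents read are the minimum for checkout/analysis.
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-and-quality

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"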