540c0ba10c
- Upgraded `@eslint/js` and `eslint` to version 9.39.2 for improved linting capabilities. - Updated `zod` to version 4.2.0 in various dependencies to ensure compatibility and access to the latest features. - Standardized quotes in `pnpm-lock.yaml` and `pnpm-workspace.yaml` for consistency. - Removed obsolete `~$MPLETE-GUIDE.docx` file from the documentation directory.
174 lines
4.7 KiB
YAML
174 lines
4.7 KiB
YAML
name: Security Audit
|
|
|
|
on:
|
|
# Run on every push to main/master
|
|
push:
|
|
branches:
|
|
- main
|
|
- master
|
|
# Run on all pull requests
|
|
pull_request:
|
|
# Run daily at 9 AM UTC
|
|
schedule:
|
|
- cron: "0 9 * * *"
|
|
# Allow manual trigger
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
security-audit:
|
|
name: Security Vulnerability Audit
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: "22"
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@v4
|
|
with:
|
|
version: "10.25.0"
|
|
|
|
- name: Get pnpm store directory
|
|
id: pnpm-cache
|
|
shell: bash
|
|
run: |
|
|
echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
|
|
|
|
- name: Setup pnpm cache
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
|
|
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-pnpm-store-
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Run security audit
|
|
id: audit
|
|
run: |
|
|
# Run audit and capture exit code
|
|
pnpm audit --audit-level=high || echo "AUDIT_FAILED=true" >> $GITHUB_OUTPUT
|
|
|
|
# Generate detailed report
|
|
pnpm audit --json > audit-report.json || true
|
|
|
|
- name: Parse audit results
|
|
if: steps.audit.outputs.AUDIT_FAILED == 'true'
|
|
run: |
|
|
echo "⚠️ Security vulnerabilities detected!"
|
|
echo "Please review the audit report and update vulnerable packages."
|
|
pnpm audit
|
|
exit 1
|
|
|
|
- name: Upload audit report
|
|
if: always()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: security-audit-report
|
|
path: audit-report.json
|
|
retention-days: 30
|
|
|
|
dependency-review:
|
|
name: Dependency Review
|
|
runs-on: ubuntu-latest
|
|
# Only run on pull requests
|
|
if: github.event_name == 'pull_request'
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Dependency Review
|
|
uses: actions/dependency-review-action@v4
|
|
with:
|
|
fail-on-severity: high
|
|
deny-licenses: GPL-2.0, GPL-3.0
|
|
|
|
codeql-analysis:
|
|
name: CodeQL Security Analysis
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
security-events: write
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
language: ["javascript", "typescript"]
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@v3
|
|
with:
|
|
languages: ${{ matrix.language }}
|
|
queries: security-and-quality
|
|
|
|
- name: Autobuild
|
|
uses: github/codeql-action/autobuild@v3
|
|
|
|
- name: Perform CodeQL Analysis
|
|
uses: github/codeql-action/analyze@v3
|
|
with:
|
|
category: "/language:${{matrix.language}}"
|
|
|
|
outdated-dependencies:
|
|
name: Check Outdated Dependencies
|
|
runs-on: ubuntu-latest
|
|
# Only run on schedule or manual trigger
|
|
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: "22"
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@v4
|
|
with:
|
|
version: "10.25.0"
|
|
|
|
- name: Check for outdated dependencies
|
|
run: |
|
|
pnpm outdated --recursive || true
|
|
pnpm outdated --recursive > outdated-report.txt || true
|
|
|
|
- name: Upload outdated report
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: outdated-dependencies-report
|
|
path: outdated-report.txt
|
|
retention-days: 7
|
|
|
|
- name: Create issue for outdated dependencies
|
|
if: github.event_name == 'schedule'
|
|
uses: actions/github-script@v7
|
|
with:
|
|
script: |
|
|
const fs = require('fs');
|
|
const report = fs.readFileSync('outdated-report.txt', 'utf8');
|
|
|
|
if (report.trim()) {
|
|
await github.rest.issues.create({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
title: `Outdated Dependencies Report - ${new Date().toISOString().split('T')[0]}`,
|
|
body: `## 📦 Outdated Dependencies Report\n\nThe following dependencies are outdated:\n\n\`\`\`\n${report}\n\`\`\`\n\nPlease review and update as needed.`,
|
|
labels: ['dependencies', 'security']
|
|
});
|
|
}
|