barsa b1ff1e8fd3 Refactor GitHub Workflows to Consolidate Node and pnpm Setup
- Unified Node.js and pnpm setup across deploy, pr-checks, and security workflows by introducing a custom action for streamlined configuration.
- Removed redundant setup steps to enhance workflow clarity and maintainability.
- Updated security workflow to include concurrency control for better job management.
2025-12-25 19:01:00 +09:00


---
name: Security Audit

on:  # yamllint disable-line rule:truthy
  # Every push to the default branches
  push:
    branches:
      - main
      - master
  # Every pull request, regardless of target branch
  pull_request:
  # Daily at 09:00 UTC (quoted so the cron expression stays a string)
  schedule:
    - cron: "0 9 * * *"
  # Manual trigger from the Actions tab
  workflow_dispatch:

# One active run per workflow and ref; a newer run on the same ref cancels the
# older one. Note this also lets a scheduled run on a branch cancel a push run
# on that same branch, since both share the ref-keyed group.
concurrency:
  group: security-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
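jobs:
  # Every job declares its own GITHUB_TOKEN permissions so that a job only
  # holds the scopes it actually uses, independent of the repository default.
  # Third-party actions are referenced by major-version tag; pinning each one
  # to a full-length commit SHA would further harden the supply chain.
  security-audit:
    name: Security Vulnerability Audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node & pnpm
        uses: ./.github/actions/setup-node-pnpm

      - name: Install dependencies
        # --frozen-lockfile refuses to resolve anything the lockfile does not
        # already pin, so the tree being audited is exactly the committed one.
        run: pnpm install --frozen-lockfile

      - name: Run security audit
        # Project script (defined in package.json); this is the step whose
        # exit status decides whether the job fails.
        run: pnpm security:check

      - name: Generate audit report (JSON)
        # Runs even when the audit step failed. `pnpm audit` exits non-zero
        # when it finds advisories, so the status is ignored: the report is
        # best-effort and must not change the job's outcome.
        if: always()
        run: pnpm audit --json > audit-report.json || true

      - name: Upload audit report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-audit-report
          path: audit-report.json
          retention-days: 30

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    # The action diffs the PR's dependency manifests against the base, so it
    # only makes sense on pull requests.
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check on newly introduced high/critical advisories;
          # lower severities are reported but do not block the PR.
          fail-on-severity: high
          # Comma-separated SPDX identifiers that fail the review when a
          # dependency under one of these licenses is introduced.
          deny-licenses: GPL-2.0, GPL-3.0

  codeql-analysis:
    name: CodeQL Security Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      # Needed to upload SARIF results to code scanning.
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-and-quality

      - name: Setup Node & pnpm
        uses: ./.github/actions/setup-node-pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Build (for better CodeQL extraction)
        # NOTE(review): the JavaScript/TypeScript extractor analyses source
        # files, so this build may not change the results — confirm before
        # keeping it, as it extends the job's runtime.
        run: pnpm build

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"

  outdated-dependencies:
    name: Check Outdated Dependencies
    runs-on: ubuntu-latest
    # Only run on schedule or manual trigger
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    permissions:
      contents: read
      # github.rest.issues.create in the last step needs write access to
      # issues; with a read-only default token that step would otherwise fail.
      issues: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node & pnpm
        uses: ./.github/actions/setup-node-pnpm

      - name: Check for outdated dependencies
        # `pnpm outdated` exits non-zero whenever something is outdated, which
        # is the expected case here, so its status is ignored. tee writes the
        # report file and keeps the output in the job log in a single pass
        # instead of querying the registry twice.
        run: pnpm outdated --recursive | tee outdated-report.txt || true

      - name: Upload outdated report
        uses: actions/upload-artifact@v4
        with:
          name: outdated-dependencies-report
          path: outdated-report.txt
          retention-days: 7

      - name: Create issue for outdated dependencies
        # Only the scheduled run files an issue; manual runs just produce the
        # artifact above.
        if: github.event_name == 'schedule'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const report = fs.readFileSync('outdated-report.txt', 'utf8');
            // An empty report means nothing is outdated: no issue is opened.
            if (report.trim()) {
              await github.rest.issues.create({
                owner: context.repo.owner,
                repo: context.repo.repo,
                title: `Outdated Dependencies Report - ${new Date().toISOString().split('T')[0]}`,
                body: `## 📦 Outdated Dependencies Report\n\nThe following dependencies are outdated:\n\n\`\`\`\n${report}\n\`\`\`\n\nPlease review and update as needed.`,
                labels: ['dependencies', 'security']
              });
            }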