build(deps): bump github.com/andybalholm/brotli from 1.1.1 to 1.2.0 in /src/backend #264
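# Security workflow: CodeQL (Go and JavaScript/TypeScript), dependency
# vulnerability audits, and verified-secret scanning with TruffleHog.
# CodeQL jobs are path-filtered on pull requests; pushes to main and the
# weekly schedule always run the full set.
name: Security

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 6 * * 1' # Weekly Monday 6am UTC — full scan regardless of paths

# Least privilege by default: every job runs with a read-only token unless it
# raises a scope explicitly in its own permissions block.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  changes:
    name: Detect Changes
    runs-on: k8s-personal
    timeout-minutes: 2
    permissions:
      contents: read
      pull-requests: read # dorny/paths-filter lists changed files via the PR API on pull_request events
    outputs:
      backend: ${{ steps.filter.outputs.backend }}
      frontend: ${{ steps.filter.outputs.frontend }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Detect changed paths
        uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            backend:
              - 'src/backend/**'
              - 'sdk/highlight-go/**'
              - 'go.work'
              - 'go.work.sum'
            frontend:
              - 'src/frontend/**'
              - 'sdk/**'
              - 'packages/**'
              - 'yarn.lock'
              - 'rrweb/**'

  codeql-go:
    name: CodeQL Analysis (go)
    needs: changes
    if: needs.changes.outputs.backend == 'true' || github.event_name == 'schedule' || github.event_name == 'push'
    runs-on: k8s-personal
    timeout-minutes: 15
    # A job-level permissions block sets every scope it omits to none, so the
    # scopes checkout and codeql-action rely on are listed explicitly (these
    # mirror the CodeQL starter workflow; actions: read is only needed for
    # private repositories).
    permissions:
      contents: read
      actions: read
      security-events: write # upload SARIF results to code scanning
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: go
          queries: security-extended
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'src/backend/go.mod'
      - name: Build Go
        run: go build ./src/backend/...
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: '/language:go'

  codeql-js:
    name: CodeQL Analysis (javascript-typescript)
    needs: changes
    if: needs.changes.outputs.frontend == 'true' || github.event_name == 'schedule' || github.event_name == 'push'
    runs-on: k8s-personal
    timeout-minutes: 15
    # Same scope set as codeql-go; see the comment there.
    permissions:
      contents: read
      actions: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: javascript-typescript
          queries: security-extended
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: '/language:javascript-typescript'

  dependency-audit:
    name: Dependency Audit
    runs-on: k8s-personal
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false # nothing here pushes; keep the token out of .git/config
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: lts/*
      - name: NPM audit
        run: yarn npm audit --all --severity moderate
        continue-on-error: true # advisory only: findings are logged but never fail the job
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'src/backend/go.mod'
      - name: Go vulnerability check
        # NOTE: @latest resolves to whatever upstream publishes at run time;
        # pin a release once a version policy is agreed.
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          cd src/backend && govulncheck ./...
        continue-on-error: true # advisory only, same as the NPM audit above

  secret-scan:
    name: Secret Scanning
    runs-on: k8s-personal
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history so the --since-commit ranges below resolve
          persist-credentials: false # a remotely fetched installer runs later in this job
      - name: Install TruffleHog
        # NOTE: this fetches and executes an unpinned installer from the upstream
        # default branch on every run; pin to a release tag and verify a
        # checksum once a version policy is agreed.
        run: |
          mkdir -p "$HOME/.local/bin"
          curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b "$HOME/.local/bin"
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
      - name: TruffleHog scan
        # Event data is handed to the script through env vars instead of being
        # interpolated into the shell source, so expression output is always
        # treated as data rather than code.
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
        run: |
          if [ "$EVENT_NAME" = "pull_request" ]; then
            # PR: scan only the commits introduced relative to the base branch
            trufflehog git file://. --since-commit "$PR_BASE_SHA" --branch HEAD --only-verified --fail --no-update
          elif [ "$EVENT_NAME" = "push" ] && [ -n "$PUSH_BEFORE_SHA" ] && [ "$PUSH_BEFORE_SHA" != "0000000000000000000000000000000000000000" ]; then
            # push with a real previous head: scan the pushed range only
            trufflehog git file://. --since-commit "$PUSH_BEFORE_SHA" --only-verified --fail --no-update
          else
            # schedule, first push of a branch, or unknown range: full history
            trufflehog git file://. --only-verified --fail --no-update
          fi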