
build(deps-dev): bump copy-webpack-plugin from 11.0.0 to 14.0.0 #270



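# Security scanning workflow: CodeQL (Go and JavaScript/TypeScript),
# dependency audits and secret scanning. The CodeQL jobs are path-filtered
# on pull requests; pushes to main and the weekly schedule always run them.
name: Security

on:
  push:
    branches: [main]
  # NOTE(review): pull_request runs on the self-hosted k8s-personal runner
  # and executes repository code there (go build, yarn) — confirm the runner
  # is ephemeral or that fork pull requests are gated.
  pull_request:
  schedule:
    - cron: '0 6 * * 1' # Weekly Monday 6am UTC — full scan regardless of paths

# Least privilege: every job's GITHUB_TOKEN is read-only on repository
# contents unless the job widens it explicitly below (SARIF upload, PR file
# listing). Without this block, jobs with no `permissions` key fall back to
# the repository default, which may be read-write.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  changes:
    name: Detect Changes
    runs-on: k8s-personal
    timeout-minutes: 2
    permissions:
      contents: read
      # paths-filter lists changed files through the pull request API on
      # pull_request events; it needs pull-requests: read for that.
      pull-requests: read
    outputs:
      backend: ${{ steps.filter.outputs.backend }}
      frontend: ${{ steps.filter.outputs.frontend }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Detect changed paths
        uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            backend:
              - 'src/backend/**'
              - 'sdk/highlight-go/**'
              - 'go.work'
              - 'go.work.sum'
            frontend:
              - 'src/frontend/**'
              - 'sdk/**'
              - 'packages/**'
              - 'yarn.lock'
              - 'rrweb/**'

  codeql-go:
    name: CodeQL Analysis (go)
    needs: changes
    # Path-filtered on pull requests; scheduled and push runs always analyze.
    if: needs.changes.outputs.backend == 'true' || github.event_name == 'schedule' || github.event_name == 'push'
    runs-on: k8s-personal
    timeout-minutes: 15
    # A job-level `permissions` block resets every unlisted scope to none, so
    # the scopes CodeQL needs must all be listed here.
    permissions:
      contents: read # checkout
      actions: read # codeql-action reads run metadata (required for private repositories)
      security-events: write # SARIF upload to code scanning
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: go
          queries: security-extended
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'src/backend/go.mod'
      - name: Build Go
        # CodeQL traces this build to extract the Go database.
        run: go build ./src/backend/...
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: '/language:go'

  codeql-js:
    name: CodeQL Analysis (javascript-typescript)
    needs: changes
    # Path-filtered on pull requests; scheduled and push runs always analyze.
    if: needs.changes.outputs.frontend == 'true' || github.event_name == 'schedule' || github.event_name == 'push'
    runs-on: k8s-personal
    timeout-minutes: 15
    permissions:
      contents: read # checkout
      actions: read # codeql-action reads run metadata (required for private repositories)
      security-events: write # SARIF upload to code scanning
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: javascript-typescript
          queries: security-extended
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: '/language:javascript-typescript'

  dependency-audit:
    name: Dependency Audit
    runs-on: k8s-personal
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: lts/*
      - name: NPM audit
        run: yarn npm audit --all --severity moderate
        # Advisory only: findings are reported but do not fail the job.
        # Tighten to a hard failure once the baseline is clean.
        continue-on-error: true
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'src/backend/go.mod'
      - name: Go vulnerability check
        # NOTE(review): @latest is unpinned; pin a govulncheck version so
        # runs are reproducible and the tool itself is not a moving target.
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          cd src/backend && govulncheck ./...
        # Advisory only, same as the npm audit above.
        continue-on-error: true

  secret-scan:
    name: Secret Scanning
    runs-on: k8s-personal
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history so --since-commit ranges resolve
      - name: Install TruffleHog
        # NOTE(review): the installer is fetched from the upstream `main`
        # branch and piped to sh, so the installed binary is unpinned. Pin a
        # release tag (the installer accepts one as its trailing argument;
        # use a placeholder like <TRUFFLEHOG_VERSION> until chosen) and
        # verify its checksum.
        run: |
          mkdir -p "$HOME/.local/bin"
          curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b "$HOME/.local/bin"
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
      - name: TruffleHog scan
        # Event data is passed through env vars instead of being interpolated
        # into the script, so workflow-expression output is never parsed by
        # the shell.
        env:
          EVENT_NAME: ${{ github.event_name }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          BEFORE_SHA: ${{ github.event.before }}
        run: |
          if [ "$EVENT_NAME" = "pull_request" ]; then
            # Pull request: scan only commits on top of the base branch
            trufflehog git file://. --since-commit "$BASE_SHA" --branch HEAD --only-verified --fail --no-update
          elif [ "$EVENT_NAME" = "push" ] && [ -n "$BEFORE_SHA" ] && [ "$BEFORE_SHA" != "0000000000000000000000000000000000000000" ]; then
            # Push with a known previous tip: scan the pushed range
            # (an all-zero before SHA means a newly created branch)
            trufflehog git file://. --since-commit "$BEFORE_SHA" --only-verified --fail --no-update
          else
            # Schedule or new branch: full history scan
            trufflehog git file://. --only-verified --fail --no-update
          fi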