Skip to content

chore(deps): bump the actions group across 1 directory with 3 updates #20

chore(deps): bump the actions group across 1 directory with 3 updates

chore(deps): bump the actions group across 1 directory with 3 updates #20

Workflow file for this run

name: Security
on:
workflow_call:
inputs:
upload-artifact:
description: Upload the betterleaks SARIF report as a workflow artifact.
type: boolean
required: false
default: false
push:
branches: [main]
pull_request:
paths: ["src/**", "package.json", "pnpm-lock.yaml", ".github/workflows/**"]
schedule:
- cron: "37 4 * * 2"
workflow_dispatch:
permissions:
contents: read
concurrency:
group: security-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
audit:
name: Dependency audit
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup pnpm
uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
with:
package_json_file: "package.json"
- name: Create temporary package-lock for npm audit
run: npm install --package-lock-only --ignore-scripts --no-audit --no-fund
- name: Audit production dependencies
run: npm audit --omit=dev --audit-level=high
secrets:
name: Secret scan (betterleaks)
runs-on: ubuntu-latest
timeout-minutes: 5
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Install betterleaks
run: |
BETTERLEAKS_VERSION=1.5.0
curl -sSfL "https://github.com/betterleaks/betterleaks/releases/download/v${BETTERLEAKS_VERSION}/betterleaks_${BETTERLEAKS_VERSION}_linux_x64.tar.gz" -o betterleaks.tar.gz
tar -xzf betterleaks.tar.gz betterleaks
sudo install -m 0755 betterleaks /usr/local/bin/betterleaks
- name: Run betterleaks
run: betterleaks dir . --no-banner --redact --exit-code=2 --report-path betterleaks.sarif --report-format sarif
- name: Upload betterleaks SARIF
if: always() && inputs.upload-artifact
uses: github/codeql-action/upload-sarif@c35d1b164463ee62a100735382aaaa525c5d3496 # codeql-bundle-v2.25.6
with:
sarif_file: betterleaks.sarif
shellcheck:
name: ShellCheck
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Run ShellCheck when shell scripts are present
run: |
mapfile -t scripts < <(find . -type f -name '*.sh' \
-not -path './node_modules/*' \
-not -path './.git/*' \
-not -path './dist/*')
if [ "${#scripts[@]}" -eq 0 ]; then
echo "No shell scripts found; skipping."
else
shellcheck "${scripts[@]}"
fi
workflow-lint:
name: Workflow lint (actionlint + zizmor)
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2.1.2
- name: Install zizmor
env:
GH_TOKEN: ${{ github.token }}
run: |
gh release download --repo zizmorcore/zizmor \
--pattern 'zizmor-x86_64-unknown-linux-gnu.tar.gz' \
--output /tmp/zizmor.tar.gz
tar xzf /tmp/zizmor.tar.gz -C /usr/local/bin zizmor
chmod +x /usr/local/bin/zizmor
- name: Run zizmor
run: |
zizmor --color always \
--persona auditor \
--min-severity high \
--min-confidence medium \
.github/workflows/