chore(deps): bump the actions group across 1 directory with 3 updates #20
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| workflow_call: | |
| inputs: | |
| upload-artifact: | |
| description: Upload the betterleaks SARIF report as a workflow artifact. | |
| type: boolean | |
| required: false | |
| default: false | |
| push: | |
| branches: [main] | |
| pull_request: | |
| paths: ["src/**", "package.json", "pnpm-lock.yaml", ".github/workflows/**"] | |
| schedule: | |
| - cron: "37 4 * * 2" | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: security-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| audit: | |
| name: Dependency audit | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9 | |
| with: | |
| package_json_file: "package.json" | |
| - name: Create temporary package-lock for npm audit | |
| run: npm install --package-lock-only --ignore-scripts --no-audit --no-fund | |
| - name: Audit production dependencies | |
| run: npm audit --omit=dev --audit-level=high | |
| secrets: | |
| name: Secret scan (betterleaks) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Install betterleaks | |
| run: | | |
| BETTERLEAKS_VERSION=1.5.0 | |
| curl -sSfL "https://github.com/betterleaks/betterleaks/releases/download/v${BETTERLEAKS_VERSION}/betterleaks_${BETTERLEAKS_VERSION}_linux_x64.tar.gz" -o betterleaks.tar.gz | |
| tar -xzf betterleaks.tar.gz betterleaks | |
| sudo install -m 0755 betterleaks /usr/local/bin/betterleaks | |
| - name: Run betterleaks | |
| run: betterleaks dir . --no-banner --redact --exit-code=2 --report-path betterleaks.sarif --report-format sarif | |
| - name: Upload betterleaks SARIF | |
| if: always() && inputs.upload-artifact | |
| uses: github/codeql-action/upload-sarif@c35d1b164463ee62a100735382aaaa525c5d3496 # codeql-bundle-v2.25.6 | |
| with: | |
| sarif_file: betterleaks.sarif | |
| shellcheck: | |
| name: ShellCheck | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Run ShellCheck when shell scripts are present | |
| run: | | |
| mapfile -t scripts < <(find . -type f -name '*.sh' \ | |
| -not -path './node_modules/*' \ | |
| -not -path './.git/*' \ | |
| -not -path './dist/*') | |
| if [ "${#scripts[@]}" -eq 0 ]; then | |
| echo "No shell scripts found; skipping." | |
| else | |
| shellcheck "${scripts[@]}" | |
| fi | |
| workflow-lint: | |
| name: Workflow lint (actionlint + zizmor) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2.1.2 | |
| - name: Install zizmor | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| gh release download --repo zizmorcore/zizmor \ | |
| --pattern 'zizmor-x86_64-unknown-linux-gnu.tar.gz' \ | |
| --output /tmp/zizmor.tar.gz | |
| tar xzf /tmp/zizmor.tar.gz -C /usr/local/bin zizmor | |
| chmod +x /usr/local/bin/zizmor | |
| - name: Run zizmor | |
| run: | | |
| zizmor --color always \ | |
| --persona auditor \ | |
| --min-severity high \ | |
| --min-confidence medium \ | |
| .github/workflows/ |