Files
2026-07-13 12:38:34 +08:00

93 lines
2.8 KiB
YAML

name: Audit Typescript SDK
on:
push:
branches: [master, next]
paths:
- 'ts/**'
- '.github/actions/setup-node-pnpm-bun/action.yml'
- '.github/workflows/ts.audit.yml'
- 'mise.toml'
- 'mise.lock'
- 'package.json'
- 'pnpm-lock.yaml'
- 'pnpm-workspace.yaml'
pull_request:
branches: [master, next]
paths:
- 'ts/**'
- '.github/actions/setup-node-pnpm-bun/action.yml'
- '.github/workflows/ts.audit.yml'
- 'mise.toml'
- 'mise.lock'
- 'package.json'
- 'pnpm-lock.yaml'
- 'pnpm-workspace.yaml'
concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.ref || github.run_id }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
permissions:
contents: read
jobs:
audit:
name: Audit
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout Code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Setup Node.js, pnpm, Bun
uses: ./.github/actions/setup-node-pnpm-bun
with:
enable-caching: 'false'
- name: Verify mise.lock is fresh
run: |
mise lock --platform linux-x64,linux-arm64,macos-arm64,macos-x64
git diff --exit-code mise.lock
- name: Run pnpm audit (production dependencies only)
id: audit
continue-on-error: true
run: pnpm audit --prod > audit-output.txt 2>&1
- name: Comment on PR if audit failed
if: steps.audit.outcome == 'failure' && github.event_name == 'pull_request'
run: |
{
echo "⚠️ **Security Audit Warning**"
echo ""
echo "The \`pnpm audit --prod\` check found security vulnerabilities in production dependencies."
echo ""
echo "Please review and fix the vulnerabilities. You can try running:"
echo "\`\`\`bash"
echo "pnpm audit --fix --prod"
echo "\`\`\`"
echo ""
echo "<details>"
echo "<summary>Audit output</summary>"
echo ""
echo "\`\`\`"
cat audit-output.txt
echo "\`\`\`"
echo ""
echo "</details>"
} > audit-comment.txt
- name: Post audit comment to PR
if: steps.audit.outcome == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
with:
file-path: audit-comment.txt
comment-tag: pnpm-audit-security-warning
- name: Fail on high/critical advisories
run: pnpm audit --prod --audit-level=high