93 lines
2.8 KiB
YAML
93 lines
2.8 KiB
YAML
name: Audit Typescript SDK
|
|
|
|
on:
|
|
push:
|
|
branches: [master, next]
|
|
paths:
|
|
- 'ts/**'
|
|
- '.github/actions/setup-node-pnpm-bun/action.yml'
|
|
- '.github/workflows/ts.audit.yml'
|
|
- 'mise.toml'
|
|
- 'mise.lock'
|
|
- 'package.json'
|
|
- 'pnpm-lock.yaml'
|
|
- 'pnpm-workspace.yaml'
|
|
pull_request:
|
|
branches: [master, next]
|
|
paths:
|
|
- 'ts/**'
|
|
- '.github/actions/setup-node-pnpm-bun/action.yml'
|
|
- '.github/workflows/ts.audit.yml'
|
|
- 'mise.toml'
|
|
- 'mise.lock'
|
|
- 'package.json'
|
|
- 'pnpm-lock.yaml'
|
|
- 'pnpm-workspace.yaml'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.ref || github.run_id }}
|
|
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
audit:
|
|
name: Audit
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
pull-requests: write
|
|
|
|
steps:
|
|
- name: Checkout Code
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
|
|
- name: Setup Node.js, pnpm, Bun
|
|
uses: ./.github/actions/setup-node-pnpm-bun
|
|
with:
|
|
enable-caching: 'false'
|
|
|
|
- name: Verify mise.lock is fresh
|
|
run: |
|
|
mise lock --platform linux-x64,linux-arm64,macos-arm64,macos-x64
|
|
git diff --exit-code mise.lock
|
|
|
|
- name: Run pnpm audit (production dependencies only)
|
|
id: audit
|
|
continue-on-error: true
|
|
run: pnpm audit --prod > audit-output.txt 2>&1
|
|
|
|
- name: Comment on PR if audit failed
|
|
if: steps.audit.outcome == 'failure' && github.event_name == 'pull_request'
|
|
run: |
|
|
{
|
|
echo "⚠️ **Security Audit Warning**"
|
|
echo ""
|
|
echo "The \`pnpm audit --prod\` check found security vulnerabilities in production dependencies."
|
|
echo ""
|
|
echo "Please review and fix the vulnerabilities. You can try running:"
|
|
echo "\`\`\`bash"
|
|
echo "pnpm audit --fix --prod"
|
|
echo "\`\`\`"
|
|
echo ""
|
|
echo "<details>"
|
|
echo "<summary>Audit output</summary>"
|
|
echo ""
|
|
echo "\`\`\`"
|
|
cat audit-output.txt
|
|
echo "\`\`\`"
|
|
echo ""
|
|
echo "</details>"
|
|
} > audit-comment.txt
|
|
|
|
- name: Post audit comment to PR
|
|
if: steps.audit.outcome == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
|
|
uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
|
|
with:
|
|
file-path: audit-comment.txt
|
|
comment-tag: pnpm-audit-security-warning
|
|
|
|
- name: Fail on high/critical advisories
|
|
run: pnpm audit --prod --audit-level=high
|