name: Promptfoo Code Scan on: pull_request: types: [opened, ready_for_review] workflow_dispatch: inputs: pr_number: description: 'PR number to scan' required: true permissions: contents: read jobs: security-scan: runs-on: ubuntu-latest timeout-minutes: 15 env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true PROMPTFOO_DISABLE_UPDATE: true permissions: contents: read pull-requests: write id-token: write steps: - name: Checkout code uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 # Pin to 24.15.0 (not .nvmrc): Node 24.16.0 adds ~10s to every HTTPS # request on Linux runners, dragging the scanner's uncached # `npm install -g promptfoo` (~860 packages) into a 14-minute crawl that # trips the job timeout. 24.17.0 still has the regression (PR #9859 # re-bumped it and every scan started timing out), so renovate.json # disables Node updates for this file. Revisit — and re-enable that # rule — when a newer Node resolves it. - name: Use Node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: '24.15.0' - name: Run Promptfoo Code Scan uses: promptfoo/code-scan-action@c4839dcb8623ca031ee6d271c7850dc71d994dd3 # v0 env: # Keep the global CLI install on the first promptfoo release that retries # transient repository MCP timeouts, while avoiding future dependency drift. NPM_CONFIG_BEFORE: '2026-04-11T00:40:00.000Z' # Avoid combining the workflow's before pin with this repo's project .npmrc # min-release-age setting without changing nested npx package layout. NPM_CONFIG_USERCONFIG: '/dev/null' with: min-severity: medium config-path: .github/promptfoo-code-scan.yaml enable-fork-prs: true