refactor(cache): major caching refactor / migration -> cacheComponents #720
| # Security Scanning | |
| # Optimizations: path-based filtering, conditional jobs, shallow clones, cancels in-progress | |
| # Uses actions/checkout@v6 (fetch-depth: 2 for PRs, 1 for others) | |
| name: Security | |
| on: | |
| # Weekly scheduled scan (Monday 3am UTC) - comprehensive analysis | |
| schedule: | |
| - cron: '0 3 * * 1' | |
| # Only on PRs (not every push) - path-based filtering | |
| pull_request: | |
| branches: [main] | |
| paths: | |
| - 'apps/**/*.{ts,tsx,js,jsx}' | |
| - 'packages/**/*.{ts,tsx,js,jsx}' | |
| - 'package.json' | |
| - 'pnpm-lock.yaml' | |
| - '.github/workflows/security.yml' | |
| # Manual trigger for on-demand scanning | |
| workflow_dispatch: | |
| env: | |
| PNPM_VERSION: 10.25.0 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
| jobs: | |
| # Lightweight secret scanning (fast, always runs on PRs) | |
| secrets: | |
| name: Secret Scanning | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 3 | |
| if: github.event_name != 'schedule' | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| # PRs need depth 2 for base comparison, others only need 1 | |
| fetch-depth: ${{ github.event_name == 'pull_request' && 2 || 1 }} | |
| - name: Check for hardcoded secrets | |
| uses: trufflesecurity/trufflehog@v3.91.1 | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| head: HEAD | |
| extra_args: --only-verified --exclude-paths=.github/trufflehog-exclude.txt | |
| continue-on-error: true | |
| # CodeQL (only on schedule, not blocking) | |
| codeql: | |
| name: CodeQL Analysis | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 6 | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 # Shallow clone - CodeQL doesn't need full history | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: javascript-typescript | |
| queries: security-extended | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v4 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| continue-on-error: true | |
| # Dependency review (only on PRs with dependency changes) | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 3 | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 # Shallow clone - dependency review only needs current state | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@v4 | |
| with: | |
| fail-on-severity: critical | |
| vulnerability-check: true | |
| license-check: false | |
| comment-summary-in-pr: always | |
| warn-only: true |
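Review bot: The `secrets` job declares no `permissions:` block, so it inherits the repository's default GITHUB_TOKEN scope while `codeql` and `dependency-review` each restrict theirs; add `permissions:` / `contents: read` under that job so the checkout-plus-TruffleHog step runs with a read-only token like its siblings. Every scanner here is also non-blocking — `continue-on-error: true` on the TruffleHog step and on the CodeQL analyze step, and `warn-only: true` on dependency review, which makes `fail-on-severity: critical` advisory — so a verified secret or a critical vulnerability never fails the PR check; if that is intended, a comment at the `jobs:` level stating that the workflow is report-only would keep the next reader from assuming it gates merges. The actions are pinned to tags (`actions/checkout@v6`, `trufflesecurity/trufflehog@v3.91.1`, `github/codeql-action/*@v4`, `actions/dependency-review-action@v4`); for a security workflow, pinning to the full commit SHA with the tag in a trailing comment (`uses: trufflesecurity/trufflehog@<commit-sha>  # v3.91.1`) protects against a retargeted tag. The TruffleHog step compares `base: ${{ github.event.repository.default_branch }}` against `HEAD` from a depth-2 clone, which may not contain the default-branch ref on a PR and is an empty range when dispatched from the default branch — worth confirming the scan actually covers the PR commits rather than silently passing under `continue-on-error`. `PNPM_VERSION` is set at workflow level but no job visible here reads it.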