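---
# CI pipeline: unit tests plus four independent security scans
# (Semgrep SAST, Gitleaks secret scan, dependency vulnerability audit,
# CodeQL SAST). Every scan job emits SARIF and pushes it to the GitHub
# Security dashboard via codeql-action/upload-sarif.
name: CI

# Default GITHUB_TOKEN scope for every job; individual jobs restate or
# narrow it below. `security-events: write` is what upload-sarif needs.
permissions:
  contents: read
  security-events: write

# `on` is read as boolean true by YAML 1.1 parsers; GitHub's loader handles
# it, so keep it bare and silence yamllint instead of quoting the key.
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - '**'

# NOTE(review): third-party actions and container images are pinned to
# floating tags (@v4, @v2, :latest, no tag at all). Pinning to a full commit
# SHA / image digest (e.g. `uses: owner/action@<FULL-COMMIT-SHA>  # vX.Y`)
# narrows the supply-chain surface; the exact SHAs are not available here.
jobs:
  test:
    runs-on: ubuntu-latest
    # NOTE(review): this job never uploads SARIF, so it could be narrowed to
    # `permissions: contents: read` — confirm the coverage action needs
    # nothing more on push events before tightening.
    strategy:
      matrix:
        node-version: ['20.x']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install dependencies
        # --frozen-lockfile: refuse to re-resolve versions at CI time so the
        # tree under test matches yarn.lock (same flag as dependency_audit).
        run: yarn install --frozen-lockfile
      - name: 'Test'
        run: npx vitest --coverage.enabled true
      - name: 'Report Coverage'
        # if: always() also generates the report when tests are failing.
        # Only works if `reportOnFailure: true` is set in the project's vite config.
        if: always()
        uses: davelosert/vitest-coverage-report-action@v2

  semgrep_scan:
    name: semgrep/ci
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep
    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Perform Semgrep Analysis (fails on findings)
        # --error: exit non-zero on findings so the job turns red; the SARIF
        # is still written, and both upload steps below run on always().
        # --config auto fetches rules from the Semgrep registry at run time.
        run: semgrep scan -q --error --config auto --sarif -o semgrep-results.sarif .
      - name: Save SARIF results as artifact
        # always(): the scan step fails precisely when there is something to
        # report, so without it the artifact was skipped on every finding.
        if: always() && hashFiles('semgrep-results.sarif') != ''
        uses: actions/upload-artifact@v4
        with:
          name: semgrep-scan-results
          path: semgrep-results.sarif
      - name: Upload SARIF result to the GitHub Security Dashboard
        if: always() && hashFiles('semgrep-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep-results.sarif

  gitleaks_scan:
    name: Gitleaks Secret Scan
    runs-on: ubuntu-latest
    # Same explicit set as semgrep_scan; `actions: read` is the extra scope
    # codeql-action documents for upload-sarif on private repositories.
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Run Gitleaks (fail on leaks)
        uses: docker://gitleaks/gitleaks:latest
        with:
          # --no-git scans the checked-out tree only, not commit history, so
          # a secret that was committed and later removed is not reported
          # (checkout@v4 fetches depth 1 by default, so history is absent anyway).
          # --redact keeps the matched values out of the SARIF and the job log.
          args: detect --source . --no-git --redact --report-format sarif --report-path gitleaks.sarif --exit-code 1
      - name: Upload Gitleaks SARIF as artifact
        if: always() && hashFiles('gitleaks.sarif') != ''
        uses: actions/upload-artifact@v4
        with:
          name: gitleaks-scan-results
          path: gitleaks.sarif
      - name: Upload Gitleaks SARIF to Code Scanning
        if: always() && hashFiles('gitleaks.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gitleaks.sarif

  dependency_audit:
    name: Dependency Vulnerability Audit
    runs-on: ubuntu-latest
    # Read-only: this job only inspects the lockfile and reports.
    permissions:
      contents: read
    strategy:
      matrix:
        node-version: ['20.x']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install dependencies
        run: yarn install --frozen-lockfile
      - name: Audit dependencies (high severity and above)
        # NOTE(review): `npx --yes audit-ci` resolves the newest audit-ci on
        # every run; pinning (`audit-ci@<VERSION>`) makes the audit reproducible.
        run: npx --yes audit-ci --package-manager yarn --severity high

  codeql_sast:
    name: CodeQL SAST
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-extended,security-and-quality
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis (generate SARIF)
        uses: github/codeql-action/analyze@v3
        with:
          # output: directory the SARIF files are written to; the artifact
          # step and the fail check below both read from it.
          output: codeql-results
          upload: true
          wait-for-processing: true
      - name: Upload CodeQL SARIF as artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: codeql-scan-results
          path: codeql-results/*.sarif
      - name: Fail if CodeQL alerts found
        run: |
          set -euo pipefail
          # nullglob: an unmatched glob expands to nothing instead of the
          # literal pattern, so the "no files" branch below can actually fire
          # (without it the array always had one element and jq then failed
          # on a file that does not exist).
          shopt -s nullglob
          files=(codeql-results/*.sarif)
          if [ ${#files[@]} -eq 0 ]; then
            echo "No SARIF files found in codeql-results; skipping fail check."
            exit 0
          fi
          # -s slurps every SARIF into one array so several files produce a
          # single integer rather than one number per file (which would break
          # the -gt comparison).
          total=$(jq -s '[.[].runs[].results | length] | add // 0' "${files[@]}")
          echo "CodeQL alerts: $total"
          if [ "$total" -gt 0 ]; then
            echo "Failing due to CodeQL alerts."
            exit 1
          fi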