ci.yml
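# CI workflow: unit tests with coverage plus four security gates
# (Semgrep SAST, Gitleaks secret scan, dependency audit, CodeQL SAST).
# Runs on every push to any branch.
#
# NOTE(review): every `uses:` reference and container image below is pinned
# to a mutable tag (or to no tag at all). Pinning to a full commit SHA /
# image digest stops a retagged upstream release from changing what runs
# here; this matters most for the third-party coverage action and the two
# scanner images.
name: CI

# Workflow-wide default is read-only. Jobs that publish code-scanning
# results request `security-events: write` themselves, so the jobs that
# install and execute dependency code never hold a write-scoped token.
permissions:
  contents: read

on:
  push:
    branches:
      - '**'

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: ['20.x']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Do not leave the job token in .git/config for later steps
          # (dependency install scripts, third-party actions) to read.
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install dependencies
        # Same flag as the dependency_audit job: install exactly what the
        # lockfile records instead of re-resolving versions in CI.
        run: yarn install --frozen-lockfile
      - name: 'Test'
        run: npx vitest --coverage.enabled true
      - name: 'Report Coverage'
        # always() also generates the report when the tests fail; that
        # requires `reportOnFailure: true` in the vitest coverage config.
        if: always()
        uses: davelosert/vitest-coverage-report-action@v2

  semgrep_scan:
    name: semgrep/ci
    runs-on: ubuntu-latest
    container:
      # NOTE(review): no tag or digest, so the newest published image is
      # pulled on every run.
      image: returntocorp/semgrep
    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Perform Semgrep Analysis (fails on findings)
        # `--config auto` resolves the rule set at run time, so the rules
        # applied can differ between runs of the same commit.
        run: semgrep scan -q --error --config auto --sarif -o semgrep-results.sarif .
      - name: Save SARIF results as artifact
        # The scan step exits non-zero on findings; without always() the
        # report would be dropped exactly when it contains results.
        if: always() && hashFiles('semgrep-results.sarif') != ''
        uses: actions/upload-artifact@v4
        with:
          name: semgrep-scan-results
          path: semgrep-results.sarif
      - name: Upload SARIF result to the GitHub Security Dashboard
        if: always() && hashFiles('semgrep-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep-results.sarif

  gitleaks_scan:
    name: Gitleaks Secret Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Run Gitleaks (fail on leaks)
        # NOTE(review): `:latest` is a mutable tag. `--no-git` scans only
        # the checked-out working tree, so a secret that was committed and
        # later removed is not reported by this job.
        uses: docker://gitleaks/gitleaks:latest
        with:
          args: >-
            detect --source . --no-git --redact
            --report-format sarif --report-path gitleaks.sarif
            --exit-code 1
      - name: Upload Gitleaks SARIF as artifact
        if: always() && hashFiles('gitleaks.sarif') != ''
        uses: actions/upload-artifact@v4
        with:
          name: gitleaks-scan-results
          path: gitleaks.sarif
      - name: Upload Gitleaks SARIF to Code Scanning
        if: always() && hashFiles('gitleaks.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gitleaks.sarif

  dependency_audit:
    name: Dependency Vulnerability Audit
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: ['20.x']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install dependencies
        run: yarn install --frozen-lockfile
      - name: Audit dependencies (high severity and above)
        # NOTE(review): `npx --yes` downloads whatever audit-ci version is
        # current at run time; adding it as a locked devDependency would
        # make the audit tool itself reproducible.
        run: npx --yes audit-ci --package-manager yarn --severity high

  codeql_sast:
    name: CodeQL SAST
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      # NOTE(review): private repositories may also need `actions: read`
      # for CodeQL - confirm against the repository's visibility.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-extended,security-and-quality
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis (generate SARIF)
        uses: github/codeql-action/analyze@v3
        with:
          output: codeql-results
          upload: true
          wait-for-processing: true
      - name: Upload CodeQL SARIF as artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: codeql-scan-results
          path: codeql-results/*.sarif
      - name: Fail if CodeQL alerts found
        run: |
          set -euo pipefail
          # nullglob: an unmatched pattern expands to nothing instead of
          # to itself, so the emptiness check below can actually trigger.
          shopt -s nullglob
          files=(codeql-results/*.sarif)
          if [ "${#files[@]}" -eq 0 ]; then
            # Fail closed: with no report the gate cannot be evaluated.
            # (Previously the unmatched glob reached jq and failed there.)
            echo "No SARIF files found in codeql-results; cannot evaluate the gate."
            exit 1
          fi
          # --slurp reads all files into one array so the count is a single
          # number even when several SARIF files are present.
          total=$(jq --slurp '[.[].runs[].results | length] | add // 0' "${files[@]}")
          echo "CodeQL alerts: $total"
          if [ "$total" -gt 0 ]; then
            echo "Failing due to CodeQL alerts."
            exit 1
          fi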