This repository has been archived by the owner on Aug 5, 2024. It is now read-only.
chore(deps): bump github/codeql-action from 3.24.9 to 3.25.9 #1220
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [ master ] | |
| pull_request: | |
| branches: [ master ] | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| code-review: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| objects.githubusercontent.com:443 | |
| - name: Code Review | |
| uses: step-security/ai-codewise@e352b2a5372e83d61ad449550deb2f3c61089e09 # v1.0.0 | |
| lint: | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| runs-on: ubuntu-latest | |
| needs: dependency-scan | |
| strategy: | |
| max-parallel: 4 | |
| matrix: | |
| node-version: [18.x, 20.x] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| registry.npmjs.org:443 | |
| - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v2 | |
| - name: Use Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v2 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - name: Set shell options | |
| run: | | |
| set -o xtrace | |
| - name: Install dependencies | |
| run: | | |
| node -v | |
| npm ci --no-optional | |
| - name: Run linter | |
| run: | | |
| npm run lint | |
| - name: Upload eslint report | |
| uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v1 | |
| with: | |
| sarif_file: results.sarif | |
| semgrep: | |
| name: semgrep | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| pull-requests: write # for semgrep to add comments in pull request | |
| runs-on: ubuntu-latest | |
| needs: dependency-scan | |
| if: (github.actor != 'dependabot[bot]') | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| deep-semgrep-artifacts.s3.amazonaws.com:443 | |
| fail-open.prod.semgrep.dev:443 | |
| github.com:443 | |
| metrics.semgrep.dev:443 | |
| semgrep.dev:443 | |
| - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v2 | |
| - uses: returntocorp/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d # v1 | |
| with: | |
| publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} | |
| analyze: | |
| permissions: | |
| actions: read # for github/codeql-action/init to get workflow details | |
| contents: read # for actions/checkout to fetch code | |
| security-events: write # for github/codeql-action/analyze to upload SARIF results | |
| name: Analyze | |
| runs-on: ubuntu-latest | |
| needs: dependency-scan | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [ 'javascript' ] | |
| # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] | |
| # Learn more: | |
| # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| registry.npmjs.org:443 | |
| uploads.github.com:443 | |
| objects.githubusercontent.com:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v2 | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@530d4feaa9c62aaab2d250371e2061eb7a172363 # v1 | |
| with: | |
| languages: ${{ matrix.language }} | |
| # If you wish to specify custom queries, you can do so here or in a config file. | |
| # By default, queries listed here will override any specified in a config file. | |
| # Prefix the list here with "+" to use these queries and those in the config file. | |
| # queries: ./path/to/local/query, your-org/your-repo/queries@main | |
| - name: Install dependencies | |
| run: | | |
| node -v | |
| npm ci --no-optional | |
| - name: Run a build | |
| run: | | |
| npm run build | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@530d4feaa9c62aaab2d250371e2061eb7a172363 # v1 | |
| dependency-scan: | |
| if: github.event.pull_request.draft == false | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| objects.githubusercontent.com:443 | |
| ghcr.io:443 | |
| pkg-containers.githubusercontent.com:443 | |
| - name: Checkout the code | |
| uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run vulnerability scanner in repo mode | |
| if: github.actor != 'dependabot[bot]' | |
| uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 | |
| with: | |
| scan-type: 'fs' | |
| ignore-unfixed: false | |
| exit-code: 1 | |
| format: 'table' | |
| vuln-type: 'library' | |
| severity: 'CRITICAL,HIGH' | |
| scanners: 'vuln,config,secret' | |
| - name: Run vulnerability scanner in repo mode | |
| if: github.actor == 'dependabot[bot]' | |
| uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0 | |
| with: | |
| scan-type: 'fs' | |
| ignore-unfixed: false | |
| exit-code: 1 | |
| format: 'table' | |
| vuln-type: 'library' | |
| severity: 'MEDIUM,HIGH,CRITICAL' | |
| scanners: 'vuln,config,secret' |