.github/workflows/snyk.yaml

name: Snyk Security Scan

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

jobs:
  snyk-security-scan:
    runs-on: ubuntu-latest
    name: Snyk Security Scan
    steps:
      - uses: actions/checkout@v4

      - name: Setup PNPM
        uses: pnpm/action-setup@v3
        with:
          version: latest

      - name: Cache PNPM dependencies
        uses: actions/cache@v4
        with:
          path: ~/.pnpm-store
          key: ${{ runner.os }}-pnpm-${{ hashFiles('pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-

      - name: Install dependencies
        run: pnpm install

      - name: Cache Snyk cache folder
        uses: actions/cache@v4
        with:
          path: ~/.cache/snyk
          key: ${{ runner.os }}-snyk-${{ hashFiles('pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-snyk-

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_SECRET }}
        with:
          args: --severity-threshold=high