Security #1
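---
# Scheduled monorepo security suite.
#
# Runs `mise run security` weekly (and on demand), captures its output, and
# opens a tracking issue when it fails. The workflow itself then fails so the
# run shows red in the Actions UI.
name: Security

on:
  workflow_dispatch: {}
  schedule:
    # Weekly: Monday 12:00 UTC
    - cron: "0 12 * * 1"

# Serialise runs; a queued run is never cancelled by a newer one.
concurrency:
  group: security-suite
  cancel-in-progress: false

# Deny every permission at the workflow level; the job grants back only what it
# needs (contents:read for checkout, issues:write for `gh issue create`).
permissions:
  actions: none
  attestations: none
  checks: none
  contents: none
  deployments: none
  discussions: none
  id-token: none
  issues: none
  models: none
  packages: none
  pages: none
  pull-requests: none
  repository-projects: none
  security-events: none
  statuses: none

jobs:
  security:
    name: Monorepo security suite
    runs-on: ubuntu-latest
    timeout-minutes: 120
    permissions:
      contents: read
      issues: write
    env:
      CI: "true"
      MISE_EXPERIMENTAL: "1"
      # NOTE(review): these two are job-wide, so every step — including the
      # third-party tooling that mise/aqua install and run — sees a token that
      # carries issues:write. If only the install steps need it (GitHub API
      # rate limits for release downloads), consider scoping it to those steps.
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      AQUA_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history: presumably needed by history-scanning tools in the
          # suite (e.g. secret scanners) — confirm against `mise run security`.
          fetch-depth: 0
          # Do not leave the checkout token in .git/config for later steps.
          persist-credentials: false

      - name: Install mise
        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
        with:
          cache: true

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "22.x"

      - name: Install dependencies
        run: mise run install

      - name: Run security suite
        id: scan
        # `shell: bash` matters here: with the shell unspecified GitHub runs the
        # step as `bash -e {0}` (no pipefail), so the pipeline's exit status is
        # tee's, the step always succeeds, and neither the issue step nor the
        # final failure step below would ever trigger. An explicit `shell: bash`
        # runs `bash --noprofile --norc -eo pipefail {0}`, which propagates the
        # suite's exit status through the pipe.
        shell: bash
        run: mise run security 2>&1 | tee security-log.txt
        # Let the job continue so the issue step can run; the last step re-fails.
        continue-on-error: true

      - name: Open issue on failure
        if: steps.scan.outcome == 'failure'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # The last 200 lines of the suite's output are posted verbatim into an
        # issue, which is public on a public repository. The suite must not
        # print secret values it detects (finding locations only).
        run: |
          set -euo pipefail
          short="${GITHUB_SHA:0:7}"
          body_file="$(mktemp)"
          {
            echo "The root \`mise run security\` suite failed in GitHub Actions. Use the log tail below and reproduce locally with the same command."
            echo ""
            echo "| Field | Value |"
            echo "| --- | --- |"
            echo "| Workflow run | [Security #${GITHUB_RUN_NUMBER}](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}) |"
            echo "| Ref | \`${GITHUB_REF}\` |"
            echo "| SHA | [\`${GITHUB_SHA}\`](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}) |"
            echo "| Actor | @${GITHUB_ACTOR} |"
            echo "| Event | \`${GITHUB_EVENT_NAME}\` |"
            echo ""
            echo "### Log tail (last 200 lines)"
            echo ""
            echo '```text'
            # `|| true`: a missing log file must not abort issue creation.
            tail -n 200 security-log.txt || true
            echo '```'
            echo ""
            echo "Close this issue after \`mise run security\` succeeds on \`${GITHUB_REF_NAME}\` (or the branch you merge to)."
          } > "${body_file}"
          gh issue create \
            --title "Security suite failed (${GITHUB_REF_NAME} @ ${short})" \
            --body-file "${body_file}"

      - name: Fail job if security suite failed
        if: steps.scan.outcome == 'failure'
        run: exit 1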