Dependency Audits #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Dependency Audits | |
| on: | |
| workflow_call: | |
| schedule: | |
| # Fire every Monday at 04:00 UTC | |
| - cron: "0 4 * * 1" | |
| workflow_dispatch: | |
| # Trigger on pushes to any branch except main, because main pushes already trigger | |
| # the Publish Images workflow, which we monitor via the workflow_call event above. | |
| push: | |
| branches-ignore: | |
| - main | |
| pull_request: | |
| # Don't grant any access by default | |
| permissions: {} | |
| jobs: | |
| audit: | |
| name: Dependency Audits | |
| runs-on: ubuntu-latest | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}-${{ github.event_name }}-audit-${{ matrix.package-ecosystems.target }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| issues: write | |
| strategy: | |
| fail-fast: false | |
| # Run on the standard image only, assuming that it contains all the packages of the slim version | |
| matrix: | |
| package-ecosystems: | |
| - name: composer | |
| target: composer-audit | |
| - name: npm | |
| target: npm-audit | |
| - name: pip | |
| target: pip-audit | |
| - name: trivy | |
| target: trivy | |
| timeout-minutes: 120 | |
| env: | |
| CONTAINER_IMAGE_TARGET: standard | |
| STAGES_BUILD_CACHE_CONTAINER_IMAGE_ID: "ghcr.io/super-linter/super-linter:latest" | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 | |
| - name: Run Audits (${{ matrix.package-ecosystems.name }}) | |
| run: make ${{ matrix.package-ecosystems.target }} |