chore: add github workflow security audit + fix release script

Author: nDriaDev

.github/workflows/autofix-publish.yml

@@ -0,0 +1,205 @@
+name: Dependency Audit & Publish
+
+on:
+  # schedule:
+  #   - cron: '0 23 * * *'  # every day at 23:00 UTC (01:00 IT)
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    env:
+      CI: true
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: latest
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Configure git
+        run: |
+          git config user.name  "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Audit (1st pass)
+        id: audit1
+        run: |
+          if pnpm audit 2>&1 | tee audit1.log | grep -q "found [^0]"; then
+            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "vulnerable=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: No vulnerabilities found — done
+        if: steps.audit1.outputs.vulnerable == 'false'
+        run: echo "✅ No vulnerabilities. Nothing to do."
+
+      - name: Update dependencies
+        if: steps.audit1.outputs.vulnerable == 'true'
+        run: pnpm update
+
+      - name: Audit (2nd pass — after update)
+        if: steps.audit1.outputs.vulnerable == 'true'
+        id: audit2
+        run: |
+          if pnpm audit 2>&1 | tee audit2.log | grep -q "found [^0]"; then
+            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "vulnerable=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Commit + release after update
+        if: >
+          steps.audit1.outputs.vulnerable == 'true' &&
+          steps.audit2.outputs.vulnerable == 'false'
+        run: |
+          git clean -fd
+          git add pnpm-lock.yaml package.json
+          [ -f pnpm-workspace.yaml ] && git add pnpm-workspace.yaml
+          git diff --staged --quiet || git commit -m "chore: update dependencies"
+          git push
+          bash scripts/release.sh patch
+
+      - name: Audit fix
+        if: >
+          steps.audit1.outputs.vulnerable == 'true' &&
+          steps.audit2.outputs.vulnerable == 'true'
+        run: |
+          pnpm audit --fix
+          pnpm install
+
+      - name: Audit (3rd pass — after audit fix)
+        if: >
+          steps.audit1.outputs.vulnerable == 'true' &&
+          steps.audit2.outputs.vulnerable == 'true'
+        id: audit3
+        run: |
+          if pnpm audit 2>&1 | tee audit3.log | grep -q "found [^0]"; then
+            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "vulnerable=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Commit + release after audit fix
+        if: >
+          steps.audit1.outputs.vulnerable == 'true' &&
+          steps.audit2.outputs.vulnerable == 'true' &&
+          steps.audit3.outputs.vulnerable == 'false'
+        run: |
+          git clean -fd
+          git add pnpm-lock.yaml package.json
+          [ -f pnpm-workspace.yaml ] && git add pnpm-workspace.yaml
+          git diff --staged --quiet || git commit -m "chore: update dependencies"
+          git push
+          bash scripts/release.sh patch
+
+      - name: Clean reinstall
+        if: >
+          steps.audit1.outputs.vulnerable == 'true' &&
+          steps.audit2.outputs.vulnerable == 'true' &&
+          steps.audit3.outputs.vulnerable == 'true'
+        run: |
+          rm -rf node_modules
+          [ -f pnpm-lock.yaml ] && rm pnpm-lock.yaml
+          [ -f pnpm-workspace.yaml ] && rm pnpm-workspace.yaml
+          pnpm install
+
+      - name: Audit (4th pass — after clean reinstall)
+        if: >
+          steps.audit1.outputs.vulnerable == 'true' &&
+          steps.audit2.outputs.vulnerable == 'true' &&
+          steps.audit3.outputs.vulnerable == 'true'
+        id: audit4
+        run: |
+          if pnpm audit 2>&1 | tee audit4.log | grep -q "found [^0]"; then
+            echo "vulnerable=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "vulnerable=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Commit + release after clean reinstall
+        if: >
+          steps.audit1.outputs.vulnerable == 'true' &&
+          steps.audit2.outputs.vulnerable == 'true' &&
+          steps.audit3.outputs.vulnerable == 'true' &&
+          steps.audit4.outputs.vulnerable == 'false'
+        run: |
+          git clean -fd
+          git add pnpm-lock.yaml package.json
+          [ -f pnpm-workspace.yaml ] && git add pnpm-workspace.yaml
+          git diff --staged --quiet || git commit -m "chore: update dependencies"
+          git push
+          bash scripts/release.sh patch
+
+      # -- Vulnerabilites not resolved: email notification ----------
+      # - name: Upload audit logs as artifact
+      #   if: >
+      #     steps.audit1.outputs.vulnerable == 'true' &&
+      #     steps.audit2.outputs.vulnerable == 'true' &&
+      #     steps.audit3.outputs.vulnerable == 'true' &&
+      #     steps.audit4.outputs.vulnerable == 'true'
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: audit-logs
+      #     path: audit*.log
+      #     retention-days: 7
+
+      # - name: Send failure email
+      #   if: >
+      #     steps.audit1.outputs.vulnerable == 'true' &&
+      #     steps.audit2.outputs.vulnerable == 'true' &&
+      #     steps.audit3.outputs.vulnerable == 'true' &&
+      #     steps.audit4.outputs.vulnerable == 'true'
+      #   uses: dawidd6/action-send-mail@v3
+      #   with:
+      #     server_address: ${{ secrets.MAIL_SERVER }}
+      #     server_port: ${{ secrets.MAIL_PORT }}
+      #     username: ${{ secrets.MAIL_USERNAME }}
+      #     password: ${{ secrets.MAIL_PASSWORD }}
+      #     subject: "⚠️ vite-plugin-monitor: vulnerabilità non risolvibili automaticamente"
+      #     to: ${{ secrets.MAIL_TO }}
+      #     from: ${{ secrets.MAIL_USERNAME }}
+      #     body: |
+      #       Il workflow di audit giornaliero ha trovato vulnerabilità che non è riuscito
+      #       a risolvere automaticamente dopo tutti i tentativi (update, audit --fix, clean reinstall).
+
+      #       Repo:    ${{ github.repository }}
+      #       Branch:  ${{ github.ref_name }}
+      #       Run:     ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+      #       I log completi sono disponibili come artefatto nella run linkata sopra.
+
+      #       Intervento manuale richiesto.
+      #     attachments: audit4.log
+
+      - name: Fail job if vulnerabilities are unresolved
+        if: >
+          steps.audit1.outputs.vulnerable == 'true' &&
+          steps.audit2.outputs.vulnerable == 'true' &&
+          steps.audit3.outputs.vulnerable == 'true' &&
+          steps.audit4.outputs.vulnerable == 'true'
+        run: |
+          echo "❌ Vulnerabilities could not be resolved automatically."
+          cat audit4.log
+          exit 1

scripts/release.sh

@@ -40,10 +40,14 @@ fi
 CURRENT_BRANCH=$(git branch --show-current)
 if [ "$CURRENT_BRANCH" != "main" ] && [ "$CURRENT_BRANCH" != "master" ]; then
     echo -e "${YELLOW}⚠️  Warning: Not on main/master branch (current: $CURRENT_BRANCH)${NC}"
-    read -p "Continue anyway? (y/N) " -n 1 -r
-    echo
-    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
-        exit 1
+    if [ "$CI" = "true" ]; then
+        echo -e "${YELLOW}CI mode: continuing without confirmation${NC}"
+    else
+        read -p "Continue anyway? (y/N) " -n 1 -r
+        echo
+        if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+            exit 1
+        fi
     fi
 fi
 
@@ -121,18 +125,13 @@ echo -e "${GREEN}✅ Git tag created and pushed${NC}"
 
 # Publish to npm
 echo -e "\n${BLUE}📦 Publishing to npm...${NC}"
-echo -e "${YELLOW}⚠️  This will publish version $NEW_VERSION to npm${NC}"
-read -p "Continue with npm publish? (y/N) " -n 1 -r
-echo
 
-if [[ $REPLY =~ ^[Yy]$ ]]; then
+if [ "$CI" = "true" ]; then
+    echo -e "${YELLOW}CI mode: publishing v$NEW_VERSION via trusted publishing (no prompt)${NC}"
     pnpm publish --access public --no-git-checks || {
         echo -e "${RED}❌ npm publish failed${NC}"
-        echo -e "${YELLOW}Don't worry, the version bump and git tag are already pushed.${NC}"
-        echo -e "${YELLOW}You can manually publish later with: pnpm publish --access public${NC}"
         exit 1
     }
-
     echo -e "\n${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
     echo -e "${GREEN}🎉 Release v$NEW_VERSION completed successfully!${NC}"
     echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
@@ -143,9 +142,31 @@ if [[ $REPLY =~ ^[Yy]$ ]]; then
     echo -e "${BLUE}📦 npm: ${YELLOW}https://www.npmjs.com/package/@ndriadev/react-tools${NC}"
     echo -e "${BLUE}🏷️  Tag: ${YELLOW}https://github.com/nDriaDev/react-tools/releases/tag/v$NEW_VERSION${NC}"
 else
-    echo -e "\n${YELLOW}⚠️  Skipped npm publish${NC}"
-    echo -e "${BLUE}Version bump and git tag have been pushed to remote.${NC}"
-    echo -e "${BLUE}To publish manually later, run: ${YELLOW}pnpm publish --access public${NC}"
+    echo -e "${YELLOW}⚠️  This will publish version $NEW_VERSION to npm${NC}"
+    read -p "Continue with npm publish? (y/N) " -n 1 -r
+    echo
+
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        pnpm publish --access public --no-git-checks || {
+            echo -e "${RED}❌ npm publish failed${NC}"
+            echo -e "${YELLOW}Don't worry, the version bump and git tag are already pushed.${NC}"
+            echo -e "${YELLOW}You can manually publish later with: pnpm publish --access public${NC}"
+            exit 1
+        }
+        echo -e "\n${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+        echo -e "${GREEN}🎉 Release v$NEW_VERSION completed successfully!${NC}"
+        echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+        echo -e "${GREEN}✅ Package published to npm${NC}"
+        echo -e "${GREEN}✅ Git tag pushed to remote${NC}"
+        echo -e "${GREEN}✅ Changelog updated${NC}"
+        echo -e ""
+        echo -e "${BLUE}📦 npm: ${YELLOW}https://www.npmjs.com/package/@ndriadev/react-tools${NC}"
+        echo -e "${BLUE}🏷️  Tag: ${YELLOW}https://github.com/nDriaDev/react-tools/releases/tag/v$NEW_VERSION${NC}"
+    else
+        echo -e "\n${YELLOW}⚠️  Skipped npm publish${NC}"
+        echo -e "${BLUE}Version bump and git tag have been pushed to remote.${NC}"
+        echo -e "${BLUE}To publish manually later, run: ${YELLOW}pnpm publish --access public${NC}"
+    fi
 fi
 
 echo ""