feat: implement managed Patchloom binary install, update, and reinstall #103

Workflow file for this run

.github/workflows/security.yml at d272511

	name: security

	on:
	push:
	branches: [main]
	pull_request:
	schedule:
	- cron: "0 6 * * 1"
	workflow_dispatch:

	permissions:
	contents: read

	concurrency:
	group: security-${{ github.ref }}
	cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

	jobs:
	npm-audit:
	name: npm audit
	runs-on: ubuntu-latest
	timeout-minutes: 5
	steps:
	- name: Checkout
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
	with:
	persist-credentials: false

	- name: Setup Node.js
	uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
	with:
	node-version-file: .nvmrc
	cache: npm

	- name: Install dependencies
	run: npm ci

	- name: Audit production dependencies
	run: npm audit --audit-level=high --omit=dev

	trivy:
	name: Trivy vulnerability scan
	runs-on: ubuntu-latest
	timeout-minutes: 10
	steps:
	- name: Checkout
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
	with:
	persist-credentials: false

	- name: Setup Node.js
	uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
	with:
	node-version-file: .nvmrc
	cache: npm

	- name: Install dependencies
	run: npm ci

	- name: Install Trivy
	run: \|
	sudo apt-get install -y wget apt-transport-https gnupg
	wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \| gpg --dearmor \| sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
	echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" \| sudo tee /etc/apt/sources.list.d/trivy.list
	sudo apt-get update && sudo apt-get install -y trivy

	- name: Run Trivy filesystem scan
	run: trivy fs --scanners vuln,misconfig --severity HIGH,CRITICAL --exit-code 1 .

	gitleaks:
	name: Gitleaks secret detection
	runs-on: ubuntu-latest
	timeout-minutes: 5
	steps:
	- name: Checkout
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
	with:
	persist-credentials: false
	fetch-depth: 0

	- name: Install Gitleaks
	run: \|
	GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest \| grep tag_name \| cut -d '"' -f 4 \| sed 's/v//')
	curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \| sudo tar -xz -C /usr/local/bin gitleaks

	- name: Run Gitleaks
	run: gitleaks detect --source . --verbose

	codeql:
	name: CodeQL analysis
	runs-on: ubuntu-latest
	timeout-minutes: 15
	permissions:
	security-events: write
	steps:
	- name: Checkout
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
	with:
	persist-credentials: false

	- name: Initialize CodeQL
	uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
	with:
	languages: javascript-typescript,actions

	- name: Autobuild
	uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2

	- name: Perform CodeQL analysis
	uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2

	dependency-review:
	name: Dependency review
	if: github.event_name == 'pull_request'
	runs-on: ubuntu-latest
	timeout-minutes: 5
	steps:
	- name: Checkout
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
	with:
	persist-credentials: false

	- name: Dependency review
	uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v4
	with:
	fail-on-severity: high

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: implement managed Patchloom binary install, update, and reinstall #103

Workflow file

feat: implement managed Patchloom binary install, update, and reinstall #103

Uh oh!

Workflow file for this run