next-pms/.github/workflows/vulnerable_dependency_check.yml at main · rtCamp/next-pms · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
name: Vulnerable Dependency Check

on:
  pull_request:
  workflow_dispatch:

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  deps-vulnerable-check:
    name: Vulnerable Dependency Check
    runs-on: ubuntu-latest
    container:
      image: python:latest
    defaults:
      run:
        shell: bash
    steps:
      - uses: actions/checkout@v6

      # Check for file changes based on path
      - name: Check if frontend changed
        id: changed-frontend
        run: |
          if git --no-pager diff --name-only HEAD^ HEAD | grep '^frontend/'; then
            echo "frontend_changed=true" >> $GITHUB_OUTPUT
          else
            echo "frontend_changed=false" >> $GITHUB_OUTPUT
          fi

      # Python dependencies vulnerability check
      - name: Install and run pip-audit
        if: steps.changed-frontend.outputs.frontend_changed == 'false'
        run: |
          pip install pip-audit
          cd ${GITHUB_WORKSPACE}
          pip-audit --desc on .

      # npm dependencies vulnerability check
      - name: Install Node
        if: steps.changed-frontend.outputs.frontend_changed == 'true'
        uses: actions/setup-node@v6
        with:
          node-version: lts/*
      - name: Run npm audit
        if: steps.changed-frontend.outputs.frontend_changed == 'true'
        run: |
          cd ${GITHUB_WORKSPACE}/frontend
          npm install
          npm audit