diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..7b00737
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,38 @@
+name: CodeQL
+
+on:
+ schedule:
+ - cron: '0 6 * * *'
+ workflow_dispatch:
+
+permissions:
+ actions: read
+ checks: write
+ contents: read
+ security-events: write
+
+jobs:
+ analyze:
+ name: CodeQL Analyze
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ language:
+ - typescript
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ config-file: .github/codeql/codeql-config.yml
+ languages: ${{ matrix.language }}
+ source-root: src
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v4
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/dependency-audit.yml b/.github/workflows/dependency-audit.yml
new file mode 100644
index 0000000..6df5511
--- /dev/null
+++ b/.github/workflows/dependency-audit.yml
@@ -0,0 +1,29 @@
+name: Dependency Audit
+
+on:
+ schedule:
+ - cron: '0 3 * * *'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ audit:
+ name: npm audit (production, high+)
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version-file: .node-version
+ cache: npm
+
+ - name: Install Dependencies
+ run: npm ci
+
+ - name: npm audit (production, high+)
+ run: npm audit --omit=dev --audit-level=high
diff --git a/.github/workflows/licensed.yml b/.github/workflows/licensed.yml
new file mode 100644
index 0000000..aaeb504
--- /dev/null
+++ b/.github/workflows/licensed.yml
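Review bot: With `on:` limited to `schedule` and `workflow_dispatch`, CodeQL no longer runs on the push events that drove the `analyze` job while it lived in npm-ci.yml (which had no `if:` guard, so it ran on every trigger), meaning code-scanning results for a change appear only up to a day after it lands; adding `pull_request:` and `push: branches: [main]` next to the cron keeps the pre-merge scan (npm-ci.yml's trigger block is only partly visible, so which events it covers beyond `push` to `main` is inferred). The references `actions/checkout@v5`, `github/codeql-action/init@v4`, `github/codeql-action/autobuild@v4` and `github/codeql-action/analyze@v4` are mutable major-version tags; pinning each to a full commit SHA with the tag in a trailing comment (`uses: actions/checkout@<commit-sha>  # v5`) makes the workflow's own supply chain reproducible, and the same applies to the dependency-audit.yml and licensed.yml hunks below.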
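Review bot: The audit now runs only from the daily cron or a manual dispatch, so a change that introduces a high-severity production dependency is merged before `npm audit --omit=dev --audit-level=high` ever sees it, whereas the same job inside npm-ci.yml ran on every event; adding `pull_request:` with `paths: ['package.json', 'package-lock.json']` to `on:` restores the pre-merge gate at little cost. The `npm ci` step executes the install scripts of every dependency, dev ones included, in a job whose only purpose is to audit them; if `npm audit` can work from the lockfile here, `run: npm ci --ignore-scripts` (or dropping the install) removes that exposure — worth confirming against the npm version the `.node-version` file selects.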
@@ -0,0 +1,56 @@
+name: Licensed
+
+on:
+ schedule:
+ - cron: '0 15 * * 0,3'
+ workflow_dispatch:
+
+permissions:
+ contents: write
+
+jobs:
+ licensed:
+ name: Check Licenses
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version-file: .node-version
+ cache: npm
+
+ - name: Install Dependencies
+ run: npm ci
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: ruby
+
+ - uses: licensee/setup-licensed@v1.3.2
+ with:
+ version: 4.x
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - if: ${{ github.event_name == 'workflow_dispatch' }}
+ name: Update Licenses
+ run: licensed cache
+
+ - if: ${{ github.event_name == 'workflow_dispatch' }}
+ name: Commit Licenses
+ run: |
+ git config --local user.email "licensed-ci@users.noreply.github.com"
+ git config --local user.name "licensed-ci"
+ git add .
+ if git diff --staged --quiet; then
+ echo "No changes to commit"
+ else
+ git commit -m "Auto-update license files"
+ git push
+ fi
+
+ - name: Check Licenses
+ run: licensed status
diff --git a/.github/workflows/npm-ci.yml b/.github/workflows/npm-ci.yml
index 90ce647..af55e61 100644
--- a/.github/workflows/npm-ci.yml
+++ b/.github/workflows/npm-ci.yml
@@ -7,8 +7,6 @@ on: push: branches: - main - schedule: - - cron: '31 7 * * 3' workflow_dispatch: permissions:
@@ -17,7 +15,6 @@ permissions: jobs: lint: name: Format & Lint - if: github.event_name != 'schedule' runs-on: ubuntu-latest steps: - name: Checkout
@@ -40,7 +37,6 @@ jobs: test: name: Tests - if: github.event_name != 'schedule' runs-on: ubuntu-latest steps: - name: Checkout
@@ -60,7 +56,6 @@ jobs: bundle: name: Bundle & Check dist - if: github.event_name != 'schedule' runs-on: ubuntu-latest needs: lint steps:
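Review bot: The "Commit Licenses" step runs `git add .` after `npm ci`, `ruby/setup-ruby` and `licensed cache` have all written into the checkout, so anything those steps leave untracked is committed and pushed along with the license cache under `contents: write`; staging only the cache directory (`git add <licensed-cache-dir>`, whichever path the project's licensed config names) keeps the automated commit limited to its stated purpose. The commit is also pushed before `licensed status` runs, so a cache containing an unapproved license is published to the branch and only then fails the job; moving "Check Licenses" ahead of "Commit Licenses", or gating the push on its success, means a failing status never lands as an auto-commit. On a `workflow_dispatch` run `git push` targets whatever ref was selected at dispatch time, which is fine but deserves a one-line comment above the step, `# Pushes to the ref the run was dispatched from; the scheduled run never writes.`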
@@ -99,101 +94,3 @@ jobs: with: name: dist path: dist/ - - dependency-audit: - name: Dependency Audit - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v5 - - - name: Setup Node.js - uses: actions/setup-node@v6 - with: - node-version-file: .node-version - cache: npm - - - name: Install Dependencies - run: npm ci - - - name: npm audit (production, high+) - run: npm audit --omit=dev --audit-level=high - - analyze: - name: CodeQL Analyze - runs-on: ubuntu-latest - permissions: - actions: read - checks: write - contents: read - security-events: write - strategy: - fail-fast: false - matrix: - language: - - typescript - steps: - - name: Checkout - uses: actions/checkout@v5 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - config-file: .github/codeql/codeql-config.yml - languages: ${{ matrix.language }} - source-root: src - - - name: Autobuild - uses: github/codeql-action/autobuild@v4 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - - licensed: - name: Check Licenses - if: github.event_name != 'schedule' - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Checkout - uses: actions/checkout@v5 - - - name: Setup Node.js - uses: actions/setup-node@v6 - with: - node-version-file: .node-version - cache: npm - - - name: Install Dependencies - run: npm ci - - - name: Setup Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: ruby - - - uses: licensee/setup-licensed@v1.3.2 - with: - version: 4.x - github_token: ${{ secrets.GITHUB_TOKEN }} - - - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Update Licenses - run: licensed cache - - - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Commit Licenses - run: | - git config --local user.email "licensed-ci@users.noreply.github.com" - git config --local user.name "licensed-ci" - git add . 
- if git diff --staged --quiet; then - echo "No changes to commit" - else - git commit -m "Auto-update license files" - git push - fi - - - name: Check Licenses - run: licensed status