refactor: clean up code formatting and remove commented-out sections … #7
name: Security Audit | |
on: | |
schedule: | |
# Run security audit every Monday at 9 AM UTC | |
- cron: '0 9 * * 1' | |
push: | |
branches: [ master, main ] | |
pull_request: | |
branches: [ master, main ] | |
workflow_dispatch: # Allow manual triggering | |
jobs: | |
security-audit: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Setup Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: '20.x' | |
cache: 'yarn' | |
- name: Install dependencies | |
run: yarn install --frozen-lockfile | |
- name: Run Yarn Audit | |
id: yarn-audit | |
run: | | |
echo "Running yarn audit..." | |
if yarn audit --level moderate --json > audit-results.json 2>&1; then | |
echo "audit-status=success" >> $GITHUB_OUTPUT | |
echo "No vulnerabilities found above moderate level" | |
else | |
echo "audit-status=failed" >> $GITHUB_OUTPUT | |
echo "Vulnerabilities found:" | |
cat audit-results.json | |
fi | |
continue-on-error: true | |
- name: Parse audit results | |
if: steps.yarn-audit.outputs.audit-status == 'failed' | |
run: | | |
echo "## Security Audit Results" >> $GITHUB_STEP_SUMMARY | |
echo "⚠️ **Vulnerabilities detected in dependencies**" >> $GITHUB_STEP_SUMMARY | |
echo "" >> $GITHUB_STEP_SUMMARY | |
echo "Please run the following commands to address vulnerabilities:" >> $GITHUB_STEP_SUMMARY | |
echo '```bash' >> $GITHUB_STEP_SUMMARY | |
echo "yarn audit --level moderate" >> $GITHUB_STEP_SUMMARY | |
echo "yarn audit fix" >> $GITHUB_STEP_SUMMARY | |
echo '```' >> $GITHUB_STEP_SUMMARY | |
- name: Upload audit results | |
if: steps.yarn-audit.outputs.audit-status == 'failed' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: security-audit-results | |
path: audit-results.json | |
retention-days: 30 | |
- name: Comment on PR | |
if: github.event_name == 'pull_request' && steps.yarn-audit.outputs.audit-status == 'failed' | |
uses: actions/github-script@v7 | |
with: | |
script: | | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: '⚠️ **Security vulnerabilities detected**\n\nPlease run `yarn audit` and `yarn audit fix` to address security issues before merging.' | |
}) | |
dependency-review: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'pull_request' | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Dependency Review | |
uses: actions/dependency-review-action@v4 | |
with: | |
fail-on-severity: moderate | |
allow-dependencies-licenses: MIT, ISC, Apache-2.0, BSD-2-Clause, BSD-3-Clause |
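Review bot: The remediation advice written to the step summary and the PR comment (`yarn audit fix` on the `echo` line and in the `body:` string of the github-script step) names a command that Yarn Classic does not have — the `--frozen-lockfile` flag in the install step makes this Yarn 1, where `audit fix` is an npm-only subcommand — so a developer following it gets an error instead of a fix; replace it with `yarn upgrade <package>` (or `yarn upgrade-interactive`) and a note to re-run `yarn audit --level moderate`. In Yarn 1 the exit status of `yarn audit` is a bitmask of every severity found and `--level` only filters what is printed, so the `if yarn audit ...` branch marks the run "failed" on info/low findings too, contradicting the "above moderate level" message; parse the JSON for severities at or above moderate if that threshold is the intent. The workflow sets no `permissions:` block, so the job runs with the repository's default token scope while the only write it needs is the PR comment; add `permissions:` with `contents: read` and `pull-requests: write` under `security-audit` and `contents: read` under `dependency-review`, and expect the comment step to fail on fork PRs where the token is read-only. Since the audit step exits 0 in both branches, `continue-on-error: true` is redundant and the `security-audit` job never fails on `push` or `schedule`, so vulnerable dependencies on `main` are reported but not gated — either accept that explicitly in a comment or `exit 1` after the artifact upload. Pinning the four actions to full commit SHAs instead of `@v4`/`@v7` tags would also close the mutable-tag supply-chain gap in a workflow whose purpose is dependency hygiene.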