Supply Chain Security #73
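# Supply-chain checks: dependency audit, license compliance, SBOM, PR dependency
# review and OSSF Scorecard. Every third-party action is pinned to a full commit
# SHA (the trailing comment records the tag the SHA was taken from).
name: Supply Chain Security

# yamllint disable-line rule:truthy -- `on` is the GitHub Actions trigger key
on:
  push:
    branches: [main, develop, workflow/*, feat/*]
  pull_request:
    branches: [main, develop, workflow/*]
  schedule:
    - cron: "0 4 * * 1"  # Weekly on Monday at 4 AM UTC
  workflow_dispatch:

# Workflow-level default is read-only; every job below declares its own
# permissions block, which replaces (not extends) this default, so each job
# only gets the scopes it actually uses.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

env:
  # Quoted so the version is a string, not an integer, when passed to setup-node.
  NODE_VERSION: "20"

jobs:
  dependency-audit:
    name: Dependency Audit
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # This job only uploads artifacts; it does not write SARIF, so it needs no
    # security-events scope.
    permissions:
      contents: read
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          # `audit` only logs outbound traffic; switch to `block` with an
          # `allowed-endpoints` list once the baseline is known.
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Setup Node.js
        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: npm

      - name: Install dependencies
        run: npm ci --prefer-offline

      # Fails the job on high/critical advisories in the production tree.
      # `--omit=dev` is the current spelling; `--production` is deprecated in
      # npm 8+ (Node 20 ships npm 10).
      - name: Run npm audit
        run: |
          set -e
          echo "Running security audit..."
          npm audit --audit-level=high --omit=dev
          echo "Security audit passed"

      # `if: always()` so the JSON reports are still produced and uploaded when
      # the gate above fails -- that is exactly when the report is most useful.
      - name: Generate audit report
        if: always()
        run: |
          npm audit --json > security-audit-report.json || true
          npm audit --audit-level=moderate --json > detailed-audit-report.json || true

      - name: Upload audit reports
        if: always()
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: security-audit-reports
          path: |
            security-audit-report.json
            detailed-audit-report.json
          retention-days: 30

  license-check:
    name: License Compliance
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Setup Node.js
        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: npm

      - name: Install dependencies
        run: npm ci --prefer-offline

      # NOTE(review): assumes license-checker is a pinned devDependency so npx
      # resolves the local copy; otherwise npx fetches an unpinned version from
      # the registry at run time -- confirm against package.json.
      - name: Check licenses
        run: |
          npx license-checker --onlyAllow 'MIT;MIT*;MIT-0;Apache-2.0;Apache 2.0;BSD;BSD*;BSD-2-Clause;BSD-3-Clause;0BSD;ISC;GPL-2.0;GPL-3.0;LGPL-2.1;LGPL-3.0;Python-2.0;CC-BY-3.0;CC-BY-4.0;CC0-1.0;BlueOak-1.0.0;Artistic-2.0;WTFPL;AFL-2.1'

      - name: Generate license report
        if: always()
        run: |
          npx license-checker --json > license-report.json

      - name: Upload license report
        if: always()
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: license-report
          path: license-report.json
          retention-days: 30

  sbom-generation:
    name: Generate SBOM
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # upload-artifact needs no GITHUB_TOKEN scope; `actions: write` was unused.
    permissions:
      contents: read
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Setup Node.js
        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: npm

      - name: Install dependencies
        run: npm ci --prefer-offline

      # The `sbom` script is defined in package.json (not visible here); it is
      # expected to write sbom.spdx.json and sbom.spdx.xml to the repo root.
      - name: Generate SPDX SBOM
        run: npm run sbom

      - name: Upload SBOM
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: sbom-spdx
          path: |
            sbom.spdx.json
            sbom.spdx.xml
          # A missing SBOM must fail the job rather than upload an empty artifact.
          if-no-files-found: error
          retention-days: 90

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    timeout-minutes: 10
    if: github.event_name == 'pull_request'
    # pull-requests: write is required only for the PR summary comment enabled
    # via comment-summary-in-pr below.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Dependency Review
        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
        with:
          fail-on-severity: high
          fail-on-scopes: runtime
          comment-summary-in-pr: on-failure

  scorecard:
    name: OSSF Scorecard
    runs-on: ubuntu-latest
    timeout-minutes: 15
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    # security-events: write -> upload-sarif; id-token: write -> publish_results;
    # actions: read -> Scorecard inspects workflow runs.
    permissions:
      security-events: write
      id-token: write
      contents: read
      actions: read
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit

      # Scorecard requires the checkout token not to be persisted on disk.
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          persist-credentials: false

      - name: Run OSSF Scorecard
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: scorecard-results.sarif
          results_format: sarif
          # Publishes to the OSSF API; presumably the repository is public -- verify.
          publish_results: true

      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
        with:
          sarif_file: scorecard-results.sarif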