Merge branch 'main' of https://github.com/nashtech-garage/nt-sketchbook #77
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'CodeQL Advanced' | |
| on: | |
| push: | |
| branches: ['main'] | |
| pull_request: | |
| branches: ['main'] | |
| schedule: | |
| - cron: '18 11 * * 3' | |
| jobs: | |
| analyze: | |
| name: Analyze (${{ matrix.language }}) | |
| runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | |
| permissions: | |
| security-events: write | |
| packages: read | |
| actions: read | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: javascript-typescript | |
| build-mode: none | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| - if: matrix.build-mode == 'manual' | |
| shell: bash | |
| run: | | |
| echo 'If you are using a "manual" build mode for one or more of the' \ | |
| 'languages you are analyzing, replace this with the commands to build' \ | |
| 'your code, for example:' | |
| echo ' make bootstrap' | |
| echo ' make release' | |
| exit 1 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: '/language:${{matrix.language}}' | |
| - name: Audit Dependencies (npm/yarn) | |
| if: matrix.language == 'javascript-typescript' | |
| run: | | |
| echo "Auditing dependencies for vulnerabilities..." | |
| if [ -f "package-lock.json" ]; then | |
| echo "Detected npm project. Running npm audit..." | |
| npm install --audit --prefer-offline | |
| npm audit --json > npm-audit-report.json || true | |
| cat npm-audit-report.json | |
| elif [ -f "pnpm-lock.yaml" ]; then | |
| echo "Detected pnpm project. Running pnpm audit..." | |
| npm install -g pnpm | |
| pnpm install --frozen-lockfile | |
| pnpm audit --json > pnpm-audit-report.json || true | |
| cat pnpm-audit-report.json | |
| elif [ -f "yarn.lock" ]; then | |
| echo "Detected Yarn project. Running yarn audit..." | |
| yarn install --prefer-offline | |
| yarn audit --json > yarn-audit-report.json || true | |
| cat yarn-audit-report.json | |
| else | |
| echo "No recognized lockfile found. Skipping dependency audit." | |
| exit 1 | |
| fi | |
| echo "Dependency audit completed." |