From e1aa55f34fcb217e9cfb6a3ab706d9a90f41d3d0 Mon Sep 17 00:00:00 2001
From: khoinashtech
Date: Thu, 2 Jan 2025 15:36:13 +0700
Subject: [PATCH] fix(securirty): fix security
---
 .github/workflows/check-vulnerabilities.yml | 42 +++++++++++++++++++++
 .github/workflows/codeql.yml | 1 -
 .github/workflows/publish-nt-css.yml | 3 +-
 .github/workflows/snyk.yml | 36 +++++++++---------
 apps/nt-stylesheet/package.json | 4 +-
 apps/nt-stylesheet/pnpm-lock.yaml | 6 +--
 6 files changed, 66 insertions(+), 26 deletions(-)
 create mode 100644 .github/workflows/check-vulnerabilities.yml
diff --git a/.github/workflows/check-vulnerabilities.yml b/.github/workflows/check-vulnerabilities.yml
new file mode 100644
index 0000000..dfebe2e
--- /dev/null
+++ b/.github/workflows/check-vulnerabilities.yml
@@ -0,0 +1,42 @@
+name: 'Package Audit and Comment on Vulnerabilities'
+
+on:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - '**/package.json'
+ - '**/pnpm-lock.yaml'
+
+jobs:
+ audit:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install dependencies
+ run: pnpm install
+
+ - name: Run pnpm audit
+ id: audit
+ run: |
+ result=$(pnpm audit --json)
+ echo "Audit result: $result"
+ echo "$result" > audit-result.json
+ if echo "$result" | grep -q '"advisory"'; then
+ echo "Vulnerabilities found!"
+ exit 1
+ else
+ echo "No vulnerabilities found."
+ fi
+
+ - name: Post comment on PR if vulnerabilities found
+ if: failure()
+ uses: peter-evans/create-or-update-comment@v2
+ with:
+ issue-number: ${{ github.event.pull_request.number }}
+ body: |
+ 🚨 **Vulnerabilities Found** 🚨
+ There are vulnerabilities detected during the `pnpm audit`. Please check the audit results.
+ You can run `pnpm audit` locally to view more details.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b3cff1a..20ada8c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
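Review bot: In the `Run pnpm audit` step, `result=$(pnpm audit --json)` aborts the step as soon as pnpm audit returns non-zero, which it does when it reports advisories (as npm audit does), because GitHub runs `run:` scripts under `bash -e`; the `grep`/`exit 1` branch below it is therefore dead and `audit-result.json` is never written on exactly the run that matters. The `"advisory"` substring match is also fragile (the JSON report keys its findings under an `advisories` object, which that pattern may not match), so the step's outcome should come from the audit command's exit status instead. `pnpm install` runs without any pnpm setup, unlike the snyk workflow in this same commit, which runs `npm install -g pnpm` first. Finally, a `pull_request`-triggered job that posts a comment needs an explicit `permissions:` block (`contents: read`, `pull-requests: write`) and will still lack write access on pull requests from forks, so the comment step should be expected to fail there.
```yaml
      - name: Install pnpm
        run: npm install -g pnpm

      # … unchanged: Install dependencies step …

      - name: Run pnpm audit
        id: audit
        run: |
          # pnpm audit exits non-zero when it reports advisories; decide from that
          # instead of letting errexit end the step before the report is saved.
          if pnpm audit --json > audit-result.json; then
            echo "No vulnerabilities found."
          else
            echo "Vulnerabilities found! Report saved to audit-result.json"
            exit 1
          fi
```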
@@ -50,4 +50,3 @@ jobs:
 uses: github/codeql-action/analyze@v3
 with:
 category: '/language:${{matrix.language}}'
-
diff --git a/.github/workflows/publish-nt-css.yml b/.github/workflows/publish-nt-css.yml
index 17e6bcf..3e3296c 100644
--- a/.github/workflows/publish-nt-css.yml
+++ b/.github/workflows/publish-nt-css.yml
@@ -2,8 +2,7 @@ name: 'Publish NT CSS Framework'
 on:
 release:
- branches:
- - main
+ types: [created]
 jobs:
 build-and-publish:
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
index f7b1f5f..6e09516 100644
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -1,22 +1,22 @@
 name: Snyk Security Check
 on:
- push:
- pull_request:
+ push:
+ pull_request:
 jobs:
- security:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - name: Set up Node.js
- uses: actions/setup-node@v3
- with:
- node-version: '20'
- - name: Install pnpm
- run: npm install -g pnpm
- - name: Install dependencies with pnpm
- run: pnpm install --no-frozen-lockfile
- - name: Run Snyk to check for vulnerabilities
- uses: snyk/actions/node@master
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ security:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: '20'
+ - name: Install pnpm
+ run: npm install -g pnpm
+ - name: Install dependencies with pnpm
+ run: pnpm install --no-frozen-lockfile
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/node@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/apps/nt-stylesheet/package.json b/apps/nt-stylesheet/package.json
index 06b6da0..e1ce4f9 100644
--- a/apps/nt-stylesheet/package.json
+++ b/apps/nt-stylesheet/package.json
@@ -39,6 +39,7 @@
 "nx": "^20.2.2",
 "typescript": "^5.7.2",
 "vite": "^5.4.11",
+ "vite-plugin-dts": "^4.4.0",
 "vite-plugin-sass-dts": "^1.3.29",
 "vitest": "2.0.0"
 },
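Review bot: `types: [created]` in the `release:` trigger of publish-nt-css.yml will not fire for releases that GitHub first saves as drafts, which is what the web UI does by default, and, if I recall the events reference correctly, it does fire for pre-releases; for a publish workflow the usual choice is `types: [published]`. Whether the job guards against publishing from pre-release tags cannot be checked here, since `jobs:` and its steps continue outside the hunk.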
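Review bot: Moving `vite-plugin-dts` from `dependencies` to `devDependencies` (this hunk and the `@@ -48,8 +49,7 @@` hunk that follows) changes what consumers of the published package install, but it does not change the version that is resolved: the specifier stays `^4.4.0` and the pnpm-lock hunks resolve `4.4.0` on both the old and new side. If the commit is meant to fix an advisory in that plugin, a bumped specifier or an updated lockfile resolution is still needed; if the intent is only to drop a build-only plugin from the runtime dependency set, a sentence in the commit message saying so would avoid the confusion the `fix security` subject invites.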
@@ -48,8 +49,7 @@
 "postcss": "^8.4.49",
 "postcss-import": "^16.1.0",
 "postcss-nesting": "^13.0.1",
- "tailwindcss": "^3.4.16",
- "vite-plugin-dts": "^4.4.0"
+ "tailwindcss": "^3.4.16"
 },
 "publishConfig": {
 "access": "public"
diff --git a/apps/nt-stylesheet/pnpm-lock.yaml b/apps/nt-stylesheet/pnpm-lock.yaml
index 435ed26..10f808b 100644
--- a/apps/nt-stylesheet/pnpm-lock.yaml
+++ b/apps/nt-stylesheet/pnpm-lock.yaml
@@ -26,9 +26,6 @@ importers:
 tailwindcss:
 specifier: ^3.4.16
 version: 3.4.17(ts-node@10.9.1(@types/node@20.4.9)(typescript@5.7.2))
- vite-plugin-dts:
- specifier: ^4.4.0
- version: 4.4.0(@types/node@20.4.9)(rollup@4.29.1)(typescript@5.7.2)(vite@5.4.11(@types/node@20.4.9)(sass-embedded@1.83.0))
 devDependencies:
 '@types/node':
 specifier: 20.4.9
@@ -42,6 +39,9 @@ importers:
 vite:
 specifier: ^5.4.11
 version: 5.4.11(@types/node@20.4.9)(sass-embedded@1.83.0)
+ vite-plugin-dts:
+ specifier: ^4.4.0
+ version: 4.4.0(@types/node@20.4.9)(rollup@4.29.1)(typescript@5.7.2)(vite@5.4.11(@types/node@20.4.9)(sass-embedded@1.83.0))
 vite-plugin-sass-dts:
 specifier: ^1.3.29
 version: 1.3.30(postcss@8.4.49)(prettier@3.4.2)(sass-embedded@1.83.0)(vite@5.4.11(@types/node@20.4.9)(sass-embedded@1.83.0))