bandscope/.github/workflows/security-audit.yml at develop · ContextualWisdomLab/bandscope · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
name: security-audit

on:
  pull_request:
    branches:
      - develop
      - main
  push:
    branches:
      - develop
      - main

permissions:
  contents: read

env:
  GIT_CONFIG_COUNT: "1"
  GIT_CONFIG_KEY_0: init.defaultBranch
  GIT_CONFIG_VALUE_0: develop

jobs:
  audit:
    name: security-audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 22.22.3
          cache: npm
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          version: "0.8.6"
          enable-cache: false
      - name: Install node dependencies
        run: npm ci
      - name: Audit npm dependencies
        run: npm audit --workspaces --audit-level=high
      - name: Sync Python dependencies
        run: uv sync --project services/analysis-engine --group dev --frozen
      - name: Audit Python dependencies
        run: uv run --project services/analysis-engine --with pip-audit==2.8.0 pip-audit --local --strict
      - name: Install stable Rust toolchain
        run: rustup toolchain install stable --profile minimal
      - name: Install cargo-audit
        run: cargo +stable install cargo-audit --locked
      - name: Audit Rust dependencies
        working-directory: apps/desktop/src-tauri
        run: cargo +stable audit