
fix: v3 grading for front-only uploads, resilient detection #55




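# CI workflow: unit tests, Playwright smoke test, CodeQL, SBOM + vulnerability
# scan, dependency audit / lockfile lint, and git-history secret scanning.
name: CI

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main]

# Workflow-wide token is read-only. The one job that writes code-scanning
# results (codeql) widens its own permissions at job level instead of every
# job inheriting `security-events: write`.
permissions:
  contents: read

jobs:
  unit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v5
        with:
          node-version: "24"
      # `npm ci` installs exactly what package-lock.json records and fails on
      # drift, so the tree under test is the same lockfile the audit job lints.
      - run: npm ci
      - run: node test/unit-test.js

  smoke:
    # A smoke failure is reported but never fails the workflow as a whole.
    continue-on-error: true
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v5
        with:
          node-version: "24"
      - run: npm ci
      - name: Get Playwright version
        id: pw-version
        run: echo "version=$(npx playwright --version | awk '{print $2}')" >> "$GITHUB_OUTPUT"
      # Cache key includes the Playwright version so a dependency bump never
      # reuses browser binaries built for the previous release.
      - name: Cache Playwright browsers
        uses: actions/cache@v5
        id: pw-cache
        with:
          path: ~/.cache/ms-playwright
          key: playwright-${{ runner.os }}-${{ steps.pw-version.outputs.version }}
      - name: Install Playwright browsers
        if: steps.pw-cache.outputs.cache-hit != 'true'
        run: npx playwright install chromium --with-deps
      # On a cache hit the browser binaries are present but the fresh runner
      # still lacks the OS packages Chromium needs.
      - name: Install Playwright deps only
        if: steps.pw-cache.outputs.cache-hit == 'true'
        run: npx playwright install-deps chromium
      - run: node test/smoke-test.js

  codeql:
    runs-on: ubuntu-latest
    # analyze uploads SARIF to code scanning, which requires this write scope.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v6
      - uses: github/codeql-action/init@v4
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@v4

  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Generate SBOM (Syft)
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: sbom.spdx.json
      # Advisory only: `fail-build: false` means critical findings are recorded
      # in the SARIF artifact below but do not fail the job.
      - name: Vulnerability scan (Grype)
        uses: anchore/scan-action@v7
        id: grype
        with:
          sbom: sbom.spdx.json
          fail-build: false
          severity-cutoff: critical
          add-cpes-if-none: true
      - name: Upload SBOM
        uses: actions/upload-artifact@v7
        with:
          name: sbom-${{ github.sha }}
          path: sbom.spdx.json
          retention-days: 90
      # The Grype SARIF is kept as an artifact only; it is not pushed to the
      # code-scanning tab, so findings must be read from the artifact.
      - name: Upload Grype report
        if: always() && steps.grype.outputs.sarif != ''
        uses: actions/upload-artifact@v7
        with:
          name: grype-sarif-${{ github.sha }}
          path: ${{ steps.grype.outputs.sarif }}
          retention-days: 90

  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v5
        with:
          node-version: "24"
      - run: npm ci
      # `|| true` keeps this informational: high/critical advisories are logged
      # but never fail the job.
      - name: npm audit (high + critical)
        run: npm audit --audit-level=high || true
      # Rejects lockfile entries that resolve to a host other than the npm
      # registry or over plain HTTP.
      - name: Lockfile lint
        run: npx lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https

  secrets:
    runs-on: ubuntu-latest
    steps:
      # Full history is needed so gitleaks scans every commit, not just HEAD.
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}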