Skip to content

Scrub GitHub auth before runner jobs (#142) #99

Scrub GitHub auth before runner jobs (#142)

Scrub GitHub auth before runner jobs (#142) #99

Workflow file for this run

name: Security
on:
pull_request:
push:
branches:
- main
schedule:
- cron: "22 4 * * *"
workflow_dispatch:
permissions:
contents: read
actions: read
pull-requests: read
security-events: write
env:
OSV_SCANNER_VERSION: v2.3.8
jobs:
codeql:
name: codeql
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@v7
- uses: github/codeql-action/init@v4
with:
languages: javascript-typescript,python
- uses: github/codeql-action/analyze@v4
dependency_review:
name: dependency-review
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v7
- uses: actions/dependency-review-action@v5
continue-on-error: true
with:
fail-on-severity: high
osv:
name: osv
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v7
- name: Install OSV Scanner
run: |
set -euo pipefail
case "$(uname -m)" in
x86_64) osv_arch="amd64" ;;
aarch64|arm64) osv_arch="arm64" ;;
*)
echo "Unsupported OSV Scanner architecture: $(uname -m)" >&2
exit 1
;;
esac
osv_asset="osv-scanner_linux_${osv_arch}"
curl -fsSLO "https://github.com/google/osv-scanner/releases/download/${OSV_SCANNER_VERSION}/${osv_asset}"
curl -fsSLO "https://github.com/google/osv-scanner/releases/download/${OSV_SCANNER_VERSION}/osv-scanner_SHA256SUMS"
grep " ${osv_asset}$" osv-scanner_SHA256SUMS | sha256sum -c -
chmod +x "${osv_asset}"
mkdir -p "${RUNNER_TEMP}/osv-scanner"
mv "${osv_asset}" "${RUNNER_TEMP}/osv-scanner/osv-scanner"
echo "${RUNNER_TEMP}/osv-scanner" >> "${GITHUB_PATH}"
- name: Run OSV Scanner
continue-on-error: true
run: osv-scanner scan -L pnpm-lock.yaml --format=sarif > osv-results.sarif
- name: Require OSV SARIF output
if: always()
run: test -s osv-results.sarif
- uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: osv-results.sarif