53 lines
1.9 KiB
YAML
53 lines
1.9 KiB
YAML
name: Dependency Audit
|
|
|
|
on:
|
|
pull_request:
|
|
push:
|
|
branches:
|
|
- main
|
|
schedule:
|
|
- cron: "23 3 * * 1"
|
|
|
|
jobs:
|
|
dependency-audit:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: "22"
|
|
- name: Configure SSH for release dependencies
|
|
env:
|
|
GOVOPLAN_RELEASE_SSH_KEY: ${{ secrets.GOVOPLAN_RELEASE_SSH_KEY }}
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
chmod 700 ~/.ssh
|
|
if [ -z "${GOVOPLAN_RELEASE_SSH_KEY:-}" ]; then
|
|
echo "GOVOPLAN_RELEASE_SSH_KEY secret is required for git+ssh release dependencies."
|
|
exit 1
|
|
fi
|
|
printf '%s\n' "$GOVOPLAN_RELEASE_SSH_KEY" > ~/.ssh/id_ed25519
|
|
chmod 600 ~/.ssh/id_ed25519
|
|
if ! command -v ssh-keyscan >/dev/null 2>&1; then
|
|
apt-get update
|
|
apt-get install -y openssh-client
|
|
fi
|
|
ssh-keyscan -4 -H git.add-ideas.de >> ~/.ssh/known_hosts
|
|
chmod 600 ~/.ssh/known_hosts
|
|
- name: Install backend dev audit dependencies
|
|
run: |
|
|
python -m venv .venv
|
|
.venv/bin/python -m pip install --upgrade pip
|
|
.venv/bin/python -m pip install -r requirements-release.txt
|
|
.venv/bin/python -m pip install 'pip-audit>=2.9,<3'
|
|
- name: Install WebUI release dependencies
|
|
working-directory: webui
|
|
run: |
|
|
node -e "const fs=require('fs'); const pkg=JSON.parse(fs.readFileSync('package.json')); const rel=JSON.parse(fs.readFileSync('package.release.json')); pkg.dependencies=rel.dependencies; fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n');"
|
|
npm install
|
|
- name: Run dependency audits
|
|
run: bash scripts/check-dependency-audits.sh
|