chore(deps-dev): bump tsx from 4.22.0 to 4.22.1 in the development-dependencies group #154
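name: Knip — Unused Code Detection

# Dedicated workflow that runs Knip on every PR and on pushes to main to
# detect unused exports, dependencies, files, and configuration drift in
# the repository's TypeScript surface (src, tests, scripts).
#
# Quality gate: zero unused exports / dependencies — failures block merge.
# ISMS Compliance: ISO 27001 A.8.28 (Secure Coding), A.8.31 (Separation
# of Development/Test/Production), CIS Controls v8.1 16.6.

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  workflow_dispatch:

# Workflow-wide default: read-only on every scope. Each job below narrows
# this further to the scopes it actually needs.
permissions: read-all

# Resilience against transient npm registry / mirror failures.
env:
  NPM_CONFIG_FETCH_RETRIES: "5"
  NPM_CONFIG_FETCH_RETRY_MINTIMEOUT: "20000"
  NPM_CONFIG_FETCH_RETRY_MAXTIMEOUT: "120000"
  NPM_CONFIG_FETCH_TIMEOUT: "300000"

# Cancel any in-progress run for the same ref to save CI minutes
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  knip:
    name: Knip (Unused Code)
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read  # Required to check out code
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the release tag each SHA corresponds to.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          # audit records outbound connections but does not block them.
          # TODO(review): consider `block` with an explicit endpoint
          # allowlist once the audited baseline for this job is known.
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # No later step performs authenticated git operations, so do not
          # leave the job token configured for git while `npm ci` runs
          # dependency lifecycle scripts.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "26"
          cache: "npm"

      # `npm ci` installs strictly from the lockfile and fails if it is out
      # of sync with package.json.
      - name: Install dependencies
        run: npm ci

      - name: Run Knip (unused code, exports, dependencies)
        run: npm run knip

      # Runs even when an earlier step failed so the summary is always
      # written.
      - name: Knip summary
        if: always()
        env:
          # Pass the expression through the environment instead of
          # interpolating it into the script text, so the shell only ever
          # sees it as data.
          JOB_STATUS: ${{ job.status }}
        run: |
          {
            echo "## Knip Results"
            echo ""
            if [ "$JOB_STATUS" = "success" ]; then
              echo "✅ No unused exports, files, or dependencies detected."
            else
              echo "❌ Knip found unused code. See logs above for details."
              echo ""
              echo "**Triage options for each finding:**"
              echo "1. **Integrate** — code is intended but not yet wired up; complete integration."
              echo "2. **Whitelist** — code is used by tooling Knip cannot detect; update \`knip.json\`."
              echo "3. **Delete** — code is genuinely dead; remove it."
            fi
          } >> "$GITHUB_STEP_SUMMARY"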