chore(deps): upgrade dependencies #285
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: security-pr | |
| # Fast, required-on-PR security gate (issue #327). Catches the incident class | |
| # (#313: secrets reaching history because the scan only ran weekly) at PR time. | |
| # | |
| # Scope is deliberately the FAST scanners only — secrets (range-scoped), | |
| # dependencies, and workflow static-analysis — so this stays off the slow path | |
| # (<~3 min) and can be a required status check without throttling the inner loop. | |
| # The heavy image + SAST suite (trivy/grype/semgrep) runs in security.yml and is | |
| # tracked separately by #235; the full-history secret sweep also lives there. | |
| on: | |
| pull_request: {} | |
| # Must also run on merge_group so this check reports inside the merge queue; | |
| # otherwise marking it a required check deadlocks the queue. See #327. | |
| merge_group: {} | |
| workflow_dispatch: {} | |
| # Least privilege: read the code, nothing else. | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: security-pr-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| secrets-deps-actions: | |
| name: Secrets, deps, and workflow scan | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| permissions: | |
| contents: read | |
| env: | |
| CI: "true" | |
| MISE_EXPERIMENTAL: "1" | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| AQUA_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| # Full history so the range scan can resolve the base ref. A shallow | |
| # clone would leave origin/<base> unresolvable for the commit-range diff. | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Install mise | |
| uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0 | |
| with: | |
| cache: true | |
| - name: Resolve commit range | |
| id: range | |
| env: | |
| EVENT_NAME: ${{ github.event_name }} | |
| PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
| MG_BASE_SHA: ${{ github.event.merge_group.base_sha }} | |
| MG_HEAD_SHA: ${{ github.event.merge_group.head_sha }} | |
| run: | | |
| set -euo pipefail | |
| case "$EVENT_NAME" in | |
| pull_request) | |
| # Scan exactly the commits this PR introduces. | |
| echo "range=${PR_BASE_SHA}..${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT" | |
| ;; | |
| merge_group) | |
| # Scan only the queued merge commits — not full history. An empty | |
| # range would walk every ref and fail on secrets on other branches | |
| # (#334 merge-queue ejection). | |
| echo "range=${MG_BASE_SHA}..${MG_HEAD_SHA}" >> "$GITHUB_OUTPUT" | |
| ;; | |
| workflow_dispatch|*) | |
| # Manual dispatch: scan HEAD only (safe default, not full history). | |
| echo "range=HEAD" >> "$GITHUB_OUTPUT" | |
| ;; | |
| esac | |
| echo "Resolved GITLEAKS_RANGE='$(tail -n1 "$GITHUB_OUTPUT" | cut -d= -f2-)'" | |
| - name: Secret scan (gitleaks, range-scoped) | |
| env: | |
| GITLEAKS_RANGE: ${{ steps.range.outputs.range }} | |
| run: mise run security:secrets:range | |
| - name: Dependency scan (osv-scanner) | |
| run: mise run security:deps | |
| - name: Workflow static analysis (zizmor) | |
| run: mise run security:gh-actions |