Skip to content

chore(deps): upgrade dependencies #285

chore(deps): upgrade dependencies

chore(deps): upgrade dependencies #285

Workflow file for this run

name: security-pr
# Fast, required-on-PR security gate (issue #327). Catches the incident class
# (#313: secrets reaching history because the scan only ran weekly) at PR time.
#
# Scope is deliberately the FAST scanners only — secrets (range-scoped),
# dependencies, and workflow static-analysis — so this stays off the slow path
# (<~3 min) and can be a required status check without throttling the inner loop.
# The heavy image + SAST suite (trivy/grype/semgrep) runs in security.yml and is
# tracked separately by #235; the full-history secret sweep also lives there.
on:
pull_request: {}
# Must also run on merge_group so this check reports inside the merge queue;
# otherwise marking it a required check deadlocks the queue. See #327.
merge_group: {}
workflow_dispatch: {}
# Least privilege: read the code, nothing else.
permissions:
contents: read
concurrency:
group: security-pr-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
secrets-deps-actions:
name: Secrets, deps, and workflow scan
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: read
env:
CI: "true"
MISE_EXPERIMENTAL: "1"
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AQUA_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
# Full history so the range scan can resolve the base ref. A shallow
# clone would leave origin/<base> unresolvable for the commit-range diff.
fetch-depth: 0
persist-credentials: false
- name: Install mise
uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4.1.0
with:
cache: true
- name: Resolve commit range
id: range
env:
EVENT_NAME: ${{ github.event_name }}
PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
MG_BASE_SHA: ${{ github.event.merge_group.base_sha }}
MG_HEAD_SHA: ${{ github.event.merge_group.head_sha }}
run: |
set -euo pipefail
case "$EVENT_NAME" in
pull_request)
# Scan exactly the commits this PR introduces.
echo "range=${PR_BASE_SHA}..${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT"
;;
merge_group)
# Scan only the queued merge commits — not full history. An empty
# range would walk every ref and fail on secrets on other branches
# (#334 merge-queue ejection).
echo "range=${MG_BASE_SHA}..${MG_HEAD_SHA}" >> "$GITHUB_OUTPUT"
;;
workflow_dispatch|*)
# Manual dispatch: scan HEAD only (safe default, not full history).
echo "range=HEAD" >> "$GITHUB_OUTPUT"
;;
esac
echo "Resolved GITLEAKS_RANGE='$(tail -n1 "$GITHUB_OUTPUT" | cut -d= -f2-)'"
- name: Secret scan (gitleaks, range-scoped)
env:
GITLEAKS_RANGE: ${{ steps.range.outputs.range }}
run: mise run security:secrets:range
- name: Dependency scan (osv-scanner)
run: mise run security:deps
- name: Workflow static analysis (zizmor)
run: mise run security:gh-actions