chore: update dependencies #39
| name: Security | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| permissions: | |
| contents: read | |
| jobs: | |
| # Fails a PR that introduces a dependency with a high+ advisory. | |
| # Delta-based: gates NEW risk without tripping on pre-existing debt. | |
| dependency-review: | |
| name: Dependency Review | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Dependency review | |
| uses: actions/dependency-review-action@v4 | |
| with: | |
| fail-on-severity: high | |
| # Scans the diff for committed secrets. TruffleHog is used instead of | |
| # gitleaks-action, which requires a paid licence for organisation accounts. | |
| secret-scan: | |
| name: Secret Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: TruffleHog | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| extra_args: --results=verified,unknown | |
| # Full-tree audit. Intentionally NON-BLOCKING for now: the tree currently | |
| # has a pre-existing dev-only high advisory (vite/esbuild dev server). | |
| # Flip `continue-on-error` off once the tree is clean. | |
| npm-audit: | |
| name: npm audit (advisory) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Setup Node | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: 24 | |
| cache: npm | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Audit | |
| run: npm audit --audit-level=high | |
| continue-on-error: true |
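Review bot: The secret-scan job references a third-party action at a mutable branch ref, `uses: trufflesecurity/trufflehog@main`, so whatever is pushed to that upstream branch next runs inside this workflow with no review on this side; the other actions at least use major-version tags, which are also mutable but rewritten far less often. Pin it to a full commit SHA and record the audited release in a trailing comment, e.g. `uses: trufflesecurity/trufflehog@<full-commit-sha>  # <release tag>` (placeholders — substitute the release you verified), and consider the same SHA pinning for the `actions/checkout`, `actions/dependency-review-action` and `actions/setup-node` references. A Dependabot `github-actions` ecosystem entry keeps SHA pins current without reintroducing branch refs. Note that this workflow is the only visible signal of what the PR changes; if the dependency bump itself is in other files, they are outside this view.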