
chore(main): release 1.4.0 #46




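---
# Security workflow: dependency-delta gate on PRs, secret scan on every
# push/PR, and an advisory (non-blocking) full-tree npm audit.
name: Security

on:
  push:
    branches: [main]
  pull_request:

# Read-only default token for every job; none of the jobs below needs write
# access, so nothing here can push, comment, or touch releases if a step is
# compromised.
permissions:
  contents: read

jobs:
  # Fails a PR that introduces a dependency with a high+ advisory.
  # Delta-based: gates NEW risk without tripping on pre-existing debt.
  dependency-review:
    name: Dependency Review
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Dependency review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high

  # Scans the diff for committed secrets. TruffleHog is used instead of
  # gitleaks-action, which requires a paid licence for organisation accounts.
  secret-scan:
    name: Secret Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Full clone: the scanner needs history, not just the HEAD tree.
          fetch-depth: 0
      - name: TruffleHog
        # NOTE(review): `@main` is a mutable ref, so the scanner code that runs
        # here can change (or be replaced upstream) with no change to this
        # repo. Pin to a full-length commit SHA, e.g.
        # `uses: trufflesecurity/trufflehog@<FULL_COMMIT_SHA>  # vX.Y.Z`,
        # and let Dependabot/Renovate bump it. The `@vN` tags above are also
        # mutable; SHA-pin those too if the same guarantee is wanted.
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --results=verified,unknown

  # Full-tree audit. Intentionally NON-BLOCKING for now: the tree currently
  # has a pre-existing dev-only high advisory (vite/esbuild dev server).
  # Flip `continue-on-error` off once the tree is clean.
  npm-audit:
    name: npm audit (advisory)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Setup Node
        uses: actions/setup-node@v6
        with:
          # Quoted so the version is a string, not an integer (a minor
          # version such as 24.10 would otherwise become float 24.1).
          node-version: "24"
          cache: npm
      - name: Install dependencies
        # `npm ci` installs exactly what package-lock.json pins; it refuses to
        # run if the lockfile and package.json disagree.
        run: npm ci
      - name: Audit
        run: npm audit --audit-level=high
        # Advisory only (see job comment): a failing audit is surfaced in the
        # run log but does not fail the workflow.
        continue-on-error: true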