ci: bump github/codeql-action from 4.35.1 to 4.35.3 #399
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Supply Chain Security | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| schedule: | |
| - cron: "30 3 * * 1" # Weekly Monday 03:30 UTC | |
| permissions: {} | |
| jobs: | |
| # Block PRs that introduce known-vulnerable or malicious dependencies | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Dependency review | |
| uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4 | |
| with: | |
| fail-on-severity: high | |
| comment-summary-in-pr: always | |
| # Verify deno.lock has not been tampered with | |
| lockfile-integrity: | |
| name: Lockfile Integrity | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Deno | |
| uses: denoland/setup-deno@667a34cdef165d8d2b2e98dde39547c9daac7282 # v2.0.4 | |
| with: | |
| deno-version: v2.x | |
| - name: Verify lockfile is committed | |
| run: | | |
| if [ ! -f deno.lock ]; then | |
| echo "::error::deno.lock is missing — commit it to enforce dependency integrity" | |
| exit 1 | |
| fi | |
| - name: Verify lockfile is up-to-date (frozen install) | |
| run: deno install --frozen | |
| # OpenSSF Scorecard — measures repo security posture | |
| scorecard: | |
| name: OpenSSF Scorecard | |
| runs-on: ubuntu-latest | |
| if: github.event_name != 'pull_request' && !github.event.repository.private | |
| permissions: | |
| contents: read | |
| security-events: write # Upload SARIF | |
| id-token: write # Sigstore signing for publish_results | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Run Scorecard | |
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| publish_results: true | |
| - name: Upload SARIF | |
| uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 | |
| with: | |
| sarif_file: results.sarif |