Security checks #1326
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security checks | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request_target: | |
| branches: | |
| - main | |
| schedule: | |
| # Every day at midnight UTC | |
| - cron: "0 0 * * *" | |
| jobs: | |
| deps: | |
| name: Fetch deps | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Elixir | |
| id: beam | |
| uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1.23.0 | |
| with: | |
| otp-version: '27.2.1' | |
| elixir-version: '1.18.2' | |
| - name: Cache Mix | |
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 | |
| with: | |
| path: deps | |
| key: ${{ runner.os }}-mix-${{ hashFiles(format('{0}{1}', github.workspace, '/mix.lock')) }} | |
| restore-keys: | | |
| ${{ runner.os }}-mix- | |
| - name: Install dependencies | |
| run: mix deps.get --check-locked | |
| - name: Submit dependencies to GitHub | |
| uses: erlef/mix-dependency-submission@fa3e8f349d00a32bf14eec1c7577d6564abe08d2 # v1.3.1 | |
| audit: | |
| name: Check dependencies for vulnerabilities | |
| runs-on: ubuntu-24.04 | |
| needs: [deps] | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Elixir | |
| id: beam | |
| uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1.23.0 | |
| with: | |
| otp-version: '27.2.1' | |
| elixir-version: '1.18.2' | |
| - name: Cache Mix | |
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 | |
| with: | |
| path: deps | |
| key: ${{ runner.os }}-mix-${{ hashFiles(format('{0}{1}', github.workspace, '/mix.lock')) }} | |
| restore-keys: | | |
| ${{ runner.os }}-mix- | |
| - name: Compile deps | |
| run: mix deps.compile | |
| - name: MixAudit check | |
| run: mix deps.audit | |
| sobelow: | |
| name: Security check | |
| runs-on: ubuntu-24.04 | |
| needs: [deps] | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Elixir | |
| id: beam | |
| uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1.23.0 | |
| with: | |
| otp-version: '27.2.1' | |
| elixir-version: '1.18.2' | |
| - name: Cache Mix | |
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 | |
| with: | |
| path: deps | |
| key: ${{ runner.os }}-mix-${{ hashFiles(format('{0}{1}', github.workspace, '/mix.lock')) }} | |
| restore-keys: | | |
| ${{ runner.os }}-mix- | |
| - name: Compile deps | |
| run: mix deps.compile | |
| - name: Sobelow checks | |
| run: mix sobelow --config > results.sarif | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3.34.1 | |
| with: | |
| sarif_file: results.sarif | |
| category: sobelow |