typescript-sdk-tools/.github/workflows/reusable-audit.yml at 3d5823ab858d1dce58fa46aad3d383d585decf63 · inrupt/typescript-sdk-tools · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
name: Reusable Audit Workflow

on:
  workflow_call:
    secrets:
      WEBHOOK_E2E_FAILURE:
        required: true

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v6
        with:
          node-version: "22"
          registry-url: "https://registry.npmjs.org"
          cache: "npm"
      # actions/setup-node doesn't necessarily install the latest NPM CLI
      # version, and it has caused issues with signatures auditing for instance.
      - run: npm install -g npm@latest
      # Install dependencies so license-checker actually checks them:
      - run: npm ci
      # We check the dependency licenses as part of the audit job, as a
      # misconfigured or inappropriate dependency license is in the same
      # category of issues as an npm audit security failure: we consider
      # bad licenses a vulnerability.
      - run: npx license-checker --production --failOn "AGPL-1.0-only; AGPL-1.0-or-later; AGPL-3.0-only; AGPL-3.0-or-later; Beerware; CC-BY-NC-1.0; CC-BY-NC-2.0; CC-BY-NC-2.5; CC-BY-NC-3.0; CC-BY-NC-4.0; CC-BY-NC-ND-1.0; CC-BY-NC-ND-2.0; CC-BY-NC-ND-2.5; CC-BY-NC-ND-3.0; CC-BY-NC-ND-4.0; CC-BY-NC-SA-1.0; CC-BY-NC-SA-2.0; CC-BY-NC-SA-2.5; CC-BY-NC-SA-3.0; CC-BY-NC-SA-4.0; CPAL-1.0; EUPL-1.0; EUPL-1.1; EUPL-1.1;  GPL-1.0-only; GPL-1.0-or-later; GPL-2.0-only;  GPL-2.0-or-later; GPL-3.0; GPL-3.0-only; GPL-3.0-or-later; SISSL;  SISSL-1.2; WTFPL"
      # Run the audit and capture the results
      - run: npm audit --audit-level=moderate --omit=dev --json true | tee audit.json
        # Note: this name is used for matching, changing it is a breaking change.
        name: Dependency Check
      # Run the audit to check the signatures
      - run: npm audit signatures
      # Publishes a notification to a slack channel:
      - name: Send a notification that the audit has failed
        if: failure() && github.event_name == 'schedule'
        run: "curl -X POST -H Content-type: 'application/json' --data \"{\\\"text\\\":\\\"Automated npm audit --audit-level=moderate failed. View <https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID|the execution log> for more details.\\\"}\" $WEBHOOK_E2E_FAILURE"
        env:
          WEBHOOK_E2E_FAILURE: ${{ secrets.WEBHOOK_E2E_FAILURE }}