name: Security on: push: branches: [main] pull_request: branches: [main] schedule: - cron: '0 6 * * 1' permissions: contents: read security-events: write jobs: codeql: name: CodeQL Analysis runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: typescript - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '18' - name: Enable Corepack run: corepack enable - name: Install dependencies run: yarn install --immutable - name: Build run: ./node_modules/.bin/subql build -f pezkuwi.yaml - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 dependency-audit: name: Dependency Audit runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '18' - name: Enable Corepack run: corepack enable - name: Install dependencies run: yarn install --immutable - name: Run npm audit run: yarn npm audit --all --recursive || true - name: Check for critical vulnerabilities run: | CRITICAL=$(yarn npm audit --all --recursive --json 2>/dev/null | jq '[.advisories // {} | to_entries[] | select(.value.severity == "critical")] | length' 2>/dev/null || echo "0") if [ "$CRITICAL" -gt 0 ]; then echo "::error::Found $CRITICAL critical vulnerabilities" exit 1 fi dependency-review: name: Dependency Review runs-on: ubuntu-latest if: github.event_name == 'pull_request' steps: - name: Checkout uses: actions/checkout@v4 - name: Dependency Review uses: actions/dependency-review-action@v4 with: fail-on-severity: high deny-licenses: GPL-3.0, AGPL-3.0 secret-scan: name: Secret Scan runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: TruffleHog Secret Scan uses: trufflesecurity/trufflehog@main with: path: ./ base: ${{ github.event.repository.default_branch }} extra_args: --only-verified