ci: automate security PRs

2023-11-26 14:39:35 +00:00 · 2023-11-26 14:39:35 +00:00 · c4c1e3faa5
parent 2367f863cf
commit c4c1e3faa5
3 changed files with 49 additions and 10 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: 'npm'
+    directory: '/'
+    schedule:
+      interval: 'daily'
+    commit-message:
+      prefix: 'npm'
+      prefix-development: 'npm dev'
+    labels:
+      - 'deps'
+      - 'security'
+    open-pull-requests-limit: 0 # Security updates only
--- a/.github/workflows/ci-code-review.yml
+++ b/.github/workflows/ci-code-review.yml
@ -4,17 +4,20 @@ on:
  pull_request:
    branches: ['main']
  push:
+    branches-ignore:
+      - 'dependabot/*'

 jobs:
  lint:
+    if: ${{ github.actor != 'dependabot[bot]' }}
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'yarn'
@ -29,6 +32,7 @@ jobs:
        run: yarn lint-all

  sast:
+    if: ${{ github.actor != 'dependabot[bot]' }}
    name: Security Scan
    runs-on: ubuntu-latest
    permissions:
@ -36,29 +40,25 @@ jobs:
      contents: read
      security-events: write

-    strategy:
-      fail-fast: false
-      matrix:
-        language: ['javascript']
-
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      - name: Initialise CodeQL
        uses: github/codeql-action/init@v2
        with:
-          languages: ${{ matrix.language }}
+          languages: 'javascript'

      - name: Run CodeQL
        uses: github/codeql-action/analyze@v2

  sca:
+    if: ${{ github.actor != 'dependabot[bot]' }}
    name: Dependency Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

      # Fail the job on critical vulnerabiliies with fix available
      - name: Fail on critical vulnerabilities
@ -72,6 +72,7 @@ jobs:
          exit-code: '1'

  all-pass:
+    if: ${{ github.actor != 'dependabot[bot]' }}
    name: All tests pass 🚀
    needs: ['lint', 'sast', 'sca']
    runs-on: ubuntu-latest
--- a/.github/workflows/ci-dep-pr.yml
+++ b/.github/workflows/ci-dep-pr.yml
@ -0,0 +1,25 @@
+name: Dependabot PR Review
+
+on:
+  pull_request:
+    branches: ['main']
+
+jobs:
+  build:
+    name: Build test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn ci
+
+      - name: Test build
+        run: yarn build