Security & Dependency Updates #10

Workflow file for this run

.github/workflows/security.yml at 714b688

	name: Security & Dependency Updates

	on:
	schedule:
	# Run weekly on Sundays at 3 AM UTC
	- cron: '0 3 * * 0'
	workflow_dispatch:

	permissions:
	contents: write
	pull-requests: write
	security-events: write

	jobs:
	# =========================================
	# Dependency Updates
	# =========================================
	dependabot-auto-merge:
	name: Auto-merge Dependabot PRs
	runs-on: ubuntu-latest
	if: github.actor == 'dependabot[bot]'

	steps:
	- name: Fetch Dependabot metadata
	id: metadata
	uses: dependabot/fetch-metadata@v2
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}

	- name: Auto-merge patch updates
	if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
	run: gh pr merge --auto --merge "$PR_URL"
	env:
	PR_URL: ${{ github.event.pull_request.html_url }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	# =========================================
	# Security Scanning
	# =========================================
	security-scan:
	name: Security Vulnerability Scan
	runs-on: ubuntu-latest

	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: 'fs'
	scan-ref: '.'
	format: 'sarif'
	output: 'trivy-results.sarif'
	severity: 'CRITICAL,HIGH'

	- name: Upload Trivy scan results
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: 'trivy-results.sarif'

	# =========================================
	# License Compliance
	# =========================================
	license-check:
	name: Check Licenses
	runs-on: ubuntu-latest

	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Install pnpm
	uses: pnpm/action-setup@v3
	with:
	version: 9

	- name: Setup Node.js
	uses: actions/setup-node@v4
	with:
	node-version: '20'
	cache: 'pnpm'

	- name: Install dependencies
	run: pnpm install --frozen-lockfile

	- name: Check licenses
	run: npx license-checker --failOn "GPL;AGPL" --summary

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security & Dependency Updates #10

Workflow file

Security & Dependency Updates #10

Uh oh!

Workflow file for this run