fix: path-to-regexp vulnerability #1341
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
workflow_dispatch: | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
strategy: | |
matrix: | |
node-version: [20.x] | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v3 | |
- name: Use Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v1 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: Cache node modules | |
uses: actions/cache@v1 | |
with: | |
path: node_modules | |
key: yarn-deps-${{ hashFiles('yarn.lock') }} | |
restore-keys: | | |
yarn-deps-${{ hashFiles('yarn.lock') }} | |
- name: Lint the content | |
run: | | |
yarn config set workspaces-experimental true | |
yarn install --frozen-lockfile | |
yarn build | |
yarn lint | |
yarn test | |
cdn: | |
if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
permissions: | |
contents: write | |
needs: | |
- test | |
strategy: | |
matrix: | |
node-version: [20.x] | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@v3 | |
with: | |
token: ${{ secrets.DISPATCH_ACCESS_TOKEN }} | |
- name: Set up Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v1 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: Cache node modules | |
uses: actions/cache@v1 | |
with: | |
path: node_modules | |
key: yarn-deps-${{ hashFiles('yarn.lock') }} | |
restore-keys: | | |
yarn-deps-${{ hashFiles('yarn.lock') }} | |
- name: Create CDN build | |
env: | |
GITHUB_TOKEN: ${{ secrets.DISPATCH_ACCESS_TOKEN }} | |
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
run: | | |
yarn config set workspaces-experimental true | |
yarn install --frozen-lockfile | |
git fetch --tags | |
PACKAGE_VERSION=$($GITHUB_WORKSPACE/node_modules/.bin/auto shipit -dq) yarn build | |
- name: Push compiled content | |
uses: s0/git-publish-subdir-action@develop | |
env: | |
REPO: self | |
BRANCH: cdn | |
FOLDER: packages/embed-cdn/lib | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
release: | |
if: "!contains(github.event.head_commit.message, 'ci skip') && !contains(github.event.head_commit.message, 'skip ci') && github.repository_owner == 'gr4vy' && github.ref == 'refs/heads/main'" | |
runs-on: ubuntu-latest | |
needs: | |
- test | |
strategy: | |
matrix: | |
node-version: [20.x] | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
token: ${{ secrets.DISPATCH_ACCESS_TOKEN }} | |
- name: Prepare repository | |
run: git fetch --unshallow --tags | |
- name: Use Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v1 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: Cache node modules | |
uses: actions/cache@v1 | |
with: | |
path: node_modules | |
key: yarn-deps-${{ hashFiles('yarn.lock') }} | |
restore-keys: | | |
yarn-deps-${{ hashFiles('yarn.lock') }} | |
- name: Create Release | |
env: | |
GITHUB_TOKEN: ${{ secrets.DISPATCH_ACCESS_TOKEN }} | |
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
run: | | |
yarn config set workspaces-experimental true | |
yarn install --frozen-lockfile | |
PACKAGE_VERSION=$($GITHUB_WORKSPACE/node_modules/.bin/auto shipit -dq) yarn build | |
yarn release | |
scan: | |
runs-on: ubuntu-latest | |
timeout-minutes: 2 | |
strategy: | |
matrix: | |
node-version: | |
- 20.x | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v3 | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
ignore-unfixed: true | |
exit-code: 1 | |
env: | |
TRIVY_DB_REPOSITORY: us-docker.pkg.dev/gr4vy-admin/aquasecurity/trivy-db |