|
1 | 1 | name: owasp-dependency-check |
2 | 2 | on: |
3 | | - workflow_dispatch: |
| 3 | + pull_request: |
4 | 4 | release: |
5 | 5 | types: [published] |
6 | | - pull_request: |
7 | | - branches: [dev] |
8 | | - schedule: |
9 | | - - cron: "0 5 * * 1" # weekly, 05:00 UTC Mondays |
| 6 | + workflow_dispatch: |
10 | 7 |
|
11 | 8 | permissions: |
12 | 9 | contents: read |
| 10 | + security-events: write |
13 | 11 |
|
14 | 12 | jobs: |
15 | 13 | depcheck: |
16 | 14 | runs-on: ubuntu-latest |
17 | | - permissions: |
18 | | - contents: read |
19 | | - security-events: write |
20 | | - actions: read |
21 | 15 | steps: |
22 | | - - uses: actions/checkout@v4 |
| 16 | + - name: Checkout (release tag) |
| 17 | + if: github.event_name == 'release' |
| 18 | + uses: actions/checkout@v4 |
| 19 | + with: |
| 20 | + ref: ${{ github.event.release.tag_name }} |
| 21 | + - name: Checkout (PR/default) |
| 22 | + if: github.event_name != 'release' |
| 23 | + uses: actions/checkout@v4 |
23 | 24 |
|
24 | | - - name: Detect JS tooling (bun / node) |
25 | | - id: meta |
26 | | - run: | |
27 | | - set -e |
28 | | - has_file() { git ls-files -z | tr '\0' '\n' | grep -qE "$1" && echo true || echo false; } |
29 | | - echo "has_bun=$(has_file '(^|/)bun\.lockb$')" >> "$GITHUB_OUTPUT" |
30 | | - echo "has_node=$(has_file '(^|/)package\.json$')" >> "$GITHUB_OUTPUT" |
31 | | - echo "has_pnpm_lock=$(has_file '(^|/)pnpm-lock\.yaml$')" >> "$GITHUB_OUTPUT" |
32 | | - echo "has_yarn_lock=$(has_file '(^|/)yarn\.lock$')" >> "$GITHUB_OUTPUT" |
33 | | - echo "has_package_lock=$(has_file '(^|/)package-lock\.json$')" >> "$GITHUB_OUTPUT" |
| 25 | + - name: Setup Bun (repo action) |
| 26 | + uses: ./.github/actions/setup-bun |
34 | 27 |
|
35 | | - - name: Setup Bun (if bun.lockb present) |
36 | | - if: steps.meta.outputs.has_bun == 'true' |
37 | | - run: | |
38 | | - curl -fsSL https://bun.sh/install | bash |
39 | | - echo "$HOME/.bun/bin" >> $GITHUB_PATH |
40 | | - bun --version |
| 28 | + - name: Install workspace deps (Bun) |
| 29 | + run: bun install --frozen-lockfile || bun install |
41 | 30 |
|
42 | | - - name: Install JS deps for analysis |
43 | | - if: steps.meta.outputs.has_bun == 'true' || steps.meta.outputs.has_node == 'true' |
| 31 | + - name: Ensure per-package node_modules (symlink to root) |
44 | 32 | run: | |
45 | 33 | set -e |
46 | | - if [ "${{ steps.meta.outputs.has_bun }}" = "true" ]; then |
47 | | - bun install --frozen-lockfile || bun install |
48 | | - else |
49 | | - sudo apt-get update -y |
50 | | - sudo apt-get install -y nodejs npm || true |
51 | | - npm i -g corepack || true |
52 | | - corepack enable || true |
53 | | - if [ "${{ steps.meta.outputs.has_pnpm_lock }}" = "true" ]; then corepack prepare pnpm@9 --activate || true; pnpm install --frozen-lockfile || pnpm install || true; fi |
54 | | - if [ "${{ steps.meta.outputs.has_package_lock }}" = "true" ]; then npm ci || npm i || true; fi |
55 | | - if [ "${{ steps.meta.outputs.has_yarn_lock }}" = "true" ]; then corepack prepare yarn@stable --activate || true; yarn install --frozen-lockfile || yarn install || true; fi |
56 | | - fi |
| 34 | + root_nm="$(pwd)/node_modules" |
| 35 | + if [ ! -d "$root_nm" ]; then echo 'No root node_modules after bun install' >&2; exit 1; fi |
| 36 | + # create a node_modules symlink in every workspace package that lacks one |
| 37 | + git ls-files -z | tr '\0' '\n' | grep -E '(^|/)package.json$' | while read -r pj; do |
| 38 | + pkgdir="$(dirname "$pj")" |
| 39 | + [ "$pkgdir" = ".github/actions/setup-bun" ] && continue |
| 40 | + if [ ! -d "$pkgdir/node_modules" ]; then |
| 41 | + echo "linking $pkgdir/node_modules -> $root_nm" |
| 42 | + ln -s "$root_nm" "$pkgdir/node_modules" || true |
| 43 | + fi |
| 44 | + done |
57 | 45 |
|
58 | 46 | - name: Cache dependency-check data |
59 | 47 | uses: actions/cache@v4 |
60 | 48 | with: |
61 | 49 | path: ~/.m2/repository/org/owasp/dependency-check-data/ |
62 | | - key: depcheck-data-${{ runner.os }}-${{ hashFiles('**/pom.xml') }} |
| 50 | + key: depcheck-data-${{ runner.os }}-v2 |
63 | 51 | restore-keys: | |
64 | 52 | depcheck-data-${{ runner.os }}- |
65 | 53 |
|
66 | 54 | - name: Run OWASP Dependency-Check |
67 | 55 | uses: dependency-check/[email protected] |
68 | | - env: |
69 | | - JAVA_HOME: /opt/jdk |
70 | 56 | with: |
71 | | - project: "OpenCode" |
72 | | - path: "." |
| 57 | + project: OpenCode |
| 58 | + path: . |
73 | 59 | format: ALL |
| 60 | + args: --enableExperimental |
74 | 61 |
|
75 | 62 | - name: Upload reports |
76 | 63 | uses: actions/upload-artifact@v4 |
77 | 64 | with: |
78 | 65 | name: owasp-depcheck-report |
79 | | - path: reports |
| 66 | + path: reports/** |
0 commit comments