zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-05-17 14:23:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add scheduled supply-chain watch workflow

Browse Source
This commit is contained in:
Affaan Mustafa
2026-05-15 16:35:25 -04:00
committed by Affaan Mustafa
parent 6887f2952d
commit 6951b8d5d2
4 changed files with 154 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
tests/ci/supply-chain-watch-workflow.test.js Normal file
View File

@@ -0,0 +1,73 @@
#!/usr/bin/env node
/**
* Validate the scheduled supply-chain watch workflow contract.
*/
const assert = require('assert');
const fs = require('fs');
const path = require('path');
const WORKFLOW_PATH = path.join(
__dirname,
'..',
'..',
'.github',
'workflows',
'supply-chain-watch.yml',
);
function test(name, fn) {
try {
fn();
console.log(`${name}`);
return true;
} catch (error) {
console.log(`${name}`);
console.log(` Error: ${error.message}`);
return false;
}
}
function run() {
console.log('\n=== Testing supply-chain watch workflow ===\n');
const source = fs.readFileSync(WORKFLOW_PATH, 'utf8');
let passed = 0;
let failed = 0;
if (test('runs on schedule and manual dispatch', () => {
assert.match(source, /schedule:\r?\n\s+- cron: '17 \*\/6 \* \* \*'/);
assert.match(source, /workflow_dispatch:/);
})) passed++; else failed++;
if (test('uses read-only permissions and non-persisting checkout credentials', () => {
assert.match(source, /permissions:\r?\n\s+contents: read/);
assert.doesNotMatch(source, /^\s+[A-Za-z-]+:\s*write\b/m);
assert.match(source, /uses: actions\/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd/);
assert.match(source, /persist-credentials: false/);
assert.doesNotMatch(source, /id-token:\s*write/);
assert.doesNotMatch(source, /actions\/cache@/);
})) passed++; else failed++;
if (test('installs without lifecycle scripts and verifies registry signatures', () => {
assert.match(source, /npm ci --ignore-scripts/);
assert.match(source, /npm audit signatures/);
assert.match(source, /npm audit --audit-level=high/);
})) passed++; else failed++;
if (test('runs IOC fixtures, emits JSON report, and uploads the artifact', () => {
assert.match(source, /node tests\/ci\/scan-supply-chain-iocs\.test\.js/);
assert.match(source, /node scripts\/ci\/scan-supply-chain-iocs\.js --json > artifacts\/supply-chain-ioc-report\.json/);
assert.match(source, /node scripts\/ci\/validate-workflow-security\.js/);
assert.match(source, /uses: actions\/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a/);
assert.match(source, /name: supply-chain-ioc-report/);
assert.match(source, /retention-days: 14/);
})) passed++; else failed++;
console.log(`\nPassed: ${passed}`);
console.log(`Failed: ${failed}`);
process.exit(failed > 0 ? 1 : 0);
}
run();