mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-06-12 03:03:23 +08:00
02fb737087
Bumps the actions-minor-and-patch group with 1 update in the / directory: [actions/setup-node](https://github.com/actions/setup-node).
Updates `actions/setup-node` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](53b83947a5...48b55a011b)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: 6.4.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: actions-minor-and-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
66 lines
1.9 KiB
YAML
66 lines
1.9 KiB
YAML
name: Supply-Chain Watch
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '17 */6 * * *'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: false
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
ioc-watch:
|
|
name: IOC watch
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: '20.x'
|
|
|
|
- name: Install dependencies without lifecycle scripts
|
|
run: npm ci --ignore-scripts
|
|
|
|
- name: Verify registry signatures and advisories
|
|
run: |
|
|
npm audit signatures
|
|
npm audit --audit-level=high
|
|
|
|
- name: Validate IOC scanner fixtures
|
|
run: node tests/ci/scan-supply-chain-iocs.test.js
|
|
|
|
- name: Validate advisory source fixtures
|
|
run: node tests/ci/supply-chain-advisory-sources.test.js
|
|
|
|
- name: Generate IOC report
|
|
run: |
|
|
mkdir -p artifacts
|
|
node scripts/ci/scan-supply-chain-iocs.js --json > artifacts/supply-chain-ioc-report.json
|
|
|
|
- name: Generate advisory source report
|
|
run: node scripts/ci/supply-chain-advisory-sources.js --refresh --json > artifacts/supply-chain-advisory-sources.json
|
|
|
|
- name: Validate workflow hardening rules
|
|
run: node scripts/ci/validate-workflow-security.js
|
|
|
|
- name: Upload IOC report
|
|
if: always()
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: supply-chain-ioc-report
|
|
path: |
|
|
artifacts/supply-chain-ioc-report.json
|
|
artifacts/supply-chain-advisory-sources.json
|
|
retention-days: 14
|