mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-06-11 02:33:10 +08:00
09e2bc58d3
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](de0fac2e45...df4cb1c069)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
66 lines
1.9 KiB
YAML
66 lines
1.9 KiB
YAML
name: Supply-Chain Watch
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '17 */6 * * *'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: false
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
ioc-watch:
|
|
name: IOC watch
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
|
|
with:
|
|
node-version: '20.x'
|
|
|
|
- name: Install dependencies without lifecycle scripts
|
|
run: npm ci --ignore-scripts
|
|
|
|
- name: Verify registry signatures and advisories
|
|
run: |
|
|
npm audit signatures
|
|
npm audit --audit-level=high
|
|
|
|
- name: Validate IOC scanner fixtures
|
|
run: node tests/ci/scan-supply-chain-iocs.test.js
|
|
|
|
- name: Validate advisory source fixtures
|
|
run: node tests/ci/supply-chain-advisory-sources.test.js
|
|
|
|
- name: Generate IOC report
|
|
run: |
|
|
mkdir -p artifacts
|
|
node scripts/ci/scan-supply-chain-iocs.js --json > artifacts/supply-chain-ioc-report.json
|
|
|
|
- name: Generate advisory source report
|
|
run: node scripts/ci/supply-chain-advisory-sources.js --refresh --json > artifacts/supply-chain-advisory-sources.json
|
|
|
|
- name: Validate workflow hardening rules
|
|
run: node scripts/ci/validate-workflow-security.js
|
|
|
|
- name: Upload IOC report
|
|
if: always()
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: supply-chain-ioc-report
|
|
path: |
|
|
artifacts/supply-chain-ioc-report.json
|
|
artifacts/supply-chain-advisory-sources.json
|
|
retention-days: 14
|