mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-05-16 22:03:05 +08:00
66 lines
1.9 KiB
YAML
66 lines
1.9 KiB
YAML
name: Supply-Chain Watch
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '17 */6 * * *'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: false
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
ioc-watch:
|
|
name: IOC watch
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
|
|
with:
|
|
node-version: '20.x'
|
|
|
|
- name: Install dependencies without lifecycle scripts
|
|
run: npm ci --ignore-scripts
|
|
|
|
- name: Verify registry signatures and advisories
|
|
run: |
|
|
npm audit signatures
|
|
npm audit --audit-level=high
|
|
|
|
- name: Validate IOC scanner fixtures
|
|
run: node tests/ci/scan-supply-chain-iocs.test.js
|
|
|
|
- name: Validate advisory source fixtures
|
|
run: node tests/ci/supply-chain-advisory-sources.test.js
|
|
|
|
- name: Generate IOC report
|
|
run: |
|
|
mkdir -p artifacts
|
|
node scripts/ci/scan-supply-chain-iocs.js --json > artifacts/supply-chain-ioc-report.json
|
|
|
|
- name: Generate advisory source report
|
|
run: node scripts/ci/supply-chain-advisory-sources.js --refresh --json > artifacts/supply-chain-advisory-sources.json
|
|
|
|
- name: Validate workflow hardening rules
|
|
run: node scripts/ci/validate-workflow-security.js
|
|
|
|
- name: Upload IOC report
|
|
if: always()
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: supply-chain-ioc-report
|
|
path: |
|
|
artifacts/supply-chain-ioc-report.json
|
|
artifacts/supply-chain-advisory-sources.json
|
|
retention-days: 14
|