diff --git a/README.md b/README.md index 0a20207..17dcab3 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ Repoistory to host all of Fuel's reusable workflows | Group | Description | | --------------------------------- | ---------------------------------------------------------------- | +| [audit](./audits/) | Reusable workflows for auditing npm packages | | [changeset](./changeset/) | Reusable workflow for create changesets and release npm packages | | [gh-projects](./gh-projects/) | Automating interactions between GH Projects and repositories | | [setups/node](./setups/node/) | Setup node and pnpm requirements on CI | diff --git a/audits/lenient-audit/README.md b/audits/lenient-audit/README.md new file mode 100644 index 0000000..66cb7cc --- /dev/null +++ b/audits/lenient-audit/README.md @@ -0,0 +1,27 @@ +### Audit + +A github action that runs audit and does not fails if the reported vulnerabilities have not yet been fixed. + +### How to use? + +```yml +- uses: FuelLabs/github-actions/audits/lenient-audit + with: + node-version: 18.14.1 + pnpm-version: latest +``` + +### Inputs + +| Name | Description | +| ------------ | ------------ | +| node-version | Node version | +| pnpm-version | PNPM version | + +### Outputs + +No outputs defined + +## License + +The primary license for this repo is `Apache 2.0`, see [`LICENSE`](../../LICENSE.md). diff --git a/audits/lenient-audit/action.yml b/audits/lenient-audit/action.yml new file mode 100644 index 0000000..49aace9 --- /dev/null +++ b/audits/lenient-audit/action.yml @@ -0,0 +1,41 @@ +name: Lenient Audit + +on: + workflow_call: + inputs: + node-version: + required: true + type: string + pnpm-version: + required: true + type: string + +jobs: + audit: + name: Audit + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: ./setups/node + with: + node-version: ${{ inputs.node-version }} + pnpm-version: ${{ inputs.pnpm-version }} + - name: Install jq + run: sudo apt-get install jq + - run: | + pnpm audit --prod --json | jq ' + def has_fix: + .advisories | to_entries | map(.value.patched_versions != "<0.0.0") | any; + if has_fix then + 1 + else + 0 + end + ' > audit_result.txt + if [ "$(cat audit_result.txt)" -eq "1" ]; then + echo "Actionable vulnerabilities found" + exit 1 + else + echo "No actionable vulnerabilities" + exit 0 + fi \ No newline at end of file diff --git a/audits/strict-audit/README.md b/audits/strict-audit/README.md new file mode 100644 index 0000000..8b9643f --- /dev/null +++ b/audits/strict-audit/README.md @@ -0,0 +1,27 @@ +### Strict Audit + +A github action that runs audit without ignoring vulnerabilities that have not been fixed. + +### How to use? + +```yml +- uses: FuelLabs/github-actions/audits/strict-audit + with: + node-version: 18.14.1 + pnpm-version: latest +``` + +### Inputs + +| Name | Description | +| ------------ | ------------ | +| node-version | Node version | +| pnpm-version | PNPM version | + +### Outputs + +No outputs defined + +## License + +The primary license for this repo is `Apache 2.0`, see [`LICENSE`](../../LICENSE.md). diff --git a/audits/strict-audit/action.yml b/audits/strict-audit/action.yml new file mode 100644 index 0000000..6357557 --- /dev/null +++ b/audits/strict-audit/action.yml @@ -0,0 +1,23 @@ +name: Strict Audit + +on: + workflow_call: + inputs: + node-version: + required: true + type: string + pnpm-version: + required: true + type: string + +jobs: + strict-audit: + name: Strict Audit + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: ./setups/node + with: + node-version: ${{ inputs.node-version }} + pnpm-version: ${{ inputs.pnpm-version }} + - run: pnpm audit --prod \ No newline at end of file