From 3ada426cbd37d0459252e983e9afaac1ef900dbc Mon Sep 17 00:00:00 2001
From: Arthur Geron <3487334+arthurgeron@users.noreply.github.com>
Date: Wed, 7 Aug 2024 18:12:14 -0300
Subject: [PATCH] feat: add audit and strict audit actions

---
 README.md | 1 +
 audits/lenient-audit/README.md | 27 ++++++++++++++++++++++
 audits/lenient-audit/action.yml | 41 +++++++++++++++++++++++++++++++++
 audits/strict-audit/README.md | 27 ++++++++++++++++++++++
 audits/strict-audit/action.yml | 23 ++++++++++++++++++
 5 files changed, 119 insertions(+)
 create mode 100644 audits/lenient-audit/README.md
 create mode 100644 audits/lenient-audit/action.yml
 create mode 100644 audits/strict-audit/README.md
 create mode 100644 audits/strict-audit/action.yml

diff --git a/README.md b/README.md
index 0a20207..17dcab3 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,7 @@ Repoistory to host all of Fuel's reusable workflows
 | Group | Description |
 | --------------------------------- | ---------------------------------------------------------------- |
+| [audit](./audits/) | Reusable workflows for auditing npm packages |
 | [changeset](./changeset/) | Reusable workflow for create changesets and release npm packages |
 | [gh-projects](./gh-projects/) | Automating interactions between GH Projects and repositories |
 | [setups/node](./setups/node/) | Setup node and pnpm requirements on CI |
diff --git a/audits/lenient-audit/README.md b/audits/lenient-audit/README.md
new file mode 100644
index 0000000..66cb7cc
--- /dev/null
+++ b/audits/lenient-audit/README.md
@@ -0,0 +1,27 @@
+### Audit
+
+A github action that runs audit and does not fails if the reported vulnerabilities have not yet been fixed.
+
+### How to use?
+
+```yml
+- uses: FuelLabs/github-actions/audits/lenient-audit
+ with:
+ node-version: 18.14.1
+ pnpm-version: latest
+```
+
+### Inputs
+
+| Name | Description |
+| ------------ | ------------ |
+| node-version | Node version |
+| pnpm-version | PNPM version |
+
+### Outputs
+
+No outputs defined
+
+## License
+
+The primary license for this repo is `Apache 2.0`, see [`LICENSE`](../../LICENSE.md).
diff --git a/audits/lenient-audit/action.yml b/audits/lenient-audit/action.yml
new file mode 100644
index 0000000..49aace9
--- /dev/null
+++ b/audits/lenient-audit/action.yml
@@ -0,0 +1,41 @@
+name: Lenient Audit
+
+on:
+ workflow_call:
+ inputs:
+ node-version:
+ required: true
+ type: string
+ pnpm-version:
+ required: true
+ type: string
+
+jobs:
+ audit:
+ name: Audit
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: ./setups/node
+ with:
+ node-version: ${{ inputs.node-version }}
+ pnpm-version: ${{ inputs.pnpm-version }}
+ - name: Install jq
+ run: sudo apt-get install jq
+ - run: |
+ pnpm audit --prod --json | jq '
+ def has_fix:
+ .advisories | to_entries | map(.value.patched_versions != "<0.0.0") | any;
+ if has_fix then
+ 1
+ else
+ 0
+ end
+ ' > audit_result.txt
+ if [ "$(cat audit_result.txt)" -eq "1" ]; then
+ echo "Actionable vulnerabilities found"
+ exit 1
+ else
+ echo "No actionable vulnerabilities"
+ exit 0
+ fi
\ No newline at end of file
diff --git a/audits/strict-audit/README.md b/audits/strict-audit/README.md
new file mode 100644
index 0000000..8b9643f
--- /dev/null
+++ b/audits/strict-audit/README.md
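Review bot: The `run` step in audits/lenient-audit/action.yml pipes `pnpm audit --prod --json` straight into jq, but under the runner's default shell for `run` steps (bash with `-e` and `-o pipefail`) a non-zero exit from `pnpm audit` — which, as far as I know, it returns whenever advisories are reported — aborts the step before the `has_fix` verdict is ever read, so the lenient branch is effectively unreachable; and if the pipeline is ever relaxed, an empty report makes jq print nothing and the `-eq "1"` test then falls through to `exit 0`, i.e. fails open. Capturing the report first and treating anything other than an explicit `0` as a failure keeps both properties: `pnpm audit --prod --json > audit.json || true`, `jq '…' audit.json > audit_result.txt`, `if [ "$(cat audit_result.txt)" != "0" ]; then`. Separately, this file is named `action.yml` but carries the reusable-workflow schema (`on: workflow_call`, `jobs:`) rather than action metadata (`runs:`, top-level `inputs:`), so the `uses: FuelLabs/github-actions/audits/lenient-audit` step documented in the README cannot load it and, if I recall the rules correctly, a reusable workflow must also live under `.github/workflows/`; the same applies to audits/strict-audit/action.yml. `uses: ./setups/node` is likewise resolved against the caller's checked-out workspace, so it only works when this repository itself is the one checked out. For a job whose sole purpose is gating on audit results, consider pinning `actions/checkout@v3` to a full commit SHA rather than a mutable tag.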
@@ -0,0 +1,27 @@
+### Strict Audit
+
+A github action that runs audit without ignoring vulnerabilities that have not been fixed.
+
+### How to use?
+
+```yml
+- uses: FuelLabs/github-actions/audits/strict-audit
+ with:
+ node-version: 18.14.1
+ pnpm-version: latest
+```
+
+### Inputs
+
+| Name | Description |
+| ------------ | ------------ |
+| node-version | Node version |
+| pnpm-version | PNPM version |
+
+### Outputs
+
+No outputs defined
+
+## License
+
+The primary license for this repo is `Apache 2.0`, see [`LICENSE`](../../LICENSE.md).
diff --git a/audits/strict-audit/action.yml b/audits/strict-audit/action.yml
new file mode 100644
index 0000000..6357557
--- /dev/null
+++ b/audits/strict-audit/action.yml
@@ -0,0 +1,23 @@
+name: Strict Audit
+
+on:
+ workflow_call:
+ inputs:
+ node-version:
+ required: true
+ type: string
+ pnpm-version:
+ required: true
+ type: string
+
+jobs:
+ strict-audit:
+ name: Strict Audit
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: ./setups/node
+ with:
+ node-version: ${{ inputs.node-version }}
+ pnpm-version: ${{ inputs.pnpm-version }}
+ - run: pnpm audit --prod
\ No newline at end of file