Bump github/codeql-action from 2 to 3 (#110)

* Bump github/codeql-action from 2 to 3 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v2...v3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> * Bump gitleaks/gitleaks from 8.18.0 to 8.18.1 * Bump fabasoad/pre-commit-snyk from 0.4.0 to 0.5.0 * Bump igorshubovych/markdownlint-cli from 0.37.0 to 0.38.0 * Bump igorshubovych/markdownlint-cli from 0.37.0 to 0.38.0 * Bump igorshubovych/markdownlint-cli from 0.37.0 to 0.38.0 * Bump igorshubovych/markdownlint-cli from 0.37.0 to 0.38.0 * Rollback changes * Rollback changes * Test 1 --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eugene <[email protected]>
fabasoad · Jan 2, 2024 · acc574e · acc574e
1 parent 19e3a52
commit acc574e
Show file tree

Hide file tree

Showing 21 changed files with 3,033 additions and 4,709 deletions.
diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml
@@ -29,7 +29,8 @@ jobs:
             api-key: SIGHTENGINE_API_SECRET
             threshold: 0.8
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout ${{ github.repository }}
+        uses: actions/checkout@v4
       - name: Prepare API key
         id: secrets
         run: |
@@ -42,7 +43,8 @@ jobs:
         run: |
           curl https://images-na.ssl-images-amazon.com/images/I/91cDPlxcRiL._SL1500_.jpg --output test.jpg
           git add test.jpg
-      - uses: ./
+      - name: Detect NSFW content
+        uses: ./
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           provider: ${{ matrix.provider }}

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -0,0 +1,57 @@
+---
+name: Linting
+
+on: # yamllint disable-line rule:truthy
+  pull_request: {}
+  push:
+    branches:
+      - main
+
+jobs:
+  eslint:
+    name: ESLint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout ${{ github.repository }}
+        uses: actions/checkout@v4
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20.10.0"
+      - name: Cache yarn dependencies
+        id: yarn-cache
+        uses: actions/cache@v3
+        with:
+          path: |
+            .yarn/cache
+            node_modules
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}-${{ hashFiles('**/.yarnrc.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - name: Compile
+        if: ${{ steps.yarn-cache.outputs.cache-hit != 'true' }}
+        run: yarn install
+      - name: Run ESLint
+        uses: sibiraj-s/action-eslint@v3
+        with:
+          all-files: "true"
+          ignore-patterns: |
+            .github
+            .yarn
+            coverage
+            dist
+            node_modules
+          eslint-args: "-o eslint-results.sarif -f ${{ github.workspace }}/node_modules/@microsoft/eslint-formatter-sarif/sarif.js"
+          extensions: "js,jsx,ts,tsx"
+          annotations: true
+      - name: Upload to GHAS
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: "eslint"
+          sarif_file: "eslint-results.sarif"
+  pre-commit:
+    name: Pre-commit
+    uses: fabasoad/reusable-workflows/.github/workflows/wf-pre-commit.yml@main
+    with:
+      skip-hooks: "audit, build, eslint, test, snyk-test"
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,7 +11,8 @@ jobs:
     name: Create release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout ${{ github.repository }}
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Get changelog

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -1,40 +1,59 @@
 ---
 name: Security
 
-on:
+on: # yamllint disable-line rule:truthy
+  pull_request: {}
   push:
     branches:
-      - 'main'
-  pull_request:
+      - main
 
 defaults:
   run:
     shell: sh
 
 jobs:
-  codeql:
-    name: CodeQL
+  code-scanning:
+    name: Code scanning
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ['javascript']
     steps:
-      - name: Checkout repository
+      - name: Checkout ${{ github.repository }}
         uses: actions/checkout@v4
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
-          languages: ${{ matrix.language }}
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+          languages: "javascript"
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        id: codeql-analysis
+        uses: github/codeql-action/analyze@v3
+      - name: Upload to GHAS
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: "code-scanning"
+          sarif_file: "${{ steps.codeql-analysis.outputs.sarif-output }}"
   yarn-audit:
     name: Yarn audit
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
+      - name: Checkout ${{ github.repository }}
         uses: actions/checkout@v4
       - name: Yarn audit
         run: yarn npm audit --all
+  directory-scanning:
+    name: Directory scanning
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout ${{ github.repository }}
+        uses: actions/checkout@v4
+      - name: Scan current project
+        id: scan-directory
+        uses: anchore/scan-action@v3
+        with:
+          by-cve: "true"
+          path: "."
+      - name: Upload to GHAS
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: "directory-scanning"
+          sarif_file: "${{ steps.scan-directory.outputs.sarif }}"
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
@@ -7,15 +7,14 @@ on: # yamllint disable-line rule:truthy
       - main
     paths:
       - .github/labels.yml
-  workflow_dispatch:
+  workflow_dispatch: {}
 
 jobs:
   sync-labels:
     name: Sync labels
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout ${{ github.repository }}
+        uses: actions/checkout@v4
       - name: Run Label Syncer
         uses: micnncim/action-label-syncer@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -8,7 +8,7 @@ on:
   pull_request:
 
 jobs:
-  unit_tests:
+  unit-tests:
     name: Tests
     timeout-minutes: 5
     runs-on: ubuntu-latest
@@ -19,7 +19,8 @@ jobs:
       SIGHTENGINE_API_USER: ${{ secrets.SIGHTENGINE_API_USER }}
       SIGHTENGINE_API_SECRET: ${{ secrets.SIGHTENGINE_API_SECRET }}
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout ${{ github.repository }}
+        uses: actions/checkout@v4
       - name: Cache node_modules
         id: cache
         uses: actions/cache@v3

diff --git a/.github/workflows/update-license.yml b/.github/workflows/update-license.yml
@@ -9,10 +9,12 @@ jobs:
   run:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout ${{ github.repository }}
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: FantasticFiasco/action-update-license-year@v3
+      - name: Update LICENSE file
+        uses: FantasticFiasco/action-update-license-year@v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           assignees: ${{ github.repository_owner }}

diff --git a/.gitleaks.toml b/.gitleaks.toml
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -0,0 +1,2 @@
+.yarn/releases/yarn-4.0.2.cjs:aws-access-token:149
+.yarn/releases/yarn-4.0.2.cjs:generic-api-key:567
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -28,28 +28,35 @@ repos:
         verbose: true
         stages: ["push"]
   # Security
+      - id: audit
+        name: Yarn audit
+        entry: yarn npm audit --all
+        language: system
+        pass_filenames: false
+        verbose: false
+        stages: ["push"]
   - repo: https://github.com/Yelp/detect-secrets
     rev: v1.4.0
     hooks:
       - id: detect-secrets
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.18.0
+    rev: v8.18.1
     hooks:
       - id: gitleaks
   - repo: https://github.com/fabasoad/pre-commit-snyk
-    rev: v0.4.0
+    rev: v0.5.0
     hooks:
       - id: snyk-test
         stages: ["push"]
   # Markdown
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.37.0
+    rev: v0.38.0
     hooks:
       - id: markdownlint-fix
         stages: ["commit"]
   # Yaml
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.32.0
+    rev: v1.33.0
     hooks:
       - id: yamllint
         stages: ["push"]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		.yarn/releases/yarn-4.0.2.cjs:aws-access-token:149
		.yarn/releases/yarn-4.0.2.cjs:generic-api-key:567