Audit dependencies #101
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Audit dependencies" | |
| on: | |
| # Runs audit every monday | |
| schedule: | |
| - cron: '0 10 * * 1' | |
| # Enable manual run | |
| workflow_dispatch: | |
| jobs: | |
| audit: | |
| # Do not run scheduled audit on tier repositories | |
| if: github.repository == 'glpi-project/glpi' || github.event_name != 'schedule' | |
| permissions: | |
| issues: "write" | |
| name: "Audit dependencies (${{ matrix.branch }})" | |
| runs-on: "ubuntu-latest" | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - {branch: "10.0/bugfixes", php-version: "7.4"} | |
| env: | |
| COMPOSE_FILE: ".github/actions/docker-compose-app.yml" | |
| APPLICATION_ROOT: "${{ github.workspace }}" | |
| PHP_IMAGE: "githubactions-php:${{ matrix.php-version }}" | |
| UPDATE_FILES_ACL: true | |
| steps: | |
| - name: "Set env" | |
| run: | | |
| echo "APP_CONTAINER_HOME=${{ runner.temp }}/app_home" >> $GITHUB_ENV | |
| - name: "Checkout" | |
| uses: "actions/checkout@v4" | |
| with: | |
| ref: ${{ matrix.branch }} | |
| - name: "Restore dependencies cache" | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ${{ env.APP_CONTAINER_HOME }}/.composer/cache/ | |
| ${{ env.APP_CONTAINER_HOME }}/.npm/_cacache/ | |
| key: "app_home_deps-${{ matrix.php-version }}-${{ hashFiles('composer.lock', 'package-lock.json') }}" | |
| restore-keys: | | |
| app_home_deps-${{ matrix.php-version }}- | |
| app_home_deps- | |
| - name: "Initialize containers" | |
| run: | | |
| .github/actions/init_containers-start.sh | |
| - name: "Show versions" | |
| run: | | |
| .github/actions/init_show-versions.sh | |
| - name: "Audit npm dependencies" | |
| continue-on-error: true | |
| id: "npmaudit" | |
| run: | | |
| set -o pipefail | |
| CODE=0 | |
| LOG=$( npm audit package-lock-only 2>&1 | tee /dev/stderr ) || CODE=$? | |
| echo "CODE=$CODE" >> $GITHUB_OUTPUT | |
| printf "LOG<<EOF\n$LOG\nEOF" >> $GITHUB_OUTPUT | |
| - name: "Create issue if npm audit fails" | |
| if: "${{ steps.npmaudit.outputs.CODE != '0' }}" | |
| uses: "actions/github-script@v7" | |
| with: | |
| script: | | |
| const result = await github.rest.issues.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| title: 'npm audit failed (${{ matrix.branch }})', | |
| body: '```\n' + ${{ toJSON(steps.npmaudit.outputs.LOG) }} + '\n```', | |
| }); | |
| - name: "Audit composer dependencies" | |
| continue-on-error: true | |
| id: "composeraudit" | |
| run: | | |
| set -o pipefail | |
| CODE=0 | |
| LOG=$( composer audit --locked 2>&1 | tee /dev/stderr ) || CODE=$? | |
| echo "CODE=$CODE" >> $GITHUB_OUTPUT | |
| printf "LOG<<EOF\n$LOG\nEOF" >> $GITHUB_OUTPUT | |
| - name: "Create issue if composer audit fails" | |
| if: "${{ steps.composeraudit.outputs.CODE != '0' }}" | |
| uses: "actions/github-script@v7" | |
| with: | |
| script: | | |
| const result = await github.rest.issues.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| title: 'composer audit failed (${{ matrix.branch }})', | |
| body: '```\n# composer audit report\n\n' + ${{ toJSON(steps.composeraudit.outputs.LOG) }} + '\n```', | |
| }); |