Merge pull request #27 from Stassi/feature/codeql-security

feature/codeql-security
Stassi · Sep 25, 2024 · 3219f44 · 3219f44
2 parents 7068b94 + d031529
commit 3219f44
Show file tree

Hide file tree

Showing 5 changed files with 69 additions and 18 deletions.
diff --git a/.github/workflows/continuous-delivery.yml b/.github/workflows/continuous-delivery.yml
@@ -14,14 +14,14 @@ jobs:
 
     steps:
       - name: Repository checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.1.7
 
       - name: Node.js setup
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v4.0.4
         with:
           cache: npm
           cache-dependency-path: package-lock.json
-          node-version: 20.17.x
+          node-version: 20.17.0
           registry-url: https://registry.npmjs.org
 
       - name: Dependencies installation

diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -13,15 +13,15 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [ 18.20.x, 20.17.x ]
+        node-version: [ 18.20.4, 20.17.0 ]
         os: [ macos-latest, ubuntu-latest, windows-latest ]
 
     steps:
       - name: Repository checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.1.7
 
       - name: Node.js setup ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v4.0.4
         with:
           cache: npm
           cache-dependency-path: package-lock.json

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -1,28 +1,79 @@
 name: Security
 
-on: push
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+  schedule:
+    - cron: '25 16 * * 4'
 
 jobs:
-  security:
-    name: Snyk
-    runs-on: ubuntu-latest
-
+  codeql:
+    name: CodeQL
     permissions:
+      packages: read
       security-events: write
+    runs-on: ubuntu-latest
 
     steps:
       - name: Repository checkout
         uses: actions/[email protected]
 
-      - continue-on-error: true
+      - name: Node.js setup
+        uses: actions/[email protected]
+        with:
+          cache: npm
+          cache-dependency-path: package-lock.json
+          node-version: 18.20.4
+
+      - name: Dependencies installation
+        run: npm ci
+
+      - name: Test
+        run: npm test
+
+      - name: Initialization
+        uses: github/codeql-action/[email protected]
+        with:
+          languages: 'javascript-typescript'
+
+      - name: Analysis
+        uses: github/codeql-action/[email protected]
+
+      - name: Results upload
+        uses: github/codeql-action/[email protected]
+        with:
+          category: codeql-analysis
+
+  snyk:
+    name: Snyk
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Repository checkout
+        uses: actions/[email protected]
+
+      - name: Node.js setup
+        uses: actions/[email protected]
+        with:
+          cache: npm
+          cache-dependency-path: package-lock.json
+          node-version: 18.20.4
+
+      - name: Dependencies installation
+        run: npm ci
+
+      - name: Analysis
+        continue-on-error: true
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        name: Snyk vulnerabilities scan
         uses: snyk/actions/[email protected]
         with:
           args: --sarif-file-output=snyk.sarif
 
-      - name: SARIF upload to GitHub Code Scanning
-        uses: github/codeql-action/[email protected].8
+      - name: Results upload
+        uses: github/codeql-action/[email protected].9
         with:
+          category: snyk-analysis
           sarif_file: snyk.sarif
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@stassi/leaf",
-  "version": "0.0.26",
+  "version": "0.0.27",
   "description": "Leaflet adapter.",
   "keywords": [
     "cartography",