deps: Bump @radix-ui/react-avatar from 1.1.11 to 1.2.0 #417
| name: Security Scanning | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: '0 6 * * 1' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| statuses: write | |
| jobs: | |
| audit: | |
| name: Dependency Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| cache: 'npm' | |
| - run: npm ci --ignore-scripts | |
| - name: Production dependency audit (fail on moderate+) | |
| run: npm audit --omit=dev --audit-level=moderate | |
| - name: Full dependency audit (informational) | |
| run: npm audit || true | |
| - name: Check for outdated dependencies | |
| run: npm outdated || true | |
| snyk: | |
| name: Snyk Vulnerability Scan | |
| runs-on: ubuntu-latest | |
| if: github.event_name != 'schedule' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| cache: 'npm' | |
| - run: npm ci --ignore-scripts | |
| - name: Run Snyk to check for vulnerabilities | |
| continue-on-error: true | |
| uses: snyk/actions/node@v1.0.0 | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| args: --severity-threshold=high | |
| lint: | |
| name: Lint & Static Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| cache: 'npm' | |
| - run: npm ci --ignore-scripts | |
| - name: Run ESLint | |
| run: npm run lint | |
| test-security: | |
| name: Security Tests | |
| runs-on: ubuntu-latest | |
| env: | |
| ELECTRON_SKIP_BINARY_DOWNLOAD: '1' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| cache: 'npm' | |
| - name: Install system dependencies | |
| run: sudo apt-get update && sudo apt-get install -y python3 make g++ | |
| - run: npm ci | |
| - name: Rebuild native modules | |
| run: npm rebuild better-sqlite3-multiple-ciphers | |
| - name: Run cross-org access tests | |
| run: npm run test:security | |
| - name: Run business logic tests | |
| run: npm run test:business | |
| - name: Run compliance validation tests | |
| run: npm run test:compliance | |
| load-test: | |
| name: Performance Load Test | |
| runs-on: ubuntu-latest | |
| env: | |
| ELECTRON_SKIP_BINARY_DOWNLOAD: '1' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| cache: 'npm' | |
| - name: Install system dependencies | |
| run: sudo apt-get update && sudo apt-get install -y python3 make g++ | |
| - run: npm ci | |
| - name: Rebuild native modules | |
| run: npm rebuild better-sqlite3-multiple-ciphers | |
| - name: Run load tests | |
| run: npm run test:load | |
| lockfile-check: | |
| name: Lockfile Integrity | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| cache: 'npm' | |
| - name: Verify lockfile is committed | |
| run: | | |
| if [ ! -f package-lock.json ]; then | |
| echo "::warning::package-lock.json is not committed. Dependency pinning is recommended." | |
| fi | |
| - name: Verify clean install matches lockfile | |
| run: npm ci --ignore-scripts | |
| report-audit-status: | |
| name: Report audit status | |
| runs-on: ubuntu-latest | |
| needs: audit | |
| if: always() | |
| steps: | |
| - name: Set audit commit status | |
| uses: actions/github-script@v9 | |
| with: | |
| script: | | |
| const state = '${{ needs.audit.result }}' === 'success' ? 'success' : 'failure'; | |
| const sha = context.payload.pull_request | |
| ? context.payload.pull_request.head.sha | |
| : context.sha; | |
| await github.rest.repos.createCommitStatus({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| sha, | |
| state, | |
| context: 'audit', | |
| description: `Dependency audit ${state}`, | |
| target_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}` | |
| }); | |
| report-snyk-status: | |
| name: Report snyk status | |
| runs-on: ubuntu-latest | |
| needs: snyk | |
| if: always() | |
| steps: | |
| - name: Set snyk commit status | |
| uses: actions/github-script@v9 | |
| with: | |
| script: | | |
| const result = '${{ needs.snyk.result }}'; | |
| const state = (result === 'success' || result === 'skipped') ? 'success' : 'failure'; | |
| const sha = context.payload.pull_request | |
| ? context.payload.pull_request.head.sha | |
| : context.sha; | |
| await github.rest.repos.createCommitStatus({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| sha, | |
| state, | |
| context: 'snyk', | |
| description: `Snyk vulnerability scan ${state}`, | |
| target_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}` | |
| }); |
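Review bot: The `snyk` commit status computed on line 153 cannot reflect scan findings, because the Snyk step on lines 44–50 runs with `continue-on-error: true` (line 45), so the job result is `success` whether the scan passes, exits non-zero on high-severity issues, or fails because `SNYK_TOKEN` is unavailable (as on pull requests from forks), and line 153 then publishes `success`. Either remove line 45 so a failing scan fails the job, or give the step an `id` and forward `steps.<id>.outcome` through a job output to `report-snyk-status` so the status can be `failure` (or `neutral`) when the scan did not actually pass. Separately, every action is pinned to a mutable tag (`actions/checkout@v4`, `actions/setup-node@v4`, `snyk/actions/node@v1.0.0`, `actions/github-script@v9`); for a workflow that holds `statuses: write` and a Snyk token, pinning to full-length commit SHAs with the tag in a trailing comment removes the tag-retargeting supply-chain risk. The top-level `statuses: write` on line 15 is also wider than needed — only the two `report-*-status` jobs call `createCommitStatus`, so it could move into those jobs' own `permissions` blocks while the workflow default stays at `contents: read`.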