Merge pull request #34 from chainguard-dev/dependabot/npm_and_yarn/al… #40
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Malcontent Analysis on Push | |
| on: | |
| push: | |
| branches: | |
| - main | |
| permissions: {} | |
| jobs: | |
| malcontent: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 2 # Need at least 2 commits for HEAD~1 | |
| - name: Run Malcontent Diff | |
| id: malcontent | |
| uses: ./ # In actual usage, this would be: chainguard-dev/malcontent-action@... | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload SARIF | |
| uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b #v3.29.0 - 11 Jun 2025 | |
| if: always() # Upload even if the malcontent check fails | |
| with: | |
| sarif_file: ${{ steps.malcontent.outputs.sarif-file }} | |
| category: malcontent |