perf: exclude node_modules from content globbing in monorepos #691
Workflow file for this run
# Security: scheduled and per-change supply-chain checks for the monorepo.
# Every third-party package install below is wrapped in Socket Firewall (SFW)
# so that the fetched packages get scanned; see the comments on each step.
name: Security

on:
  schedule:
    - cron: '0 3 * * *' # every day at 03:00 UTC
  # Manual trigger from the Actions tab.
  workflow_dispatch:
  push:
    branches:
      - main
      - docusaurus-v**
  pull_request:
    branches:
      - main
      - docusaurus-v**

# One in-flight run per workflow and PR branch (head_ref); non-PR events fall
# back to run_id so they never cancel each other. Superseded runs are cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

# Least-privilege GITHUB_TOKEN: nothing in this job writes back to the repo.
permissions:
  contents: read

jobs:
  supply-chain-checks:
    name: Supply Chain Checks
    timeout-minutes: 30
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to a full commit SHA (the human-readable
      # version stays in the trailing comment) so a moved or re-tagged release
      # cannot change the code this workflow runs.
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install pnpm
        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
      - name: Use Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: lts/*
          # No cache on purpose! We want SFW to fetch packages
          # See https://socket.dev/blog/introducing-socket-firewall
      # Pinned to an exact version. This is the one package install that runs
      # before SFW exists on the runner, so it is not itself scanned by SFW;
      # the exact version pin is the only control applied to it here.
      - name: Install Socket Firewall Free
        run: npm install -g sfw@2.0.4
      # Ensure our monorepo gets scanned by SFW
      # --frozen-lockfile makes pnpm refuse to install when pnpm-lock.yaml is
      # out of sync with the manifests instead of silently re-resolving. The
      # command is retried up to three times, presumably to ride out transient
      # registry/network failures rather than to mask a real install error.
      - name: Install monorepo dependencies with SFW
        run: sfw pnpm install --frozen-lockfile || sfw pnpm install --frozen-lockfile || sfw pnpm install --frozen-lockfile
      # Check for malicious lockfile injections
      # See https://github.com/lirantal/npm-security-best-practices#4-prevent-npm-lockfile-injection
      # TODO lockfile-lint does not support pnpm-lock.yaml yet, so this check is
      # disabled until pnpm support lands.
      # See https://github.com/lirantal/lockfile-lint#what-about-pnpm-support
      # - name: Check for suspicious pnpm-lock.yaml
      #   # for allowed aliases, see https://github.com/yargs/cliui/pull/139/files#r1670711112
      #   run: pnpm lockfile-lint --path pnpm-lock.yaml --type npm --allowed-hosts npm --validate-https --validate-package-names --validate-integrity --empty-hostname=false --allowed-package-name-aliases react-loadable react-helmet-async string-width-cjs strip-ansi-cjs wrap-ansi-cjs react-is-18 react-is-19
      # Generate init template
      # Uses the checked-out (main-branch) create-docusaurus, with --skip-install
      # so the dependency install happens in the next, SFW-wrapped step.
      - name: Generate test-website project against main branch
        run: node ./packages/create-docusaurus/bin/index.js ../test-website classic --javascript --skip-install
      # Ensure no unexpected lifecycle (preinstall/postinstall scripts)
      # pnpm has options to fail a build on suspicious lifecycles
      # The heredoc writes a hardened pnpm-workspace.yaml for the generated
      # project before installing: strictDepBuilds fails the install on any
      # dependency build script not explicitly decided under allowBuilds (the
      # two listed packages are denied with `false`); blockExoticSubdeps
      # rejects transitive deps that do not come from the registry; trustPolicy
      # no-downgrade applies pnpm's publish-trust policy, with the two pinned
      # versions under trustPolicyExclude exempted. NOTE(review): key semantics
      # as understood from pnpm's docs — confirm against the pnpm version used.
      # The freshly generated project has no lockfile yet (presumably why
      # --frozen-lockfile is not passed); the install is retried like above.
      - name: Install test-website project with SFW and secure pnpm config
        working-directory: ../test-website
        run: |
          cat > pnpm-workspace.yaml <<'YAML'
          blockExoticSubdeps: true
          strictDepBuilds: true
          allowBuilds:
            '@swc/core': false
            core-js: false
          trustPolicy: no-downgrade
          trustPolicyExclude:
            - 'detect-port@1.6.1'
            - 'semver@6.3.1'
          YAML
          sfw pnpm install || sfw pnpm install || sfw pnpm install
          pnpm build