Skip to content

Add Epoch 1000 validator edition page #479

Add Epoch 1000 validator edition page

Add Epoch 1000 validator edition page #479

Workflow file for this run

name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
# Weekly full scan so new detection rules / advisories surface even
# without code changes.
- cron: "0 17 * * 1"
permissions:
contents: read
jobs:
secrets-scan:
name: Secrets scan (gitleaks)
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install gitleaks
env:
GITLEAKS_VERSION: "8.30.1"
# Pinned binary. Verify against the official checksums when bumping:
# https://github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_checksums.txt
# (line: gitleaks_8.30.1_linux_x64.tar.gz)
GITLEAKS_SHA256: "551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
run: |
set -euo pipefail
curl -sSfL -o /tmp/gitleaks.tar.gz \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
echo "${GITLEAKS_SHA256} /tmp/gitleaks.tar.gz" | sha256sum -c -
tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
- name: Scan full git history for secrets
run: /tmp/gitleaks git --redact --exit-code 1 .
dependency-audit:
name: Dependency audit (pnpm)
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: 10.15.1
run_install: false
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version-file: .node-version
- name: Audit production dependencies
# Fails on High/Critical advisories per the Solana Foundation SDLC.
# Known-unfixable advisories are ignored via auditConfig.ignoreGhsas
# in pnpm-workspace.yaml with a documented justification.
run: pnpm audit --audit-level high --prod