diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c602d0130735..19eb57fe03cb 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -62,40 +62,6 @@ jobs:
run: yarn lint
if: success()
- audit-ci:
- name: Run audit-ci
- needs: prebuild
- runs-on: ubuntu-latest
- timeout-minutes: 15
- steps:
- - name: Checkout repo
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
- submodules: true
-
- - name: Install Node.js v16
- uses: actions/setup-node@v3
- with:
- node-version: "16"
-
- - name: Fetch dependencies from cache
- id: cache-yarn
- uses: actions/cache@v3
- with:
- path: "**/node_modules"
- key: yarn-build-${{ hashFiles('**/yarn.lock') }}
- restore-keys: |
- yarn-build-
-
- - name: Install dependencies
- if: steps.cache-yarn.outputs.cache-hit != 'true'
- run: yarn --frozen-lockfile
-
- - name: Audit for vulnerabilities
- run: yarn _audit
- if: success()
-
build:
name: Build
needs: prebuild
@@ -596,30 +562,3 @@ jobs:
- name: Remove release packages and test artifacts
run: rm -rf ./release-packages ./test/test-results
-
- trivy-scan-repo:
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- runs-on: ubuntu-20.04
- steps:
- - name: Checkout repo
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
-
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac
- with:
- scan-type: "fs"
- scan-ref: "."
- ignore-unfixed: true
- format: "template"
- template: "@/contrib/sarif.tpl"
- output: "trivy-repo-results.sarif"
- severity: "HIGH,CRITICAL"
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: "trivy-repo-results.sarif"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 56339a1cce56..000000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-name: "Code Scanning"
-
-on:
- push:
- branches: [main]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [main]
- schedule:
- # Runs every Monday morning PST
- - cron: "17 15 * * 1"
-
-# Cancel in-progress runs for pull requests when developers push
-# additional changes, and serialize builds in branches.
-# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
-permissions:
- contents: read
-
-jobs:
- analyze:
- permissions:
- actions: read # for github/codeql-action/init to get workflow details
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/autobuild to send a status report
- name: Analyze
- runs-on: ubuntu-20.04
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
- with:
- config-file: ./.github/codeql-config.yml
- languages: javascript
-
- - name: Autobuild
- uses: github/codeql-action/autobuild@v2
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 000000000000..80d73ddbfcc9
--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,103 @@
+name: "Security Scanning"
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [main]
+ schedule:
+ # Runs every Monday morning PST
+ - cron: "17 15 * * 1"
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ audit-ci:
+ name: Run audit-ci
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Install Node.js v16
+ uses: actions/setup-node@v3
+ with:
+ node-version: "16"
+
+ - name: Fetch dependencies from cache
+ id: cache-yarn
+ uses: actions/cache@v3
+ with:
+ path: "**/node_modules"
+ key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+ restore-keys: |
+ yarn-build-
+
+ - name: Install dependencies
+ if: steps.cache-yarn.outputs.cache-hit != 'true'
+ run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile
+
+ - name: Audit for vulnerabilities
+ run: yarn _audit
+ if: success()
+
+ trivy-scan-repo:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac
+ with:
+ scan-type: "fs"
+ scan-ref: "."
+ ignore-unfixed: true
+ format: "template"
+ template: "@/contrib/sarif.tpl"
+ output: "trivy-repo-results.sarif"
+ severity: "HIGH,CRITICAL"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: "trivy-repo-results.sarif"
+
+ codeql-analyze:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
+ name: Analyze
+ runs-on: ubuntu-20.04
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ config-file: ./.github/codeql-config.yml
+ languages: javascript
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2