fix: package.json & package-lock.json to reduce vulnerabilities #3333
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: [push] | |
| jobs: | |
| # -- TESTS ------------------------------------------------------------------ | |
| tests: | |
| name: Tests | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| node: ['18'] | |
| mongodb: ['5.0'] | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| auth.docker.io:443 | |
| github.com:443 | |
| objects.githubusercontent.com:443 | |
| pipelines.actions.githubusercontent.com:443 | |
| production.cloudflare.docker.com:443 | |
| registry-1.docker.io:443 | |
| registry.npmjs.org:443 | |
| snyk.io:443 | |
| docker.io:443 | |
| auth.docker.io:443 | |
| production.cloudflare.docker.com:443 | |
| - name: Checkout | |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
| - name: Setup Node.js ${{ matrix.node }} | |
| uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| check-latest: true | |
| - name: Install dependencies | |
| run: npm install | |
| - name: Start MongoDB | |
| uses: supercharge/mongodb-github-action@e815fd8a9dfede09fd6e6c144f2c9f4875e933df # tag=1.7.0 | |
| with: | |
| mongodb-version: ${{ matrix.mongodb }} | |
| mongodb-db: encryptionAPI | |
| - name: Run Unit-Tests + Code Coverage | |
| run: npm run test:coverage | |
| - name: Save Code Coverage | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: code-coverage | |
| path: coverage | |
| # -- SONARCLOUD ------------------------------------------------------------- | |
| code-quality: | |
| name: Code Quality | |
| runs-on: ubuntu-latest | |
| needs: tests | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| pipelines.actions.githubusercontent.com:443 | |
| sonarcloud.io:443 | |
| scanner.sonarcloud.io:443 | |
| - name: Checkout | |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
| - name: Download Code Coverage | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: code-coverage | |
| path: coverage | |
| - name: Get App Version | |
| run: ./scripts/version.sh | |
| - name: SonarCloud Scan | |
| uses: sonarsource/sonarcloud-github-action@master | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| # -- SAST SCAN -------------------------------------------------------------- | |
| code-security: | |
| name: Code Security | |
| runs-on: ubuntu-latest | |
| needs: tests | |
| # Skip any PR created by dependabot to avoid permission issues | |
| if: (github.actor != 'dependabot[bot]') | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| github.com:443 | |
| api.github.com:443 | |
| pipelines.actions.githubusercontent.com:443 | |
| registry.npmjs.org:443 | |
| registry-1.docker.io:443 | |
| osv-vulnerabilities.storage.googleapis.com:443 | |
| nvd.nist.gov:443 | |
| pypi.org:443 | |
| location.services.mozilla.com:443 | |
| docker.io:443 | |
| auth.docker.io:443 | |
| production.cloudflare.docker.com:443 | |
| - name: Checkout | |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
| - name: Perform Scan | |
| uses: ShiftLeftSecurity/scan-action@master | |
| env: | |
| WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SCAN_ANNOTATE_PR: true | |
| - name: Save the SCAN reports | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: sast-reports | |
| path: reports | |
| # -- ZAP Scan --------------------------------------------------------------- | |
| api-security: | |
| name: API Security | |
| runs-on: ubuntu-latest | |
| needs: tests | |
| # Skip any PR created by dependabot to avoid permission issues | |
| if: (github.actor != 'dependabot[bot]') | |
| strategy: | |
| matrix: | |
| node: ['18'] | |
| mongodb: ['5.0'] | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| auth.docker.io:443 | |
| bit.ly:443 | |
| cfu.zaproxy.org:443 | |
| content-signature-2.cdn.mozilla.net:443 | |
| docker.io:443 | |
| firefox.settings.services.mozilla.com:443 | |
| github.com:443 | |
| location.services.mozilla.com:443 | |
| news.zaproxy.org:443 | |
| objects.githubusercontent.com:443 | |
| pipelines.actions.githubusercontent.com:443 | |
| production.cloudflare.docker.com:443 | |
| raw.githubusercontent.com:443 | |
| registry-1.docker.io:443 | |
| registry.npmjs.org:443 | |
| shavar.services.mozilla.com:443 | |
| snyk.io:443 | |
| tel.zaproxy.org:443 | |
| tracking-protection.cdn.mozilla.net:443 | |
| - name: Checkout | |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
| - name: Setup Node.js ${{ matrix.node }} | |
| uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| check-latest: true | |
| - name: Install dependencies | |
| run: npm install | |
| - name: Start MongoDB | |
| uses: supercharge/mongodb-github-action@e815fd8a9dfede09fd6e6c144f2c9f4875e933df # tag=1.7.0 | |
| with: | |
| mongodb-version: ${{ matrix.mongodb }} | |
| mongodb-db: encryptionAPI | |
| - name: Start the app | |
| run: npm start > /dev/null & | |
| - name: Run ZAP API Scan | |
| uses: zaproxy/action-api-scan@6c29b04d78969bf586f2d4ea15c613d2dfb49d07 # tag=v0.2.0 | |
| with: | |
| target: http://localhost:3000/swagger/json | |
| format: openapi | |
| # -- PRE-RELEASE ------------------------------------------------------------ | |
| pre-release: | |
| name: Prepare Release | |
| runs-on: ubuntu-latest | |
| needs: | |
| - code-quality | |
| - code-security | |
| - api-security | |
| if: github.ref == 'refs/heads/master' | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
| - name: Semantic Release | |
| uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # -- BUILD ------------------------------------------------------------------ | |
| build: | |
| name: Build & Release | |
| runs-on: ubuntu-latest | |
| needs: pre-release | |
| if: github.ref == 'refs/heads/master' | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0 | |
| with: | |
| images: ${{ github.repository }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=sha | |
| type=raw,value=latest | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # tag=v2.1.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # tag=v2.2.1 | |
| - name: Login to DockerHub | |
| uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Build and push | |
| uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} |