ci: hAWNG-281 apply yarn npm audit to workflow

This adds a new workflow 'Audit', which runs weekly on every Sunday to periodically audit the dependencies. It also inserts an audit step to Test workflow, so that every pull request is also audited against the potentially added dependencies.
hawtio · Nov 9, 2023 · 81a2943 · 81a2943
1 parent f18ad32
commit 81a2943
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,33 @@
+name: Audit
+
+on:
+  schedule:
+    # Run it every Sunday
+    - cron: '0 0 * * 0'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18
+      - name: Enable yarn v4
+        run: |
+          corepack enable
+          yarn -v
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+      - uses: actions/cache@v3
+        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - name: Audit
+        run: yarn npm audit --all
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -37,6 +37,8 @@ jobs:
         with:
           node-version: ${{ matrix.node }}
           cache: 'yarn'
+      - name: Audit
+        run: yarn npm audit --all
       - name: Install
         run: yarn install
       - name: Build