Bump the npm_and_yarn group in /rest with 1 update #23428
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-License-Identifier: Apache-2.0 | |
| name: Security | |
| on: | |
| pull_request: | |
| branches: | |
| - "main" | |
| - "release/**" | |
| push: | |
| branches: | |
| - "main" | |
| - "release/**" | |
| tags: | |
| - "v*" | |
| defaults: | |
| run: | |
| shell: bash | |
| permissions: | |
| contents: read | |
| env: | |
| LC_ALL: C.UTF-8 | |
| jobs: | |
| dependencies: | |
| name: Dependency Check | |
| runs-on: hiero-mirror-node-linux-large | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Install JDK | |
| uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 | |
| with: | |
| distribution: temurin | |
| java-version: 21 | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4 | |
| with: | |
| gradle-home-cache-includes: | | |
| caches | |
| notifications | |
| jdks | |
| dependency-check-data | |
| # write a cache on all executions to ensure the NVD data stays up-to-date | |
| cache-read-only: false | |
| - name: Vulnerability check | |
| run: ./gradlew dependencyCheckAggregate | |
| timeout-minutes: 20 | |
| - name: Upload report | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| if: failure() | |
| with: | |
| name: dependency-check-report | |
| path: build/reports/dependency-check-report.html | |
| gosec: | |
| name: GoSec Code Scan | |
| env: | |
| GO111MODULE: on | |
| runs-on: hiero-mirror-node-linux-large | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| path: tmp | |
| - name: Copy rosetta to workspace root | |
| working-directory: . | |
| run: | | |
| cp -r tmp/rosetta/* . | |
| rm -fr tmp | |
| - name: Run Gosec Security Scanner | |
| uses: securego/gosec@6decf96c3d272d5a8bbdcf9fddb5789d0be16a8d # v2.22.4 | |
| with: | |
| args: ./... | |
| snyk: | |
| if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') | |
| name: Snyk Open Source | |
| runs-on: hiero-mirror-node-linux-large | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Node | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22 | |
| - name: Install JDK | |
| uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 | |
| with: | |
| distribution: temurin | |
| java-version: 21 | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4 | |
| - name: Setup Snyk | |
| run: npm install -g snyk-to-html @wcj/html-to-markdown-cli | |
| - name: Execute Snyk Test | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: ./gradlew snyk-test | |
| - name: Publish Snyk Results | |
| continue-on-error: true | |
| if: ${{ !cancelled() && always() }} | |
| run: | | |
| report="build/reports/snyk-test" | |
| if [[ -f ${report}.json ]]; then | |
| snyk-to-html -i ${report}.json -o ${report}.html && \ | |
| html-to-markdown ${report}.html -o build/reports && \ | |
| cat ${report}.html.md >> $GITHUB_STEP_SUMMARY | |
| fi | |
| snyk-code: | |
| if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') | |
| name: Snyk Code | |
| runs-on: hiero-mirror-node-linux-large | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Node | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 22 | |
| - name: Install JDK | |
| uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 | |
| with: | |
| distribution: temurin | |
| java-version: 21 | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4 | |
| - name: Setup Snyk | |
| run: npm install -g snyk-to-html @wcj/html-to-markdown-cli | |
| - name: Execute Snyk Code Test | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: ./gradlew snyk-code | |
| - name: Publish Snyk Results | |
| continue-on-error: true | |
| if: ${{ !cancelled() && always() }} | |
| run: | | |
| report="build/reports/snyk-code" | |
| if [[ -f ${report}.json ]]; then | |
| snyk-to-html -i ${report}.json -o ${report}.html && \ | |
| html-to-markdown ${report}.html -o build/reports && \ | |
| cat ${report}.html.md >> $GITHUB_STEP_SUMMARY | |
| fi | |
| spotless-check: | |
| name: Spotless Code Format Check | |
| runs-on: hiero-mirror-node-linux-medium | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 1 | |
| - name: Install JDK | |
| uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 | |
| with: | |
| distribution: temurin | |
| java-version: 21 | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4 | |
| - name: Execute Gradle | |
| run: ./gradlew spotlessCheck | |
| - name: Fail on Unformatted Files | |
| if: failure() | |
| run: echo "Spotless check failed. Code formatting issues found. Please run './gradlew spotlessApply' locally and commit the changes." |