From 61d798a1042acfc3fae1a6ffd3270c508a5c98af Mon Sep 17 00:00:00 2001
From: sickn33
Date: Tue, 31 Mar 2026 18:05:41 +0200
Subject: [PATCH] ci(security): add dependency review and actionlint

---
 .github/workflows/actionlint.yml | 33 +++++++++++++++++++++++++
 .github/workflows/dependency-review.yml | 21 ++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 .github/workflows/actionlint.yml
 create mode 100644 .github/workflows/dependency-review.yml

diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 00000000..e3e10ede
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,33 @@
+name: Actionlint
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/**"
+  push:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/**"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Download actionlint
+        env:
+          ACTIONLINT_VERSION: "1.7.12"
+        run: |
+          set -euo pipefail
+          curl -fsSLO "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
+          tar -xzf "actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
+
+      - name: Run actionlint
+        run: ./actionlint -color
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..e7151001
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,21 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: ["main"]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+          fail-on-scopes: runtime
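Review bot: The `Download actionlint` step extracts and executes the release tarball without verifying it — the fetch is over HTTPS, but nothing compares the archive against the checksums file actionlint publishes with each release, so a swapped or tampered asset would run on the runner unchecked. Pin the expected digest next to the version, e.g. `ACTIONLINT_SHA256: "<sha256 of actionlint_1.7.12_linux_amd64.tar.gz from the release checksums file>"`, and verify before extracting with `echo "${ACTIONLINT_SHA256}  actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" | sha256sum -c -` placed before the `tar -xzf` line. The same concern applies to `actions/checkout@v5` here and in dependency-review.yml: for workflows whose purpose is hardening CI, reference the action by full commit SHA with the tag in a trailing comment so a moved tag cannot change what runs. A one-line comment above `ACTIONLINT_VERSION` saying the digest must be bumped together with the version would keep the two from drifting apart.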
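Review bot: `fail-on-scopes: runtime` narrows the check below the action's default (which, as far as I recall, also includes `development`), so advisories against build- and test-time dependencies never fail the job, and nothing in the file says that is intended. Either drop the key to keep the default or document the tradeoff inline, e.g. `# runtime only: <reason development-scope advisories are excluded>`. Likewise `fail-on-severity: high` lets moderate findings through silently; a short comment stating the threshold was chosen deliberately would help the next reader. The action also depends on the repository's dependency graph being enabled — if it is not, the job fails at setup rather than on findings, which is worth noting in a comment above the `uses:` line.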