115 lines
3.4 KiB
YAML
115 lines
3.4 KiB
YAML
name: Scheduled Dependency Check
|
|
|
|
on:
|
|
schedule:
|
|
- cron: "29 3 * * 2"
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
dependency-check:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Detect project stack
|
|
id: detect
|
|
shell: bash
|
|
run: |
|
|
stacks=""
|
|
|
|
[ -f package.json ] && stacks="${stacks} node"
|
|
{ [ -f pyproject.toml ] || [ -f requirements.txt ]; } && stacks="${stacks} python"
|
|
[ -f Cargo.toml ] && stacks="${stacks} rust"
|
|
[ -f go.mod ] && stacks="${stacks} go"
|
|
{ [ -f Dockerfile ] || [ -f compose.yml ] || [ -f docker-compose.yml ]; } && stacks="${stacks} docker"
|
|
|
|
echo "stacks=${stacks:-generic}" >> "$GITHUB_OUTPUT"
|
|
echo "Detected stacks:${stacks:- generic}"
|
|
|
|
- name: Node dependency report
|
|
if: contains(steps.detect.outputs.stacks, 'node')
|
|
shell: bash
|
|
run: |
|
|
if [ -f package-lock.json ] || [ -f npm-shrinkwrap.json ]; then
|
|
npm ci
|
|
else
|
|
npm install --package-lock-only --ignore-scripts
|
|
fi
|
|
|
|
echo "Security audit:"
|
|
npm audit --omit=dev --audit-level=high
|
|
|
|
echo
|
|
echo "Outdated dependencies:"
|
|
npm outdated || true
|
|
|
|
- name: Python dependency report
|
|
if: contains(steps.detect.outputs.stacks, 'python')
|
|
shell: bash
|
|
run: |
|
|
python -m pip install --upgrade pip pip-audit
|
|
|
|
echo "Security audit:"
|
|
if [ -f requirements.txt ]; then
|
|
pip-audit -r requirements.txt
|
|
else
|
|
pip-audit
|
|
fi
|
|
|
|
echo
|
|
echo "Outdated packages:"
|
|
python -m pip list --outdated || true
|
|
|
|
- name: Rust dependency report
|
|
if: contains(steps.detect.outputs.stacks, 'rust')
|
|
shell: bash
|
|
run: |
|
|
cargo install cargo-audit cargo-outdated --locked
|
|
|
|
echo "Security audit:"
|
|
cargo audit
|
|
|
|
echo
|
|
echo "Outdated crates:"
|
|
cargo outdated || true
|
|
|
|
- name: Go dependency report
|
|
if: contains(steps.detect.outputs.stacks, 'go')
|
|
shell: bash
|
|
run: |
|
|
go install golang.org/x/vuln/cmd/govulncheck@latest
|
|
|
|
echo "Security audit:"
|
|
govulncheck ./...
|
|
|
|
echo
|
|
echo "Available dependency updates:"
|
|
go list -u -m all || true
|
|
|
|
- name: Docker base image report
|
|
if: contains(steps.detect.outputs.stacks, 'docker')
|
|
shell: bash
|
|
run: |
|
|
echo "Docker image references:"
|
|
grep -RInE --exclude-dir=.git --exclude-dir=node_modules --exclude-dir=dist --exclude-dir=build '^\s*FROM\s+' Dockerfile* . 2>/dev/null || true
|
|
|
|
echo
|
|
echo "Review Docker base images manually for pinned versions, official sources, and current security status."
|
|
|
|
- name: Dependency guidance
|
|
shell: bash
|
|
run: |
|
|
cat <<'EOF'
|
|
Dependency check completed.
|
|
|
|
This workflow reports vulnerabilities and available updates. It does
|
|
not modify dependency files, create pull requests, or publish packages.
|
|
|
|
Recommended manual follow-up:
|
|
- update dependencies in a focused branch,
|
|
- run the project test/build commands,
|
|
- review lockfile diffs carefully,
|
|
- document intentionally held versions.
|
|
EOF
|