Skip to content

chore(deps-dev): bump vite from 5.4.10 to 5.4.11 (#71) #217

chore(deps-dev): bump vite from 5.4.10 to 5.4.11 (#71)

chore(deps-dev): bump vite from 5.4.10 to 5.4.11 (#71) #217

Workflow file for this run

name: Pipeline
on:
# Run on any branch receiving a push
push:
# Allow manual trigger of the workflow
workflow_dispatch:
jobs:
# Talisman Secrets Check
talisman-check:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/main' }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Detect secrets in incoming commits with Talisman
uses: digitalservicebund/talisman-secrets-scan-action@9a4cb85589e29a62b4546eb566119753a5680aeb
# Trivy Vulnerability Scan
trivy-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write # upload-sarif
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
with:
scan-type: "fs"
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
- name: Verify SARIF file exists
run: ls -la trivy-results.sarif
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy scan results to GitHub Security tab
if: ${{ always() && github.ref == 'refs/heads/main' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
# Formatting, code quality and types check
check-style:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: ./.node-version
cache: npm
cache-dependency-path: ./package-lock.json
- name: Cache
uses: actions/cache@v4
id: cache-npm
with:
path: /home/runner/.npm
key: npm-cache-${{ hashFiles('./package-lock.json') }}
- name: Install dependencies
run: npm ci
- name: Check formatting
run: npm run prettier:check
- name: Check code style
run: npm run eslint:check
- name: Check types
run: npm run typecheck
# Automated tests
test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: ./.node-version
cache: npm
cache-dependency-path: ./package-lock.json
- name: Cache
uses: actions/cache@v4
id: cache-npm
with:
path: /home/runner/.npm
key: npm-cache-${{ hashFiles('./package-lock.json') }}
- name: Install dependencies
run: npm ci
- name: Run tests
run: npm run test
# Deploy Storybook to GitHub Pages
build-and-deploy-storybook:
if: ${{ github.ref == 'refs/heads/main' }}
needs:
- talisman-check
- trivy-scan
- check-style
- test
permissions:
contents: read
pages: write
id-token: write
concurrency:
group: "pages"
cancel-in-progress: true
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: ./.node-version
cache: npm
cache-dependency-path: ./package-lock.json
- name: Cache
uses: actions/cache@v4
id: cache-npm
with:
path: /home/runner/.npm
key: npm-cache-${{ hashFiles('./package-lock.json') }}
- name: Install dependencies
run: npm ci
- name: Build Storybook
run: npm run build:storybook
- name: Setup Pages
uses: actions/configure-pages@v5
- name: Upload Storybook artifact
uses: actions/upload-pages-artifact@v3
with:
path: ./storybook-static
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4