From 8dbb173a25e65f2bb7b7485d6efcc1c43007bc66 Mon Sep 17 00:00:00 2001
From: Matthias Osswald
Date: Mon, 16 Dec 2024 14:11:29 +0100
Subject: [PATCH] [INTERNAL] Audit CI: Enable check on main branch

Also checking the main branch to be notified about vulnerabilities based on the released packages. Although the main branch is covered by GitHub security checks and dependabot updates, it could be missed that some vulnerabilities have been solved already but not released yet.

Also removing the unnecessary "npm install". Audit CI checks based on the existing lockfile.
---
.github/workflows/security-audit.yml | 7 ++-----
audit-ci.jsonc | 6 ++++++
2 files changed, 8 insertions(+), 5 deletions(-)
create mode 100644 audit-ci.jsonc

diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index c668a46302..6a1754abcf 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
- branch: ["v3"] # List of branches to run the security audit uppon
+ branch: ["main", "v3"] # List of branches to run the security audit on
steps:
- name: Checkout '${{ matrix.branch }}' branch
@@ -18,8 +18,5 @@ jobs:
with:
ref: ${{ matrix.branch }}
- - name: install dependencies
- run: npm ci
-
- name: Use audit-ci
- run: npx audit-ci@^6 --config ./audit-ci.jsonc
+ run: npx audit-ci@^7 --config ./audit-ci.jsonc
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
new file mode 100644
index 0000000000..c2328a00b4
--- /dev/null
+++ b/audit-ci.jsonc
@@ -0,0 +1,6 @@
+{
+ // $schema provides code completion hints to IDEs.
+ "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+ "low": true,
+ "allowlist": []
+}
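Review bot: Adding `"main"` to the `branch` matrix has a dependency the hunk does not state: the later step runs `--config ./audit-ci.jsonc` against the tree checked out with `ref: ${{ matrix.branch }}`, so every branch listed here must carry its own copy of that file. This commit creates `audit-ci.jsonc` on the current branch only; whether `v3` (and any branch added later) has one is not visible here, and a missing file would fail the job for that matrix entry rather than audit with defaults. A comment on the matrix line would make the coupling explicit, e.g. `# each listed branch must contain ./audit-ci.jsonc, which is read after checkout`. The enclosing `jobs` block starts and ends outside the hunk.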
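Review bot: `run: npx audit-ci@^7 --config ./audit-ci.jsonc` resolves and executes the newest 7.x release from the registry on every run, so the tool that gates this security check is itself fetched unpinned, and the result can change between runs without any change in the repository. Now that `npm ci` is gone there is no lockfile-backed install to constrain it either. Pinning the exact version, `run: npx audit-ci@<pinned 7.x version> --config ./audit-ci.jsonc`, and letting dependabot propose bumps keeps the audit reproducible; alternatively make audit-ci a devDependency so it is covered by the same lockfile it audits. The steps list continues outside the hunk.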
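Review bot: The new config sets `"low": true` next to an empty `"allowlist"`, which, as I read audit-ci's options, fails the job on any advisory at low severity or above, including ones with no published fix; that is a reasonable policy for a scheduled check on released branches, but the file does not say how exceptions are to be handled once the first unfixable advisory lands. A short comment above `"allowlist"` would keep entries from accumulating silently, e.g. `// Entries must name the advisory id, the reason it is accepted, and a date to revisit.` Note also that `$schema` points at the `main` branch of the upstream repository, so the IDE hints track a moving target; that is harmless for validation but worth knowing if a schema change ever makes the file look wrong in an editor.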