chore: add Dependabot security-only update config #1
| # Dependency vulnerability audit | |
| # Copy to .github/workflows/dependency-audit.yml | |
| # | |
| # Auto-detects ecosystems present in the repository and runs the appropriate | |
| # audit tool. Fails the build if any dependency has a known security advisory. | |
| # | |
| # Add "dependency-audit" as a required status check in branch protection. | |
| name: Dependency audit | |
| on: | |
| pull_request: | |
| branches: [main] | |
| push: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| jobs: | |
| detect: | |
| name: Detect ecosystems | |
| runs-on: ubuntu-latest | |
| outputs: | |
| npm: ${{ steps.check.outputs.npm }} | |
| gomod: ${{ steps.check.outputs.gomod }} | |
| cargo: ${{ steps.check.outputs.cargo }} | |
| pip: ${{ steps.check.outputs.pip }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Detect package ecosystems | |
| id: check | |
| run: | | |
| # npm | |
| if find . -name 'package-lock.json' -not -path '*/node_modules/*' | grep -q .; then | |
| echo "npm=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "npm=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| # Go modules | |
| if find . -name 'go.sum' | grep -q .; then | |
| echo "gomod=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "gomod=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| # Cargo | |
| if [ -f "Cargo.lock" ]; then | |
| echo "cargo=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "cargo=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| # Python | |
| if [ -f "pyproject.toml" ] || [ -f "requirements.txt" ]; then | |
| echo "pip=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "pip=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| audit-npm: | |
| name: npm audit | |
| needs: detect | |
| if: needs.detect.outputs.npm == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: "lts/*" | |
| - name: Audit npm dependencies | |
| run: npm audit --audit-level=moderate | |
| audit-go: | |
| name: govulncheck | |
| needs: detect | |
| if: needs.detect.outputs.gomod == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 | |
| with: | |
| go-version: "stable" | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
| - name: Audit Go dependencies | |
| run: | | |
| # Run govulncheck in each module directory | |
| find . -name 'go.mod' -exec dirname {} \; | while read -r dir; do | |
| echo "::group::govulncheck $dir" | |
| (cd "$dir" && govulncheck ./...) | |
| echo "::endgroup::" | |
| done | |
| audit-cargo: | |
| name: cargo audit | |
| needs: detect | |
| if: needs.detect.outputs.cargo == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Install cargo-audit | |
| run: cargo install cargo-audit | |
| - name: Audit Cargo dependencies | |
| run: cargo audit | |
| audit-pip: | |
| name: pip-audit | |
| needs: detect | |
| if: needs.detect.outputs.pip == 'true' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 | |
| with: | |
| python-version: "3.x" | |
| - name: Install pip-audit | |
| run: pip install pip-audit | |
| - name: Audit Python dependencies | |
| run: | | |
| if [ -f "pyproject.toml" ]; then | |
| pip-audit --require-hashes=false | |
| elif [ -f "requirements.txt" ]; then | |
| pip-audit -r requirements.txt | |
| fi |
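Review bot: The pyproject.toml branch of the "Audit Python dependencies" step checks nothing of the project: `pip-audit` with no `-r` inspects the packages installed in the current interpreter, and the only package this job installs is pip-audit itself, so the project's declared dependencies are never examined (and `--require-hashes=false` may be rejected outright, since that flag looks like a bare switch in pip-audit — verify against the installed version). Install the project before auditing, e.g. replace that branch's command with `pip install .` followed by `pip-audit`, or point pip-audit at an exported requirements file. The discipline that pinned every action to a commit SHA should extend to the audit tools themselves: `go install ...@latest`, `cargo install cargo-audit` and `pip install pip-audit` each fetch whatever is current at run time, leaving the security gate's own supply chain unpinned — pin each to a known release (e.g. `cargo install cargo-audit --locked --version <PINNED_VERSION>`, with the same for govulncheck and pip-audit). The npm detection also accepts a package-lock.json in any subdirectory while `npm audit` runs only in the repository root, so a nested-only lockfile makes the job fail for lack of a root lockfile instead of auditing it; either restrict detection to `./package-lock.json` or iterate lockfile directories the way the Go job iterates go.mod.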