chore: add GH workflows security, static checks, dependabot (#19)

peppescg · web-flow · commit dc145cf73261 · 2025-01-02T11:53:05.000+01:00
* chore: add GH static checks workflows and dependabot

* chore: add husky precommit

* chore: add husky, lint-staged precommit

* chore: add security workflow checks

* fix: husky permission

* fix: husky config
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
@@ -0,0 +1,24 @@
+name: 'Setup Action'
+description: 'Checkouts the repo, sets up node, and installs dependencies'
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout Repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+    - name: Set up Node.js
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v2
+      with:
+        node-version: 'lts/*'
+
+    - name: Cache dependencies
+      id: cache
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+      with:
+        path: ./node_modules
+        key: modules-${{ hashFiles('package-lock.json') }}
+
+    - name: Install dependencies
+      if: steps.cache.outputs.cache-hit != 'true'
+      run: 'npm ci'
+      shell: bash
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,18 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: 'npm' # See documentation for possible values
+    directory: '/' # Location of package manifests
+    schedule:
+      interval: 'weekly'
+      day: 'saturday'
+    versioning-strategy: increase
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+      day: 'saturday'
diff --git a/.github/workflows/_security-checks.yml b/.github/workflows/_security-checks.yml
@@ -0,0 +1,35 @@
+name: Security Checks
+on:
+  workflow_call:
+jobs:
+  trivy:
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Scan repo
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,secret,config'
+          exit-code: '1'
+          ignore-unfixed: 'true'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+
+  npm-audit:
+    name: NPM Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v2
+        with:
+          node-version: 'lts/*'
+
+      - name: Run npm audit
+        run: npm audit --omit=dev --audit-level=moderate
diff --git a/.github/workflows/_static-checks.yml b/.github/workflows/_static-checks.yml
@@ -0,0 +1,44 @@
+name: Static Checks
+on:
+  workflow_call:
+jobs:
+  lint:
+    name: ESLint Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Run linter
+        run: npm run lint
+
+  tsc:
+    name: TS Types Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Run Tsc
+        run: npm run type-check
+
+  build:
+    name: Build App Check
+    runs-on: ubuntu-latest
+    env:
+      NODE_OPTIONS: "--max_old_space_size=4096"
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Build App
+        run: npm run build
diff --git a/.github/workflows/on-pr.yml b/.github/workflows/on-pr.yml
@@ -0,0 +1,13 @@
+name: On PR
+permissions: write-all
+on:
+  pull_request:
+jobs:
+  security:
+    name: Security Checks
+    uses: ./.github/workflows/_security-checks.yml
+
+  static-checks:
+    name: Static Checks
+    uses: ./.github/workflows/_static-checks.yml
+    secrets: inherit
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -0,0 +1 @@
+npx lint-staged
diff --git a/lint-staged.config.mjs b/lint-staged.config.mjs
@@ -0,0 +1,10 @@
+/**
+ * @type {import("lint-staged").Config}
+ */
+export default {
+  "**/*.{js,jsx,ts,tsx,mjs,cjs}": [
+    "npx prettier --write",
+    "npx eslint --fix",
+    "bash -c tsc -p ./tsconfig.app.json --noEmit",
+  ],
+};
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
