name: Security on: push: branches: [main] pull_request: branches: [main] schedule: # Run weekly to catch new vulnerabilities - cron: "0 8 * * 1" workflow_dispatch: # Allow manual triggering concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: gitleaks: name: Scan for Secrets runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 with: fetch-depth: 0 # Full history for comprehensive scan - name: Run Gitleaks uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} dependency-review: name: Dependency Review runs-on: ubuntu-latest if: github.event_name == 'pull_request' steps: - name: Checkout code uses: actions/checkout@v4 - name: Dependency Review uses: actions/dependency-review-action@v4 with: fail-on-severity: moderate npm-audit: name: NPM Audit runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Setup pnpm uses: pnpm/action-setup@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: 20 cache: pnpm - name: Install dependencies run: pnpm install --frozen-lockfile - name: Run npm audit run: pnpm audit --audit-level=moderate continue-on-error: true # Don't fail build on vulnerabilities in deps - name: Run pnpm audit (strict) run: pnpm audit --prod --audit-level=high