Merge branch 'main' of https://github.com/poly1603/ldesign #26
| name: Security Scan | |
| # 每周一早上 8 点自动运行,也可以手动触发 | |
| on: | |
| schedule: | |
| - cron: '0 0 * * 1' # 每周一 UTC 00:00 (北京时间 08:00) | |
| workflow_dispatch: # 允许手动触发 | |
| push: | |
| branches: | |
| - main | |
| - master | |
| paths: | |
| - '**/package.json' | |
| - '**/pnpm-lock.yaml' | |
| jobs: | |
| dependency-audit: | |
| name: Dependency Security Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v2 | |
| with: | |
| version: 8 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'pnpm' | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Run pnpm audit | |
| id: pnpm-audit | |
| run: | | |
| echo "## 📊 依赖安全审计报告" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| # 运行 pnpm audit 并保存结果 | |
| pnpm audit --json > audit-report.json || true | |
| # 解析并显示结果 | |
| if [ -f audit-report.json ]; then | |
| echo "### 审计结果" >> $GITHUB_STEP_SUMMARY | |
| echo '```json' >> $GITHUB_STEP_SUMMARY | |
| cat audit-report.json >> $GITHUB_STEP_SUMMARY | |
| echo '```' >> $GITHUB_STEP_SUMMARY | |
| fi | |
| # 运行审计检查(如果有高危或严重漏洞则失败) | |
| pnpm audit --audit-level=high | |
| continue-on-error: true | |
| - name: Upload audit report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: security-audit-report | |
| path: audit-report.json | |
| retention-days: 30 | |
| license-check: | |
| name: License Compliance Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v2 | |
| with: | |
| version: 8 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'pnpm' | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Check licenses | |
| run: | | |
| echo "## 📜 许可证合规性检查" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| # 安装 license-checker | |
| pnpm add -g license-checker | |
| # 运行许可证检查 | |
| license-checker --json --out licenses.json || true | |
| # 检查是否有不兼容的许可证 | |
| echo "### 许可证摘要" >> $GITHUB_STEP_SUMMARY | |
| license-checker --summary >> $GITHUB_STEP_SUMMARY || true | |
| - name: Upload license report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: license-report | |
| path: licenses.json | |
| retention-days: 30 | |
| outdated-check: | |
| name: Outdated Dependencies Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v2 | |
| with: | |
| version: 8 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'pnpm' | |
| - name: Check outdated dependencies | |
| run: | | |
| echo "## 📦 过时依赖检查" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| # 检查过时的依赖 | |
| pnpm outdated --format json > outdated.json || true | |
| echo "### 过时依赖列表" >> $GITHUB_STEP_SUMMARY | |
| echo '```' >> $GITHUB_STEP_SUMMARY | |
| pnpm outdated >> $GITHUB_STEP_SUMMARY || true | |
| echo '```' >> $GITHUB_STEP_SUMMARY | |
| - name: Upload outdated report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: outdated-report | |
| path: outdated.json | |
| retention-days: 30 | |
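Review bot: The "Run pnpm audit" step sets `continue-on-error: true` right after `pnpm audit --audit-level=high`, so the comment's promise to fail on high/critical findings is never honoured and the job stays green whatever the audit returns; drop `continue-on-error: true` and keep the `|| true` only on the JSON report line, leaving the `--audit-level=high` call as the gate (the `if: always()` upload step still runs). The workflow declares no top-level `permissions:`, so `GITHUB_TOKEN` gets the repository default, which may include write scopes; `permissions:` with `contents: read` is all three jobs need. `pnpm add -g license-checker` fetches an unpinned package from the registry on every run, a supply-chain exposure in a job whose purpose is auditing dependencies — pin it to a specific version, and for the same reason consider pinning the `uses:` actions to commit SHAs rather than `@v2`/`@v4` tags. The `outdated-check` job never runs `pnpm install`, unlike the other two; if `pnpm outdated` needs an installed tree, `outdated.json` will be empty — worth confirming before relying on that report.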