ci: enable pnpm audit to check for critical vulnerabilities #931
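---
# Continuous Deployment: on every push to main and every pull request the
# continuous-integration job audits, installs, lints, builds and tests the
# workspace; the publish-npm job then releases from main only.
name: Continuous Deployment

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request:

# Least privilege for the automatic GITHUB_TOKEN. Every write this workflow
# performs (the git push and the npm publish below) authenticates with the
# repository secrets GH_TOKEN and NPM_TOKEN, not with GITHUB_TOKEN, so the
# automatic token only needs to read the repository.
permissions:
  contents: read

jobs:
  continuous-integration:
    name: Continuous integration
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the tag that SHA corresponds to.
      - name: Download code from GitHub
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Install pnpm package manager
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Set up Node.js version
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version-file: .nvmrc
      # `pnpm audit` reads the lockfile, so it runs before anything is
      # installed. It exits non-zero, failing the job, when an advisory at or
      # above the given level is known; lower severities are only reported.
      - name: Check for known security issues with npm packages
        run: |
          echo "Auditing npm dependencies before installing them. For more information, see: https://nldesignsystem.nl/pnpm-audit"
          pnpm audit --audit-level critical
      # --frozen-lockfile fails instead of updating the lockfile, so what is
      # installed is exactly what was audited above.
      - name: Install dependencies specified in package.json
        run: |
          pnpm install --frozen-lockfile
          pnpm ls --recursive
      - name: Run the lint script in package.json scripts
        run: |
          pnpm run --if-present lint
      - name: Run the build script in package.json scripts
        env:
          GH_ISSUES_TOKEN: ${{ secrets.GH_ISSUES_TOKEN }}
        run: |
          pnpm run --if-present build
      - name: Run the test script in package.json scripts
        run: |
          pnpm run --if-present test

  publish-npm:
    name: Publish to npm
    runs-on: ubuntu-latest
    # Only runs after CI passed, and only for pushes to main.
    needs: continuous-integration
    if: github.ref == 'refs/heads/main'
    steps:
      # NOTE(review): checkout is given GH_TOKEN here, presumably so the
      # `git push` further down authenticates with it — confirm.
      - name: Download code from GitHub
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          token: ${{ secrets.GH_TOKEN }}
      - name: Install pnpm package manager
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
      - name: Set up Node.js version
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version-file: .nvmrc
      # Same audit gate as in CI, repeated so a release never proceeds on a
      # lockfile with a known critical advisory.
      - name: Check for known security issues with npm packages
        run: |
          echo "Auditing npm dependencies before installing them. For more information, see: https://nldesignsystem.nl/pnpm-audit"
          pnpm audit --audit-level critical
      - name: Install dependencies as specified in package.json
        run: |
          pnpm install --frozen-lockfile
          pnpm ls --recursive
      - name: Run the build script in package.json scripts
        env:
          GH_ISSUES_TOKEN: ${{ secrets.GH_ISSUES_TOKEN }}
        run: pnpm run --if-present build
      - name: Publish to GitHub repository
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
          GIT_AUTHOR_EMAIL: ${{ secrets.GIT_AUTHOR_EMAIL }}
          GIT_AUTHOR_NAME: "NL Design System"
          GIT_COMMITTER_EMAIL: ${{ secrets.GIT_COMMITTER_EMAIL }}
          GIT_COMMITTER_NAME: "NL Design System"
        run: |
          git push --set-upstream origin HEAD
          pnpm run release
      - name: Publish to npm repository
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          # The auth token is written to npmrc only for this step. The trap
          # removes it again on any exit, including a failed publish, instead
          # of only after a successful one.
          trap 'pnpm config delete "//registry.npmjs.org/:_authToken"' EXIT
          pnpm config set "//registry.npmjs.org/:_authToken" "${NPM_TOKEN}"
          pnpm run publish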