From ce445e05c0c84e19d40137ecd04216e33b580ec9 Mon Sep 17 00:00:00 2001
From: CoderDeltaLan
Date: Mon, 22 Sep 2025 08:11:53 +0100
Subject: [PATCH] ci: stabilize CodeQL and supply-chain; fix ESLint; remove invalid devDependency
---
 .github/workflows/codeql.yml | 32 +++++++-----
 .github/workflows/slsa.yml | 16 +++---
 .github/workflows/supply-chain.yml | 81 +++++++++++-------------------
 fuzz/parse-json.fuzz.js | 2 +
 package.json | 3 +-
 5 files changed, 61 insertions(+), 73 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 38ed62d..85f29d0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,29 +1,37 @@
 name: CodeQL Analyze + on: push: branches: ["main"] pull_request: - branches: ["main"] schedule: - - cron: "23 5 * * 1" + - cron: "17 3 * * 2" workflow_dispatch: permissions: contents: read + actions: read security-events: write +concurrency: + group: codeql-${{ github.ref }} + cancel-in-progress: true + jobs: analyze: - name: codeql + name: CodeQL runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - language: ["javascript", "python"] + steps: - - uses: actions/checkout@v5 - - uses: github/codeql-action@0337c4c06e7e00d0d6e64396c13b9dc18dd6d8c5 + - name: Checkout + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 with: - languages: ${{ matrix.language }} - - uses: github/codeql-action/autobuild@v3 - - uses: github/codeql-action@0337c4c06e7e00d0d6e64396c13b9dc18dd6d8c5 + # Limpiamos fallos por build: JS/TS y Python no requieren autobuild + languages: python,javascript-typescript + build-mode: none + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/slsa.yml b/.github/workflows/slsa.yml
index c82a3e3..30ec7bb 100644
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
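Review bot: The `uses:` lines on the new side — `actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3` — reference mutable tags, whereas the `github/codeql-action` lines this hunk removes, and the removed `actions/checkout` lines in slsa.yml and supply-chain.yml, pinned by full commit SHA; the same point applies to `actions/checkout@v4`, `anchore/sbom-action@v0`, `aquasecurity/trivy-action@v0.33.1` and `github/codeql-action/upload-sarif@v3` in the supply-chain.yml hunk. A tag can be re-pointed at different code after the fact, so for a commit that says it stabilizes the supply chain I would pin each action to its commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and let Dependabot or Renovate move the SHA. `anchore/sbom-action@v0` is additionally a floating major, so any v0.x release is picked up silently. The checkout line also goes from v5 back to v4; if that is deliberate, a short comment saying why would stop the next reader from bumping it again. The Spanish comment above `languages:` would serve more readers in English, e.g. `# JS/TS and Python are interpreted, so no autobuild step is needed (build-mode: none)`.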
@@ -1,15 +1,15 @@
 name: SLSA provenance on: - release: - types: [published] + release: { types: [published] } + workflow_dispatch: permissions: contents: write id-token: write jobs: provenance: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main - with: - base64-subjects: "${{ github.sha }}" + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + permissions: + contents: write + id-token: write + with: + base64-subjects: "${{ github.sha }}"
diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml
index 6e58af0..039bb30 100644
--- a/.github/workflows/supply-chain.yml
+++ b/.github/workflows/supply-chain.yml
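Review bot: `base64-subjects: "${{ github.sha }}"` on the new side hands the generator a raw commit hash, but the generic SLSA3 reusable workflow expects the base64 encoding of `sha256sum`-style lines (`<sha256>  <artifact-name>`) for the artifacts being attested, so the provenance either fails to decode or attests nothing a consumer can verify a downloaded file against. The usual shape is a preceding job that builds the release files, hashes them and exposes the encoded list as an output, with `provenance` taking `needs.build.outputs.hashes`; sketched below with the build step left as a placeholder. The generator's README also lists `actions: read` among the permissions the calling job must grant; please confirm against the v2.0.0 docs before adding it. Moving the reusable-workflow reference from `@main` to a tag is a good change and should stay.
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      # placeholder: build the release artifacts into dist/ here
      - id: hash
        run: |
          cd dist
          echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [build]
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    permissions:
      actions: read
      contents: write
      id-token: write
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
```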
@@ -1,68 +1,47 @@
 name: supply-chain - on: - pull_request: push: - branches: [main] + branches: ["main"] + pull_request: schedule: - - cron: "0 4 * * 1" + - cron: "23 4 * * 1" workflow_dispatch: - permissions: contents: read - +concurrency: + group: supply-${{ github.ref }} + cancel-in-progress: true jobs: - dependency-review: - # No debe romper fuera de PR - permissions: - contents: read - pull-requests: read + sbom: + name: Generate SBOM (CycloneDX) runs-on: ubuntu-latest steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - with: { fetch-depth: 2 } - - name: Dependency review - id: dr - uses: actions/dependency-review-action@6fad41793215e16e31faa120c584d320a07b88de + - uses: actions/checkout@v4 + - uses: anchore/sbom-action@v0 + with: + format: cyclonedx-json + output-file: sbom.cdx.json + - uses: actions/upload-artifact@v4 with: - fail-on-severity: high - # Clave: fuera de PR, no romper el job aunque detecte problemas - continue-on-error: ${{ github.event_name != 'pull_request' }} - - scorecards: + name: sbom-cyclonedx + path: sbom.cdx.json + vuln-gate: + if: ${{ github.event_name == 'pull_request' && github.event.pull_request.draft == false }} + name: Vulnerability scan (PR gate) + runs-on: ubuntu-latest permissions: - actions: read contents: read - id-token: write security-events: write - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - with: { fetch-depth: 0 } - - name: Run Scorecard - id: scorecard - uses: ossf/scorecard-action@43e475b79a8bd5217334edc08879005b2229d79a.3.3 - with: - results_file: results.sarif - results_format: sarif - publish_results: true - - name: Upload SARIF to Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif - - sbom: - permissions: { contents: read } - runs-on: ubuntu-latest steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 - - name: Generate SBOM (SPDX) - uses: 
anchore/sbom-action@c73dd3f93ab542b7902df62a6ee5ad763179fa7b.17.6 + - uses: actions/checkout@v4 + - uses: aquasecurity/trivy-action@v0.33.1 with: - format: spdx-json - output-file: sbom.spdx.json - - name: Upload SBOM artifact - uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8 + scan-type: fs + format: sarif + output: trivy.sarif + ignore-unfixed: true + severity: CRITICAL + exit-code: "1" + - uses: github/codeql-action/upload-sarif@v3 with: - name: sbom-spdx - path: sbom.spdx.json + sarif_file: trivy.sarif
diff --git a/fuzz/parse-json.fuzz.js b/fuzz/parse-json.fuzz.js
index d949ade..85c305f 100644
--- a/fuzz/parse-json.fuzz.js
+++ b/fuzz/parse-json.fuzz.js
@@ -1,3 +1,5 @@
+/* global module */
+/* eslint-env node */
 "use strict";
 module.exports.fuzz = (data) => {
diff --git a/package.json b/package.json
index 16a131b..a51255a 100644
--- a/package.json
+++ b/package.json
@@ -20,8 +20,7 @@
 "eslint": "^9.0.0",
 "prettier": "^3.0.0",
 "typescript": "^5.9.2",
- "typescript-eslint": "^8.0.0",
- "jazzer.js": "^1.0.0"
+ "typescript-eslint": "^8.0.0"
 },
 "publishConfig": {
 "registry": "https://npm.pkg.github.com"
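Review bot: In the `vuln-gate` job, `exit-code: "1"` makes the trivy step fail whenever a CRITICAL finding exists, and the following `github/codeql-action/upload-sarif@v3` step then never runs, so the SARIF reaches code scanning only on runs that found nothing; add `if: always()` to the upload step (the job stays red either way because the scan step already failed). The job also requests `security-events: write`, which the token is not granted for pull requests from forks, so the upload step is likely to fail on exactly those PRs — consider guarding it with `if: always() && github.event.pull_request.head.repo.full_name == github.repository` and relying on the exit code alone for forks. Removing the `dependency-review` and `scorecards` jobs narrows the gate: the old `fail-on-severity: high` becomes `severity: CRITICAL` with `ignore-unfixed: true`, and nothing replaces the Scorecard signal on action pinning and branch protection; if that is intended, a comment in the workflow header saying so would help the next reviewer. The enclosing `vuln-gate` job starts in the previous physical line of this hunk.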
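Review bot: `/* eslint-env node */` is an eslintrc-era directive; package.json in this same patch pins `eslint` to `^9.0.0`, and ESLint 9's flat config does not apply `eslint-env` comments (as far as I recall it reports them as unsupported instead), so this line does nothing for the `module`-is-undefined report — the `/* global module */` line above it is doing the work. The durable fix is to declare the environment in the flat config for the `fuzz/**` files instead, e.g. `languageOptions: { sourceType: "commonjs" }` (which makes `module`, `require` and `exports` known) or a Node globals set, and drop both comments. The exported `fuzz` arrow function continues outside the hunk.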
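Review bot: Dropping `"jazzer.js"` leaves `fuzz/parse-json.fuzz.js`, which exports the Jazzer-style `fuzz(data)` entry point, with no fuzzer to run it; if the intent was to fix an unresolvable package name rather than to abandon fuzzing, the published package is `@jazzer.js/core`, so the line would be `"@jazzer.js/core": "<version>"` rather than a removal. If fuzzing is intentionally being dropped, remove or document the orphaned harness in the same change so the repository does not carry a target nothing executes.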