Skip to content

Feat/security update #828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Wagalidoom merged 4 commits into from
Jan 12, 2026
Merged

Feat/security update #828

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
096036e
Adding Codeowners file, also updating security of workflows
atifather Jan 7, 2026
15eee99
feat: add minimum release, trust policy and lock package version
Wagalidoom Jan 9, 2026
5cdde21
feat: add security audit workflow
Wagalidoom Jan 9, 2026
aa12282
fix: update packages
Wagalidoom Jan 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/CODEOWNERS
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
* @0xarmagan @gnosischain/bridge @gnosischain/coredevs-internal @gnosischain/devops @gnosischain/gnosis-devrel @gnosischain/gnosis-dapp-dev
2 changes: 1 addition & 1 deletion .github/workflows/create_release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ jobs:

steps:
- name: Create Github Release
uses: actions/github-script@v6
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/dev_deploy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,15 +32,15 @@ jobs:
run: |
for apt_file in `grep -lr microsoft /etc/apt/sources.list.d/`; do sudo rm $apt_file; done

- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- uses: actions/cache@v3
- uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with:
path: '**/node_modules'
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}

- name: Setup Node.js
uses: actions/setup-node@v2
uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2

- name: Install
run: |
Expand All @@ -59,7 +59,7 @@ jobs:
run: yarn build

- name: Configure AWS Development credentials
uses: aws-actions/configure-aws-credentials@v1
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1
if: ( github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main' )
with:
aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/prod_deploy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,20 +24,20 @@ jobs:
for apt_file in `grep -lr microsoft /etc/apt/sources.list.d/`; do sudo rm $apt_file; done

# Ref: https://github.com/actions/checkout/issues/1471#issuecomment-1771231294
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Tag checkout
run: |
git fetch --prune --unshallow --tags
git checkout ${{ github.event.inputs.tag }}

- uses: actions/cache@v3
- uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with:
path: '**/node_modules'
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}

- name: Setup Node.js
uses: actions/setup-node@v2
uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2

- name: Install
run: |
Expand All @@ -56,7 +56,7 @@ jobs:
run: yarn build

- name: Configure AWS Production credentials
uses: aws-actions/configure-aws-credentials@v1
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1
with:
aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
Expand Down
35 changes: 35 additions & 0 deletions .github/workflows/security-audit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: Security Audit

on:
push:
branches: [main]
pull_request:
branches: [main]

jobs:
security-audit:
name: Dependency Security Audit
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0

- name: Enable Corepack
run: corepack enable

- name: Setup Node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version-file: '.nvmrc'
cache: 'pnpm'

- name: Install dependencies
run: pnpm install --frozen-lockfile

- name: Run security audit
run: pnpm audit --audit-level=high
4 changes: 2 additions & 2 deletions .github/workflows/slack_release_notification.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,14 +31,14 @@ jobs:

- name: Extract commit
id: commit
uses: prompt/actions-commit-hash@v2
uses: prompt/actions-commit-hash@01d19a83c242e1851c9aa6cf9625092ecd095d09 # v2

- name: Get current date
id: date
run: echo "::set-output name=date::$(date +'%Y-%m-%dT%H:%M:%S')"

- id: slack
uses: slackapi/[email protected]
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: "{\"username\":\"Releases\",\"icon_url\":\"https://avatars3.githubusercontent.com/u/134083290\",\"text\":\"${{ inputs.message }} - ${{ github.event.head_commit.message }}\",\"attachments\":[{\"text\":\"\",\"color\":\"${{ inputs.success == true && '#36a64f' || '#FF3131' }}\",\"author_name\":\"${{ inputs.service }}\",\"title\":\"\",\"fields\":[{\"title\":\"Environment\",\"short\":true,\"value\":\"`${{ inputs.environment }}`\"},{\"title\":\"Branch\",\"short\":true,\"value\":\"${{ steps.extract_branch.outputs.branch }}\"},{\"title\":\"Commit\",\"short\":true,\"value\":\"${{ steps.commit.outputs.short }}\"},{\"title\":\"Status\",\"short\":true,\"value\":\"${{ inputs.success == true && '🟢 SUCCEEDED' || '🔴 FAILED' }}\"},{\"title\":\"Time\",\"short\":true,\"value\":\"${{ steps.date.outputs.date }}\"}]}]}"
env:
Expand Down
3 changes: 3 additions & 0 deletions .npmrc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
save-exact=true
minimum-release-age=3d
trust-policy=no-downgrade
Loading