diff options
author | Nick Schonning <nschonni@gmail.com> | 2023-07-11 09:23:57 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-07-11 15:23:57 +0200 |
commit | e11032585b68dde7119c667c3ef7c2438f285c17 (patch) | |
tree | 94576e6c5ec3155dea6f213b68a787a74fb96f86 /.github | |
parent | 3aa153694e261c59d9fdf8042f69898614269e3e (diff) |
Run brakeman in GitHub Actions (#23713)
Diffstat (limited to '.github')
-rw-r--r-- | .github/workflows/bundler-audit.yml | 40 | ||||
-rw-r--r-- | .github/workflows/lint-ruby.yml | 9 |
2 files changed, 45 insertions, 4 deletions
diff --git a/.github/workflows/bundler-audit.yml b/.github/workflows/bundler-audit.yml new file mode 100644 index 00000000000..6c4869f12d4 --- /dev/null +++ b/.github/workflows/bundler-audit.yml @@ -0,0 +1,40 @@ +name: Bundler Audit +on: + push: + branches-ignore: + - 'dependabot/**' + paths: + - 'Gemfile*' + - '.ruby-version' + - '.bundler-audit.yml' + - '.github/workflows/bundler-audit.yml' + + pull_request: + paths: + - 'Gemfile*' + - '.ruby-version' + - '.bundler-audit.yml' + - '.github/workflows/bundler-audit.yml' + + schedule: + - cron: '0 5 * * 1' + +jobs: + security: + runs-on: ubuntu-latest + + steps: + - name: Clone repository + uses: actions/checkout@v3 + + - name: Install native Ruby dependencies + run: sudo apt-get install -y libicu-dev libidn11-dev + + - name: Set up Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: .ruby-version + bundler-cache: true + + - name: Run bundler-audit + run: bundle exec bundler-audit diff --git a/.github/workflows/lint-ruby.yml b/.github/workflows/lint-ruby.yml index 0395c8639f7..c898b263253 100644 --- a/.github/workflows/lint-ruby.yml +++ b/.github/workflows/lint-ruby.yml @@ -8,7 +8,7 @@ on: - 'Gemfile*' - '.rubocop*.yml' - '.ruby-version' - - '.bundler-audit.yml' + - 'config/brakeman.ignore' - '**/*.rb' - '**/*.rake' - '.github/workflows/lint-ruby.yml' @@ -18,7 +18,7 @@ on: - 'Gemfile*' - '.rubocop*.yml' - '.ruby-version' - - '.bundler-audit.yml' + - 'config/brakeman.ignore' - '**/*.rb' - '**/*.rake' - '.github/workflows/lint-ruby.yml' @@ -46,5 +46,6 @@ jobs: - name: Run rubocop run: bundle exec rubocop - - name: Run bundler-audit - run: bundle exec bundler-audit + - name: Run brakeman + if: always() # Run both checks, even if the first failed + run: bundle exec brakeman |