[Snyk] Security upgrade @sentry/nextjs from 7.12.1 to 7.31.0 #4477
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Audits | |
| on: | |
| push: | |
| pull_request: | |
| types: [opened, reopened, ready_for_review] | |
| pull_request_target: | |
| types: [review_requested] | |
| jobs: | |
| # @see https://github.com/marketplace/actions/skip-duplicate-actions | |
| pre_job: | |
| continue-on-error: true # Uncomment once integration is finished | |
| runs-on: ubuntu-latest | |
| # Map a step output to a job output | |
| outputs: | |
| should_skip: ${{ steps.skip_check.outputs.should_skip }} | |
| steps: | |
| - id: skip_check | |
| uses: fkirc/skip-duplicate-actions@master | |
| with: | |
| # All of these options are optional, so you can remove them if you are happy with the defaults | |
| concurrent_skipping: 'never' # is the default [never, same_content, outdated_runs, always] | |
| skip_after_successful_duplicate: 'true' # is the default [true, false] | |
| cancel_others: true # default false | |
| # paths_ignore: '["**/README.md", "**/docs/**"]' | |
| # paths: '[]' | |
| # do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]' # default ["workflow_dispatch", "schedule"] | |
| check-for-secrets: | |
| name: Various security checks | |
| needs: pre_job | |
| if: ${{ needs.pre_job.outputs.should_skip != 'true' }} | |
| runs-on: 'ubuntu-latest' | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| # this does not really work | |
| - name: Run Yelp's detect-secrets | |
| uses: RobertFischer/[email protected] | |
| - name: Commit back .secrets.baseline (if it was missing) | |
| uses: stefanzweifel/git-auto-commit-action@v4 | |
| with: | |
| commit_message: 'build(detect-secrets): Commit the newly-generated .secrets.baseline file' | |
| branch: main | |
| file_pattern: .secrets.baseline | |
| - name: remove pnpm lock file | |
| run: 'rm ./pnpm-lock.yaml' | |
| shiftleft-scan: | |
| name: ShiftLeft Scan | |
| needs: pre_job | |
| if: ${{ needs.pre_job.outputs.should_skip != 'true' }} | |
| runs-on: 'ubuntu-latest' | |
| steps: | |
| # this seems to work but gets false positives | |
| - name: Perform Scan | |
| uses: ShiftLeftSecurity/scan-action@master | |
| with: | |
| output: reports | |
| # type: "credscan,python,nodejs,csharp,terraform,yaml,bash,depscan" | |
| env: | |
| WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # SCAN_ID: ${{ github.run_id }} # must be a valid guid | |
| - name: Upload scan reports again | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: shiftleft-scan-reports | |
| path: reports | |
| - name: Upload sarif scan report | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: reports | |
| # this seems to work but gets false positives | |
| # - name: Detect Secrets | |
| # uses: CorrelatedLabs/[email protected] |