---
# Security scans, migrated from .gitea/workflows/scan.yml.
#
# Every first-party action below is pinned to a commit SHA. The tag each SHA
# corresponds to is recorded here so the two are always bumped together:
#   actions/checkout@v6.0.1       8e8c483db84b4bee98b60c0593521ed34d9990e8
#   actions/setup-python@v6.2.0   a309ff8b426b58ec0e2a45f0f869d46889d02405
#   actions/setup-node@v6.1.0     395ad3262231945c25e8478fd5baf05154b1d79f
name: Security scans

on:
  # Weekly run: Mondays at 12:30 UTC.
  schedule:
    - cron: '30 12 * * 1'
  # Every push to the long-lived branches.
  push:
    branches:
      - master
      - dev
  # Manual trigger from the Actions tab.
  workflow_dispatch:

# Least privilege: nothing here needs more than read access to the repository.
permissions:
  contents: read

# One live run per workflow and ref; a newer push supersedes an in-flight scan.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # Run JavaScript-based actions on the Node 24 runtime.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
  # Toolchain versions. Quoted so "3.14" stays a string rather than a float.
  PYTHON_VERSION: '3.14'
  NODE_VERSION: '24'
  POETRY_VERSION: '2.3.4'
  PNPM_VERSION: '10.32.1'

jobs:
  scan:
    runs-on: ubuntu-latest
    # Hard stop so a hung scanner cannot hold the runner indefinitely.
    timeout-minutes: 45
    # Job-level restatement of the read-only token scope.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install Poetry (PyPI pin)
        # Step-level export of the same value the workflow env already holds;
        # the helper script reads POETRY_VERSION from its environment.
        env:
          POETRY_VERSION: ${{ env.POETRY_VERSION }}
        run: bash scripts/ci/github-install-poetry.sh

      - name: Set up Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f  # v6.1.0
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Enable pnpm (corepack)
        # Activates the pnpm release named by PNPM_VERSION via corepack.
        run: corepack enable && corepack prepare "pnpm@${PNPM_VERSION}" --activate

      - name: Install dependencies
        run: bash scripts/ci/github-install-deps.sh

      - name: pip-audit
        # Audits the packages installed in the Poetry-managed environment.
        # NOTE(review): unlike the actions above, pip and pip-audit are
        # installed unpinned at scan time ("pip>=26.0" is only a floor);
        # pin them if reproducible scan results are wanted.
        run: |
          poetry run pip install --upgrade "pip>=26.0" pip-audit
          poetry run pip-audit

      - name: Setup Trivy
        run: sh scripts/ci/setup-trivy.sh

      - name: Trivy filesystem scan (dependencies)
        run: sh scripts/ci/trivy-fs-scan.sh

      - name: Trivy Dockerfile misconfiguration
        # --exit-code 1 makes any misconfiguration finding fail the job.
        run: trivy config --exit-code 1 Dockerfile