From dac6ab3a15379d0486fa08822f6ed2c55dc3c7be Mon Sep 17 00:00:00 2001 From: Avnyr Date: Sun, 4 Jan 2026 23:43:42 +0100 Subject: [PATCH] Remove CVE-check workflow; add separate lint workflows for frontend and backend --- .gitea/workflows/cve-check.yml | 118 ----------------------------- .gitea/workflows/lint-backend.yml | 25 ++++++ .gitea/workflows/lint-frontend.yml | 25 ++++++ 3 files changed, 50 insertions(+), 118 deletions(-) delete mode 100644 .gitea/workflows/cve-check.yml create mode 100644 .gitea/workflows/lint-backend.yml create mode 100644 .gitea/workflows/lint-frontend.yml diff --git a/.gitea/workflows/cve-check.yml b/.gitea/workflows/cve-check.yml deleted file mode 100644 index 776625b..0000000 --- a/.gitea/workflows/cve-check.yml +++ /dev/null 
@@ -1,118 +0,0 @@ - -name: CVE Security Check - Trivy + OWASP - -on: - schedule: - - cron: '0 2 * * *' - push: - paths: - - 'package.json' - - 'pnpm-lock.yaml' - - '.gitea/workflows/cve-check.yml' - pull_request: - paths: - - 'package.json' - - 'pnpm-lock.yaml' - -jobs: - trivy-scan: - name: Trivy Vulnerability Scan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scan - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - scan-ref: '.' - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'HIGH,CRITICAL' - - - name: Display Trivy results - run: | - echo "## 🔍 Trivy Scan Results" >> $GITHUB_STEP_SUMMARY - if [ -f trivy-results.sarif ]; then - echo "✅ Scan complété" >> $GITHUB_STEP_SUMMARY - fi - - - name: Upload Trivy SARIF to artifact - uses: actions/upload-artifact@v3 - if: always() - with: - name: trivy-results - path: trivy-results.sarif - - owasp-dependency-check: - name: OWASP Dependency-Check - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Run OWASP Dependency-Check - uses: dependency-check/Dependency-Check_Action@main - with: - project: 'memegoat' - path: '.' 
- format: 'JSON' - args: > - --enableExperimental - --suppression ./dependency-check-suppressions.xml - - - name: Generate OWASP HTML Report - run: | - if [ -d "reports" ]; then - echo "📊 Rapport OWASP généré" - fi - - - name: Upload OWASP reports - uses: actions/upload-artifact@v3 - if: always() - with: - name: dependency-check-reports - path: reports/ - - - name: Parse OWASP results - run: | - if [ -f reports/dependency-check-report.json ]; then - echo "## 📋 OWASP Dependency-Check Results" >> $GITHUB_STEP_SUMMARY - CRITICAL=$(jq '[.reportSchema.vulnerabilities[] | select(.severity=="CRITICAL")] | length' reports/dependency-check-report.json || echo 0) - HIGH=$(jq '[.reportSchema.vulnerabilities[] | select(.severity=="HIGH")] | length' reports/dependency-check-report.json || echo 0) - MEDIUM=$(jq '[.reportSchema.vulnerabilities[] | select(.severity=="MEDIUM")] | length' reports/dependency-check-report.json || echo 0) - echo "" >> $GITHUB_STEP_SUMMARY - echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY - echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY - echo "| 🔴 CRITICAL | $CRITICAL |" >> $GITHUB_STEP_SUMMARY - echo "| 🟠 HIGH | $HIGH |" >> $GITHUB_STEP_SUMMARY - echo "| 🟡 MEDIUM | $MEDIUM |" >> $GITHUB_STEP_SUMMARY - - if [ "$CRITICAL" -gt 0 ]; then - echo "" >> $GITHUB_STEP_SUMMARY - echo "⚠️ **Vulnérabilités CRITICAL détectées !**" >> $GITHUB_STEP_SUMMARY - exit 1 - fi - fi - - security-summary: - name: Security Summary - runs-on: ubuntu-latest - needs: [trivy-scan, owasp-dependency-check] - if: always() - steps: - - uses: actions/download-artifact@v3 - - - name: Generate final report - run: | - echo "## 🔐 Security Audit Complete" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "✅ Trivy scan - Completed" >> $GITHUB_STEP_SUMMARY - echo "✅ OWASP Dependency-Check - Completed" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "📁 [Télécharger les rapports détaillés](artifacts)" >> $GITHUB_STEP_SUMMARY - - - name: Fail if critical 
vulnerabilities found - if: failure() - run: | - echo "🚨 Des vulnérabilités CRITICAL ont été détectées" - exit 1 \ No newline at end of file diff --git a/.gitea/workflows/lint-backend.yml b/.gitea/workflows/lint-backend.yml new file mode 100644 index 0000000..ea7f94a --- /dev/null +++ b/.gitea/workflows/lint-backend.yml @@ -0,0 +1,25 @@ +name: Backend Lint +on: + push: + paths: + - 'backend/**' + pull_request: + paths: + - 'backend/**' + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: pnpm/action-setup@v4 + with: + version: 9 + - uses: actions/setup-node@v4 + with: + node-version: 22 + cache: 'pnpm' + - name: Install dependencies + run: pnpm install + - name: Run lint + run: pnpm -F @memegoat/backend lint diff --git a/.gitea/workflows/lint-frontend.yml b/.gitea/workflows/lint-frontend.yml new file mode 100644 index 0000000..ec20666 --- /dev/null +++ b/.gitea/workflows/lint-frontend.yml @@ -0,0 +1,25 @@ +name: Frontend Lint +on: + push: + paths: + - 'frontend/**' + pull_request: + paths: + - 'frontend/**' + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: pnpm/action-setup@v4 + with: + version: 9 + - uses: actions/setup-node@v4 + with: + node-version: 22 + cache: 'pnpm' + - name: Install dependencies + run: pnpm install + - name: Run lint + run: pnpm -F @memegoat/frontend lint
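Review bot: The `Install dependencies` step runs `pnpm install` without `--frozen-lockfile`, so a checkout whose `package.json` has drifted from `pnpm-lock.yaml` would be re-resolved against the registry during a lint run instead of failing. pnpm does switch to frozen mode on its own when a `CI` environment variable is present, but whether the Gitea runner sets it is not visible here, and the explicit flag documents the intent either way: `run: pnpm install --frozen-lockfile`. This matters more than it would have before this commit, because the deleted cve-check workflow was the job that ran on `pnpm-lock.yaml` changes; with it gone, this install step is the only place CI touches the lockfile, and no workflow under `.gitea/workflows` scans dependencies any more. Separately, the `paths` filter is `backend/**` only, so a dependency-only change to the root `package.json` or `pnpm-lock.yaml` (the paths the removed workflow watched) would not trigger this lint at all.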
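Review bot: The three `uses:` lines (`actions/checkout@v4`, `pnpm/action-setup@v4`, `actions/setup-node@v4`) reference mutable tags, so the code that runs on every push with access to the checkout is whatever those tags point to at run time rather than a reviewed revision. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: actions/checkout@<full-sha>  # v4`, removes that moving part; the deleted cve-check workflow went even further the wrong way with `trivy-action@master` and `Dependency-Check_Action@main`, so this is a good moment to set a repository-wide convention. On Gitea, where these `uses:` references are fetched from depends on the runner's configured action source (github.com by default, as far as I can tell), which is worth stating in a comment at the top of the workflow so the trust boundary is explicit to the next reader.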