diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d5e31cf..44255d6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,23 @@ env:
   STABLE_RELEASE: "true"
 
 jobs:
+  security-scan:
+    name: Security Vulnerability Scan
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # v2.0.2
+    with:
+      scan-args: |-
+        -r
+        --skip-git
+        --lockfile=package-lock.json
+        --lockfile=pnpm-lock.yaml
+        --lockfile=src-tauri/Cargo.lock
+        --lockfile=nodecar/package-lock.json
+        ./
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+
   lint-js:
     name: Lint JavaScript/TypeScript
     uses: ./.github/workflows/lint-js.yml
@@ -22,7 +39,7 @@ jobs:
     secrets: inherit
 
   release:
-    needs: [lint-js, lint-rust]
+    needs: [security-scan, lint-js, lint-rust]
     permissions:
       contents: write
     strategy:
diff --git a/.github/workflows/rolling-release.yml b/.github/workflows/rolling-release.yml
index 7b4526c..20d4609 100644
--- a/.github/workflows/rolling-release.yml
+++ b/.github/workflows/rolling-release.yml
@@ -10,6 +10,23 @@ env:
   TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
 
 jobs:
+  security-scan:
+    name: Security Vulnerability Scan
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # v2.0.2
+    with:
+      scan-args: |-
+        -r
+        --skip-git
+        --lockfile=package-lock.json
+        --lockfile=pnpm-lock.yaml
+        --lockfile=src-tauri/Cargo.lock
+        --lockfile=nodecar/package-lock.json
+        ./
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+
   lint-js:
     name: Lint JavaScript/TypeScript
     uses: ./.github/workflows/lint-js.yml
@@ -21,7 +38,7 @@ jobs:
     secrets: inherit
 
   release:
-    needs: [lint-js, lint-rust]
+    needs: [security-scan, lint-js, lint-rust]
     permissions:
       contents: write
     strategy:
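Review bot: Whether a reported vulnerability actually blocks the release is left to the reusable workflow's default rather than stated in the `security-scan` job: the `release` job now has `needs: [security-scan, …]`, but nothing under `with:` says the scan must fail on findings, so the gate silently depends on the upstream `fail-on-vuln` default (true in current versions of osv-scanner-reusable.yml) and would change if that default moves. Make the intent explicit with `fail-on-vuln: true` under `with:` in both release.yml and rolling-release.yml, where the same job is added. Separately, `scan-args` lists both `package-lock.json` and `pnpm-lock.yaml` at the repository root; if either path is not committed, osv-scanner errors on the missing `--lockfile` and every release is blocked for a reason unrelated to a vulnerability, so confirm both files exist or drop the absent one (the `-r ./` walk discovers any present lockfile anyway). The `jobs:` mapping this job belongs to continues outside the hunk.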
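Review bot: The 17-line `security-scan` job added to rolling-release.yml is a verbatim copy of the one added to release.yml, including the pinned commit `e69cc6c86b31f1e7e23935bbe7031b50e51082de` and its `# v2.0.2` comment, so the next version bump or scan-args change has to be made in two places and can drift. Since these workflows already compose local reusable workflows (`uses: ./.github/workflows/lint-js.yml`), the scanner call and its `permissions` block would fit the same pattern as a single local workflow that both callers reference. If the copy is kept, a one-line comment above each job naming the other file, e.g. `# keep in sync with release.yml`, would at least flag the coupling.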