fix(ci): run scanners before pnpm install to avoid node_modules false positives (#51)
CI / check (push) Successful in 2m26s
CI / commits (push) Has been skipped
CI / scan (push) Successful in 2m48s
CI / a11y (push) Successful in 1m32s
CI / perf (push) Successful in 3m51s

## Summary
First successful gitleaks run flagged **381 "leaks"** — all inside `node_modules/` and `.pnpm-store/`, populated by the `pnpm install --frozen-lockfile` step that ran earlier in the job. Upstream npm packages routinely embed demo RSA keys / fake API tokens in their READMEs and test fixtures, and gitleaks correctly (by its rules) flags them.

Same class of false-positive Trivy hit in #49 — solved there by `--scanners vuln`. Here, the cleanest solution is **reordering**: run the scanners *before* `pnpm install`, so the working tree contains only our committed source.

- **Trivy** scans `pnpm-lock.yaml` (committed) — doesn't need install.
- **Gitleaks** scans the working tree (`--no-git --source .` in ci.yml) — doesn't need install.
- **pnpm audit** reads `pnpm-lock.yaml` against the advisory DB — also doesn't need install. The install before audit remains for the workspace-integrity sanity check.

The ordering rationale is committed as a comment at the top of each job's `steps:` block, so a future contributor doesn't innocently shuffle the steps and re-flood the gate with FPs.

Same reordering applied to `.gitea/workflows/security-scheduled.yml` for consistency, even though its deep-history gitleaks scan doesn't suffer this issue (`node_modules` is `.gitignore`d from day one — never in history).

## Test plan
- [ ] `scan` job goes green end-to-end on this PR — gitleaks reports 0 leaks (or only real ones from our source, none expected).
- [ ] On `push` to main post-merge, scan stays green.
- [ ] Trigger `security-scheduled` manually before next Monday's cron to verify the same ordering doesn't break the deep scan.

## After this PR
With #43 (TS/ESLint reverts), #45 (Trivy install), #49 (Trivy `--scanners vuln`), #50 (gitleaks install), and now this — every gate of the CI pipeline should be green end-to-end. Phase-1 CI bring-up is then complete and we can move to **A — local infra recipe** (Postgres + Redis + OTel Collector).

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #51
This commit was merged in pull request #51.
This commit is contained in:
2026-05-08 00:18:56 +02:00
parent 0d27f835c3
commit a0e8e095d0
2 changed files with 27 additions and 4 deletions
+12 -2
View File
@@ -14,6 +14,13 @@ on:
jobs:
full-tree-scan:
runs-on: [self-hosted, on-prem]
# Step ordering mirrors ci.yml: scanners run before `pnpm install`
# so the working tree is not polluted with node_modules content
# (READMEs / fixtures of upstream packages contain demo
# secrets that gitleaks false-positives on by the hundreds).
# The deep-history gitleaks scan here doesn't strictly need it
# (history doesn't contain node_modules), but consistency with
# ci.yml keeps the two workflows reading the same way.
steps:
# fetch-depth: 0 → full history. The per-PR gitleaks scan is
# shallow + working-tree-only; this scheduled job is where we
@@ -26,8 +33,6 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
- run: pnpm install --frozen-lockfile
- run: pnpm audit
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
# gate filters by severity for speed; this run wants the full
# surface for the security feed). Manual install + curl, same
@@ -69,6 +74,11 @@ jobs:
--source . \
--redact \
--exit-code 1
# npm-advisory check (against pnpm-lock.yaml). Run last so
# `pnpm install` does not pollute the working tree before the
# scanners above.
- run: pnpm install --frozen-lockfile
- run: pnpm audit
lighthouse-prod:
# Skipped silently if the prod URL hasn't been configured yet.