Files
apf_portal/.gitea/workflows/security-scheduled.yml
T
APF Portal Bot 6445e973f2
CI / commits (pull_request) Has been skipped
CI / perf (pull_request) Has been skipped
CI / check (pull_request) Successful in 59s
CI / scan (pull_request) Failing after 1m9s
CI / a11y (pull_request) Successful in 53s
chore(deps): update pnpm/action-setup action to v6
2026-05-05 23:15:58 +00:00

57 lines
1.8 KiB
YAML

# Per ADR-0015 (CI/CD on Gitea Actions). Weekly full-tree security
# scans plus a Lighthouse run against the production environment when
# its URL is configured. Complements the per-PR ci.yml workflow with
# broader / longer-running checks that don't fit the per-PR budget.
name: Security and perf — scheduled
on:
schedule:
# Mondays, 04:00 UTC — outside business hours; before the week starts.
- cron: '0 4 * * 1'
workflow_dispatch:
jobs:
full-tree-scan:
runs-on: [self-hosted, on-prem]
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm audit
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
# gate filters by severity for speed; this run wants the full
# surface for the security feed).
- uses: aquasecurity/trivy-action@master
with:
scan-type: fs
ignore-unfixed: true
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
lighthouse-prod:
# Skipped silently if the prod URL hasn't been configured yet.
if: vars.LHCI_PROD_URL != ''
runs-on: [self-hosted, on-prem]
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3
- run: pnpm exec lhci assert --config=./lighthouserc.js
- uses: actions/upload-artifact@v7
if: always()
with:
name: lighthouseci-prod-report
path: .lighthouseci/
retention-days: 90