57 lines
1.8 KiB
YAML
57 lines
1.8 KiB
YAML
# Per ADR-0015 (CI/CD on Gitea Actions). Weekly full-tree security
|
|
# scans plus a Lighthouse run against the production environment when
|
|
# its URL is configured. Complements the per-PR ci.yml workflow with
|
|
# broader / longer-running checks that don't fit the per-PR budget.
|
|
|
|
name: Security and perf — scheduled
|
|
|
|
on:
|
|
schedule:
|
|
# Mondays, 04:00 UTC — outside business hours; before the week starts.
|
|
- cron: '0 4 * * 1'
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
full-tree-scan:
|
|
runs-on: [self-hosted, on-prem]
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- uses: pnpm/action-setup@v3
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
cache: 'pnpm'
|
|
- run: pnpm install --frozen-lockfile
|
|
- run: pnpm audit
|
|
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
|
|
# gate filters by severity for speed; this run wants the full
|
|
# surface for the security feed).
|
|
- uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: fs
|
|
ignore-unfixed: true
|
|
- uses: gitleaks/gitleaks-action@v2
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
lighthouse-prod:
|
|
# Skipped silently if the prod URL hasn't been configured yet.
|
|
if: vars.LHCI_PROD_URL != ''
|
|
runs-on: [self-hosted, on-prem]
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- uses: pnpm/action-setup@v3
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
cache: 'pnpm'
|
|
- run: pnpm install --frozen-lockfile
|
|
- run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3
|
|
- run: pnpm exec lhci assert --config=./lighthouserc.js
|
|
- uses: actions/upload-artifact@v4
|
|
if: always()
|
|
with:
|
|
name: lighthouseci-prod-report
|
|
path: .lighthouseci/
|
|
retention-days: 90
|