diff --git a/.github/workflows/web-deploy-one.yml b/.github/workflows/web-deploy-one.yml
index fd24af13e3..0b2dbe7539 100644
--- a/.github/workflows/web-deploy-one.yml
+++ b/.github/workflows/web-deploy-one.yml
@@ -29,6 +29,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup node and enable yarn caching
 uses: actions/setup-node@v4
@@ -38,7 +40,7 @@ jobs:
 cache-dependency-path: "web/yarn.lock"
 - name: Install dependencies
- run: yarn install
+ run: yarn install --frozen-lockfile
 - name: Build ${{ inputs.app }}
 run: yarn build:${{ inputs.app }}
diff --git a/.github/workflows/web-deploy-preview.yml b/.github/workflows/web-deploy-preview.yml
index 52d131179c..73dceeb54e 100644
--- a/.github/workflows/web-deploy-preview.yml
+++ b/.github/workflows/web-deploy-preview.yml
@@ -29,6 +29,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup node and enable yarn caching
 uses: actions/setup-node@v4
@@ -38,7 +40,7 @@ jobs:
 cache-dependency-path: "web/yarn.lock"
 - name: Install dependencies
- run: yarn install
+ run: yarn install --frozen-lockfile
 - name: Build ${{ inputs.app }}
 run: yarn build:${{ inputs.app }}
diff --git a/.github/workflows/web-deploy-staging.yml b/.github/workflows/web-deploy-staging.yml
index e0652c36b1..659b656e59 100644
--- a/.github/workflows/web-deploy-staging.yml
+++ b/.github/workflows/web-deploy-staging.yml
@@ -37,6 +37,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: ${{ steps.select-branch.outputs.branch }}
+ persist-credentials: false
 - name: Setup node and enable yarn caching
 uses: actions/setup-node@v4
@@ -46,7 +47,7 @@ jobs:
 cache-dependency-path: "web/yarn.lock"
 - name: Install dependencies
- run: yarn install
+ run: yarn install --frozen-lockfile
 - name: Build photos
 run: yarn build:photos
diff --git a/.github/workflows/web-deploy.yml b/.github/workflows/web-deploy.yml
index ee6e1d6e7b..0e586ba073 100644
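Review bot: In the second hunk of web-deploy-one.yml the build step still expands `${{ inputs.app }}` directly inside the `run:` script, so the input text becomes part of the shell command before bash parses it; the commit hardens the neighbouring steps but leaves that line as it was, and web-deploy-preview.yml carries the same line. Unless `inputs.app` is restricted to a fixed set of values where the input is declared (that definition is outside the hunk), pass it through the environment instead: add `env:` with `APP: ${{ inputs.app }}` to the step and change the command to `run: yarn build:"$APP"`. The `name:` line can keep the expression, since it is only displayed and never executed. The step may continue past the end of the hunk.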
--- a/.github/workflows/web-deploy.yml
+++ b/.github/workflows/web-deploy.yml
@@ -33,6 +33,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup node and enable yarn caching
 uses: actions/setup-node@v4
@@ -42,7 +44,15 @@ jobs:
 cache-dependency-path: "web/yarn.lock"
 - name: Install dependencies
- run: yarn install
+ run: yarn install --frozen-lockfile
+
+ - name: Audit dependencies
+ run: |
+ yarn audit --level critical || exit_code=$?
+ if [[ $exit_code -ge 16 ]]; then
+ echo "::error::Yarn audit found critical issues"
+ exit 1
+ fi
 - name: Build photos
 run: yarn build:photos
diff --git a/.github/workflows/web-lint.yml b/.github/workflows/web-lint.yml
index 517022997d..8bab3f4e77 100644
--- a/.github/workflows/web-lint.yml
+++ b/.github/workflows/web-lint.yml
@@ -24,6 +24,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup node and enable yarn caching
 uses: actions/setup-node@v4
@@ -32,6 +34,14 @@ jobs:
 cache: "yarn"
 cache-dependency-path: "web/yarn.lock"
- - run: yarn install
+ - run: yarn install --frozen-lockfile
 - run: yarn lint
+
+ - name: Audit dependencies
+ run: |
+ yarn audit --level critical || exit_code=$?
+ if [[ $exit_code -ge 16 ]]; then
+ echo "::error::Yarn audit found critical issues"
+ exit 1
+ fi
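Review bot: The "Audit dependencies" step added in the second hunk of web-deploy.yml fails open: `exit_code` is assigned only when `yarn audit` exits non-zero, and every code below 16 lets the job continue, so an audit that could not run at all (for example a registry request that fails with a small non-zero code) would presumably look the same as a clean result. Initialise the variable with `exit_code=0` before the audit line, and consider emitting `echo "::warning::yarn audit exited with $exit_code"` when the code is non-zero but below 16, so a broken audit is visible in the run. The step is also placed after `yarn install --frozen-lockfile`, so install-time lifecycle scripts of a flagged package have already run when the gate fires; moving the audit ahead of the install would close that gap, provided `yarn audit` can resolve from the manifest and lockfile alone, which is worth confirming. The same step is added at the end of web-lint.yml, after `yarn lint`, and the same points apply there.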