refactor(chatbot): modularize assistant engine and harden moderation β¦ #262
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scan | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| on: | |
| push: | |
| branches: [main, master, develop] | |
| paths-ignore: | |
| - '**.md' | |
| - 'issue/**' | |
| pull_request: | |
| branches: [main, master, develop] | |
| paths-ignore: | |
| - '**.md' | |
| - 'issue/**' | |
| merge_group: | |
| types: [checks_requested] | |
| schedule: | |
| - cron: '0 0 * * 0' | |
| defaults: | |
| run: | |
| working-directory: ./SortVision | |
| jobs: | |
| security-audit: | |
| name: Security Vulnerability Scan | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: Setup SortVision | |
| uses: ./.github/actions/setup-sortvision | |
| with: | |
| node-version: '24' | |
| # Fails the job on known high/critical vulnerabilities in production dependencies. | |
| - name: Audit production dependencies (high/critical) | |
| run: pnpm audit --production --audit-level=high | |
| - name: Write audit JSON for artifact | |
| if: always() | |
| run: (pnpm audit --production --json > audit-results.json) || echo '{}' > audit-results.json | |
| - name: Check for secrets | |
| uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2 | |
| with: | |
| extra_args: --only-verified | |
| - name: Upload audit results | |
| if: always() | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: security-audit-results | |
| path: SortVision/audit-results.json | |
| retention-days: 90 | |
| - name: Generate security summary | |
| if: always() | |
| run: | | |
| echo "## Security Scan Results" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "pnpm audit: fails on **high** and **critical** production issues." >> $GITHUB_STEP_SUMMARY | |
| echo "Moderate/low advisories: review \`pnpm audit\` locally or Dependabot alerts." >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "Scan completed at $(date -u +%Y-%m-%dT%H:%MZ)" >> $GITHUB_STEP_SUMMARY | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 | |
| with: | |
| fail-on-severity: moderate | |
| base-ref: ${{ github.event.pull_request.base.sha }} | |
| head-ref: ${{ github.event.pull_request.head.sha }} |