chore(deps-dev): bump hono from 4.12.5 to 4.12.16 in /r2-explorer #591
| # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled] | |
| workflow_dispatch: | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| validate-root-format-lint: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 45 | |
| env: | |
| CI_STRICT: "1" | |
| name: validate (root-format-lint) | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Install Nix | |
| uses: DeterminateSystems/nix-installer-action@v21 | |
| with: | |
| determinate: false | |
| extra-conf: | | |
| experimental-features = nix-command flakes | |
| require-sigs = true | |
| extra-substituters = https://nix-r2-cloudflare-flake.cachix.org https://wrangler.cachix.org | |
| extra-trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-r2-cloudflare-flake.cachix.org-1:pmYucG85iBm6Y+8TxNwqU5j/lmY1UBReZxIXslMFntw= wrangler.cachix.org-1:N/FIcG2qBQcolSpklb2IMDbsfjZKWg+ctxx0mSMXdSs= | |
| - name: Configure Cachix | |
| uses: cachix/cachix-action@v16 | |
| with: | |
| name: nix-r2-cloudflare-flake | |
| extraPullNames: wrangler | |
| authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| skipPush: ${{ !(github.event_name == 'push' && github.ref == 'refs/heads/main' && secrets.CACHIX_AUTH_TOKEN != '') }} | |
| - name: Validate target | |
| run: ./scripts/ci/validate.sh --target root-format-lint | |
| validate-root-flake-template-docs: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 45 | |
| env: | |
| CI_STRICT: "1" | |
| name: validate (root-flake-template-docs) | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Install Nix | |
| uses: DeterminateSystems/nix-installer-action@v21 | |
| with: | |
| determinate: false | |
| extra-conf: | | |
| experimental-features = nix-command flakes | |
| require-sigs = true | |
| extra-substituters = https://nix-r2-cloudflare-flake.cachix.org https://wrangler.cachix.org | |
| extra-trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-r2-cloudflare-flake.cachix.org-1:pmYucG85iBm6Y+8TxNwqU5j/lmY1UBReZxIXslMFntw= wrangler.cachix.org-1:N/FIcG2qBQcolSpklb2IMDbsfjZKWg+ctxx0mSMXdSs= | |
| - name: Configure Cachix | |
| uses: cachix/cachix-action@v16 | |
| with: | |
| name: nix-r2-cloudflare-flake | |
| extraPullNames: wrangler | |
| authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| skipPush: ${{ !(github.event_name == 'push' && github.ref == 'refs/heads/main' && secrets.CACHIX_AUTH_TOKEN != '') }} | |
| - name: Validate target | |
| run: ./scripts/ci/validate.sh --target root-flake-template-docs | |
| validate-root-cli-module-eval: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 45 | |
| env: | |
| CI_STRICT: "1" | |
| name: validate (root-cli-module-eval) | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Install Nix | |
| uses: DeterminateSystems/nix-installer-action@v21 | |
| with: | |
| determinate: false | |
| extra-conf: | | |
| experimental-features = nix-command flakes | |
| require-sigs = true | |
| extra-substituters = https://nix-r2-cloudflare-flake.cachix.org https://wrangler.cachix.org | |
| extra-trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-r2-cloudflare-flake.cachix.org-1:pmYucG85iBm6Y+8TxNwqU5j/lmY1UBReZxIXslMFntw= wrangler.cachix.org-1:N/FIcG2qBQcolSpklb2IMDbsfjZKWg+ctxx0mSMXdSs= | |
| - name: Configure Cachix | |
| uses: cachix/cachix-action@v16 | |
| with: | |
| name: nix-r2-cloudflare-flake | |
| extraPullNames: wrangler | |
| authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| skipPush: ${{ !(github.event_name == 'push' && github.ref == 'refs/heads/main' && secrets.CACHIX_AUTH_TOKEN != '') }} | |
| - name: Validate target | |
| run: ./scripts/ci/validate.sh --target root-cli-module-eval | |
| validate-worker-typecheck-test: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 45 | |
| env: | |
| CI_STRICT: "1" | |
| name: validate (worker-typecheck-test) | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Install Nix | |
| uses: DeterminateSystems/nix-installer-action@v21 | |
| with: | |
| determinate: false | |
| extra-conf: | | |
| experimental-features = nix-command flakes | |
| require-sigs = true | |
| extra-substituters = https://nix-r2-cloudflare-flake.cachix.org https://wrangler.cachix.org | |
| extra-trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-r2-cloudflare-flake.cachix.org-1:pmYucG85iBm6Y+8TxNwqU5j/lmY1UBReZxIXslMFntw= wrangler.cachix.org-1:N/FIcG2qBQcolSpklb2IMDbsfjZKWg+ctxx0mSMXdSs= | |
| - name: Configure Cachix | |
| uses: cachix/cachix-action@v16 | |
| with: | |
| name: nix-r2-cloudflare-flake | |
| extraPullNames: wrangler | |
| authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| skipPush: ${{ !(github.event_name == 'push' && github.ref == 'refs/heads/main' && secrets.CACHIX_AUTH_TOKEN != '') }} | |
| - name: Validate target | |
| run: ./scripts/ci/validate.sh --target worker-typecheck-test | |
| security-dependency-audit: | |
| name: security-dependency-audit | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 45 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Install Nix | |
| uses: DeterminateSystems/nix-installer-action@v21 | |
| with: | |
| determinate: false | |
| extra-conf: | | |
| experimental-features = nix-command flakes | |
| require-sigs = true | |
| extra-substituters = https://nix-r2-cloudflare-flake.cachix.org https://wrangler.cachix.org | |
| extra-trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-r2-cloudflare-flake.cachix.org-1:pmYucG85iBm6Y+8TxNwqU5j/lmY1UBReZxIXslMFntw= wrangler.cachix.org-1:N/FIcG2qBQcolSpklb2IMDbsfjZKWg+ctxx0mSMXdSs= | |
| - name: Configure Cachix | |
| uses: cachix/cachix-action@v16 | |
| with: | |
| name: nix-r2-cloudflare-flake | |
| extraPullNames: wrangler | |
| authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| skipPush: ${{ !(github.event_name == 'push' && github.ref == 'refs/heads/main' && secrets.CACHIX_AUTH_TOKEN != '') }} | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: 20 | |
| cache: pnpm | |
| cache-dependency-path: r2-explorer/pnpm-lock.yaml | |
| - name: Audit flake inputs (root + worker) | |
| run: | | |
| set -euo pipefail | |
| run_flake_checker() { | |
| local lock_path="$1" | |
| for attempt in 1 2 3; do | |
| if nix --accept-flake-config run nixpkgs#flake-checker -- \ | |
| --no-telemetry \ | |
| --fail-mode \ | |
| --check-outdated \ | |
| --check-owner \ | |
| --check-supported \ | |
| "$lock_path"; then | |
| return 0 | |
| fi | |
| if [[ "$attempt" -lt 3 ]]; then | |
| echo "flake-checker attempt ${attempt} failed for ${lock_path}; retrying..." >&2 | |
| sleep 5 | |
| fi | |
| done | |
| return 1 | |
| } | |
| run_flake_checker flake.lock | |
| run_flake_checker r2-explorer/flake.lock | |
| - name: Install Worker dependencies | |
| working-directory: r2-explorer | |
| run: pnpm install --frozen-lockfile | |
| - name: Audit Worker dependencies (high+critical) | |
| working-directory: r2-explorer | |
| run: pnpm audit --audit-level=high | |
| - name: Build root package for closure scan | |
| run: nix --accept-flake-config build .#r2 | |
| - name: Scan Nix closure with vulnix | |
| run: | | |
| set -euo pipefail | |
| out_path="$(nix --accept-flake-config path-info .#r2)" | |
| for attempt in 1 2 3; do | |
| if nix --accept-flake-config run nixpkgs#vulnix -- -C "$out_path" -w ./scripts/ci/vulnix-whitelist.toml; then | |
| exit 0 | |
| fi | |
| if [[ "$attempt" -lt 3 ]]; then | |
| echo "vulnix attempt ${attempt} failed; retrying..." >&2 | |
| sleep 5 | |
| fi | |
| done | |
| echo "vulnix scan failed after retries." >&2 | |
| exit 1 | |
| security-sensitive-change-policy: | |
| name: security-sensitive-change-policy | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| concurrency: | |
| group: ci-security-sensitive-change-policy-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - name: Detect sensitive changes | |
| id: detect | |
| uses: actions/github-script@v8 | |
| with: | |
| script: | | |
| const sensitivePatterns = [ | |
| /^\.github\/workflows\/.*/, | |
| /(^|\/)flake\.lock$/, | |
| /(^|\/)pnpm-lock\.yaml$/ | |
| ]; | |
| if (context.eventName !== "pull_request") { | |
| core.info("Sensitive-change policy is enforced on pull_request events."); | |
| core.setOutput("sensitive_changed", "false"); | |
| core.setOutput("matched_files", ""); | |
| return; | |
| } | |
| const prNumber = context.payload.pull_request.number; | |
| const files = await github.paginate( | |
| github.rest.pulls.listFiles, | |
| { | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| pull_number: prNumber, | |
| per_page: 100 | |
| } | |
| ); | |
| const matched = files | |
| .map((f) => f.filename) | |
| .filter((filename) => | |
| sensitivePatterns.some((pattern) => pattern.test(filename)) | |
| ); | |
| core.info(`Sensitive files changed: ${matched.length}`); | |
| core.setOutput("sensitive_changed", matched.length > 0 ? "true" : "false"); | |
| core.setOutput("matched_files", matched.join("\n")); | |
| - name: Enforce security review label for sensitive changes | |
| if: github.event_name == 'pull_request' && steps.detect.outputs.sensitive_changed == 'true' | |
| uses: actions/github-script@v8 | |
| with: | |
| script: | | |
| const requiredLabel = "security-review-approved"; | |
| const labels = (context.payload.pull_request.labels || []).map((label) => label.name); | |
| if (!labels.includes(requiredLabel)) { | |
| const changed = `${{ steps.detect.outputs.matched_files }}`; | |
| core.setFailed( | |
| [ | |
| `Sensitive file changes detected:\n${changed}`, | |
| `Missing required label: ${requiredLabel}`, | |
| "Add the label and ensure CODEOWNER approval before merge." | |
| ].join("\n\n") | |
| ); | |
| } |
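Review bot: The enforcement step in `security-sensitive-change-policy` interpolates `${{ steps.detect.outputs.matched_files }}` straight into the JavaScript source of the github-script template literal (the `const changed = ...` line), and that output is a newline-joined list of PR filenames — text controlled by the PR author, which a filename containing a backtick or `${` would turn into expression/script injection inside the runner. Pass it through the environment instead: add `env:` / `  MATCHED_FILES: ${{ steps.detect.outputs.matched_files }}` on the step and read it with `const changed = process.env.MATCHED_FILES ?? "";`. The job's token permissions are read-only (`contents: read`, `pull-requests: read`), which limits the blast radius, but the step still runs arbitrary code on the runner with GITHUB_TOKEN in scope, so the expression interpolation should go regardless. Separately, because this policy runs on `pull_request` rather than `pull_request_target`, a PR that edits this workflow runs its own copy of the job; presumably branch protection lists `security-sensitive-change-policy` as a required status check so a removed or neutered job still blocks merge — worth confirming.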