From 3b664d3e7437c324c7abf065f9dc71ce19836ece Mon Sep 17 00:00:00 2001
From: Jonathan Tsai
Date: Fri, 27 Mar 2026 15:56:46 +0800
Subject: [PATCH 1/6] ci: upgrade actions/checkout to v6 for Node.js 24 support
---
.github/workflows/ci.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6aa0728..74b9acc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ jobs: contents: read steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Install dependencies run: npm ci
@@ -54,7 +54,7 @@ jobs: image: returntocorp/semgrep:1.76.0 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Run Semgrep SAST scan run: semgrep scan --sarif --config p/security-audit --config p/owasp-top-ten --config p/cwe-top-25 --output semgrep.sarif
@@ -73,7 +73,7 @@ jobs: COMPOSE_FILE: docker-compose.ci.yml steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Build and start containers run: docker compose build --no-cache && docker compose up -d
@@ -96,7 +96,7 @@ jobs: COMPOSE_FILE: docker-compose.ci.yml steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Build Docker image with Node ${{ matrix.node-version }} run: |
@@ -117,7 +117,7 @@ jobs: COMPOSE_FILE: docker-compose.ci.yml steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Build and start containers run: docker compose build --no-cache && docker compose up -d
@@ -138,7 +138,7 @@ jobs: COMPOSE_FILE: docker-compose.ci.yml steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Build and start containers run: docker compose build --no-cache && docker compose up -d
From 6223e2202cf0990b3cd506e886ccbc6bf18e8357 Mon Sep 17 00:00:00 2001
From: Jonathan Tsai
Date: Fri, 27 Mar 2026 16:05:09 +0800
Subject: [PATCH 2/6] ci: add Node 24 to matrix and remove redundant verify job
---
.github/workflows/ci.yml | 21 +--------------------
1 file changed, 1 insertion(+), 20 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 74b9acc..0aa6a4c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -66,31 +66,12 @@ jobs: sarif_file: 'semgrep.sarif' category: 'sast-semgrep' - verify: - if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main') - runs-on: ubuntu-latest - env: - COMPOSE_FILE: docker-compose.ci.yml - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Build and start containers - run: docker compose build --no-cache && docker compose up -d - - - name: Run verify - run: docker compose exec -T app npm run verify - - - name: Tear down - if: always() - run: docker compose down -v --remove-orphans - verify-matrix: if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main') strategy: fail-fast: false matrix: - node-version: ['20', '22'] + node-version: ['20', '22', '24'] runs-on: ubuntu-latest env: COMPOSE_FILE: docker-compose.ci.yml
From f7ce78726fb137761b7115e6b57507a0e9ffbaed Mon Sep 17 00:00:00 2001
From: Jonathan Tsai
Date: Fri, 27 Mar 2026 16:08:02 +0800
Subject: [PATCH 3/6] ci: opt-in to Node.js 24 for GitHub Actions runtime
---
.github/workflows/ci.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0aa6a4c..6fae49d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,6 +3,9 @@ name: CI permissions: contents: read +env: + FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" + on: pull_request: push:
From 14b87beb064c42bb7c4b8c5eecfc9de6edc95731 Mon Sep 17 00:00:00 2001
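Review bot: Deleting the `verify` job changes the set of status-check names that branch protection can require; if the rules still list `verify`, pull requests block on a check that never reports, and if it was simply dropped, the matrix jobs are not a merge gate until they are added as required checks. The subjects of PATCH 5/6 and 6/6 suggest the rules were updated out-of-band, but nothing in the workflow records which names must stay required; add above `verify-matrix:` a comment such as `# Required status check for branch protection: one check per matrix entry, e.g. "verify-matrix (24)"` so the coupling survives the next rename. The same point applies to the `sca-trivy` to `sca-grype` job rename in PATCH 4/6. The `verify-matrix` job continues past the end of this hunk.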
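Review bot: The new workflow-level `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24` entry carries no explanation of why it is set or when it can be removed, which is what a transitional opt-in most needs; add above it `# Opt-in: run JavaScript actions on the Node.js 24 runtime ahead of the runner default; remove once no longer needed`. Placing `env:` between `permissions:` and `on:` also splits the usual `name`/`on`/`permissions` header order, so moving it below the `on:` block keeps the triggers readable at the top. Workflow env values are strings, so the quoted `"true"` is the right form and should stay quoted.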
From: Jonathan Tsai
Date: Fri, 27 Mar 2026 16:41:50 +0800
Subject: [PATCH 4/6] ci: replace Trivy with Grype for SCA scanning
---
.github/workflows/ci.yml | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6fae49d..de6c7bd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ on: - cron: "0 2 * * 1" jobs: - sca-trivy: + sca-grype: if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main') runs-on: ubuntu-latest permissions:
@@ -30,22 +30,21 @@ jobs: - name: Install dependencies run: npm ci - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + - name: Run Grype vulnerability scanner + uses: anchore/scan-action@v7 with: - scan-type: 'fs' - scan-ref: '.' - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - exit-code: '1' - - - name: Upload Trivy results to GitHub Security tab + path: '.' + output-format: 'sarif' + output-file: 'grype-results.sarif' + severity-cutoff: 'high' + fail-build: true + + - name: Upload Grype results to GitHub Security tab uses: github/codeql-action/upload-sarif@v4 if: always() with: - sarif_file: 'trivy-results.sarif' - category: 'sca-trivy' + sarif_file: 'grype-results.sarif' + category: 'sca-grype' sast-semgrep: if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
From 4700665691fa6102a62280ec97981fbb7458a843 Mon Sep 17 00:00:00 2001
From: Jonathan Tsai
Date: Fri, 27 Mar 2026 17:21:35 +0800
Subject: [PATCH 5/6] chore: trigger CI for updated branch protection rules
From c1392235ff7a1910fabbf13ab21b76b356ae5896 Mon Sep 17 00:00:00 2001
From: Jonathan Tsai
Date: Fri, 27 Mar 2026 17:28:30 +0800
Subject: [PATCH 6/6] chore: trigger CI for matrix check names
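Review bot: The replacement scanner is referenced by the mutable tag `anchore/scan-action@v7`, so the step that decides whether the build fails on vulnerability findings runs whatever commit that tag points to on the day; pin it to a full commit SHA with the version kept as a comment, `uses: anchore/scan-action@<full-commit-sha>  # v7` (placeholder, resolve from the upstream release). This is still a clear improvement over the removed `aquasecurity/trivy-action@master`, and the same pinning applies to the `github/codeql-action/upload-sarif@v4` context line in this hunk and to the `actions/checkout@v6` lines in PATCH 1/6. `fail-build: true` together with `severity-cutoff: 'high'` reads as the counterpart of the removed `exit-code: '1'` / `severity: 'CRITICAL,HIGH'` pair, and keeping `if: always()` on the upload step means findings still reach the Security tab when the scan fails the job; a one-line comment on the `fail-build` line saying that the upload step is deliberately unconditional would spare the next reader re-deriving it.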