chore(deps): Update @posthog/types to 1.342.0 (#14823) #2169
| on: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| name: Security | |
| permissions: | |
| contents: read | |
| env: | |
| SEMGREP_ENABLE_VERSION_CHECK: 'false' | |
| jobs: | |
| ensure-pinned-actions: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Ensure SHA pinned actions | |
| uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74 # v4.0.0 | |
| with: | |
| allowlist: | | |
| actions/ | |
| aws-actions/ | |
| docker/ | |
| github/ | |
| hashicorp/ | |
| PostHog/ | |
| tailscale/ | |
| inkeep/ | |
| semgrep-js: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: returntocorp/semgrep | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| # exclude react-markdown rule: we use rehypeSanitize to sanitize HTML output | |
| - name: Run Semgrep | |
| run: | | |
| semgrep \ | |
| --config "p/javascript" \ | |
| --config "p/owasp-top-ten" \ | |
| --config "p/security-audit" \ | |
| --config "p/trailofbits" \ | |
| --exclude-rule typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html \ | |
| --error \ | |
| --metrics=off \ | |
| --verbose \ | |
| src/ gatsby/ plugins/ api/ *.js *.ts *.tsx | |
| # scans GitHub Actions and other repo-wide config | |
| semgrep-general: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: returntocorp/semgrep | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| # exclude all directories already scanned by other jobs | |
| - name: Run Semgrep | |
| run: | | |
| semgrep \ | |
| --config "p/owasp-top-ten" \ | |
| --config "p/security-audit" \ | |
| --config "p/trailofbits" \ | |
| --config "p/github-actions" \ | |
| --error \ | |
| --metrics=off \ | |
| --verbose \ | |
| --exclude ./src/ \ | |
| --exclude ./gatsby/ \ | |
| --exclude ./plugins/ \ | |
| --exclude ./api/ \ | |
| --exclude ./contents/ \ | |
| . | |
| semgrep_checks: | |
| needs: [semgrep-js, semgrep-general] | |
| name: Semgrep Checks Pass | |
| runs-on: ubuntu-latest | |
| if: always() | |
| steps: | |
| - name: Check matrix outcome | |
| run: | | |
| if [[ "${{ needs.semgrep-js.result }}" != "success" && "${{ needs.semgrep-js.result }}" != "skipped" ]]; then | |
| echo "semgrep-js did not complete successfully." | |
| exit 1 | |
| fi | |
| if [[ "${{ needs.semgrep-general.result }}" != "success" && "${{ needs.semgrep-general.result }}" != "skipped" ]]; then | |
| echo "semgrep-general did not complete successfully." | |
| exit 1 | |
| fi | |
| echo "All checks passed." |
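Review bot: The Semgrep container on the two `image: returntocorp/semgrep` lines (semgrep-js and semgrep-general) is unpinned, with neither a tag nor a digest, so every run pulls whatever the registry currently serves as latest; that contradicts the supply-chain intent of the ensure-pinned-actions job and makes scan results non-reproducible between runs. Pinning by digest, `image: returntocorp/semgrep@sha256:<DIGEST-PLACEHOLDER>`, and bumping it deliberately gives the scanner image the same guarantee the workflow already demands of actions (the `actions/checkout@v6` tag pin passes only because `actions/` is on the allowlist). Separately, the comment `# exclude all directories already scanned by other jobs` does not match `--exclude ./contents/`, because semgrep-js scans only src/, gatsby/, plugins/, api/ and root-level JS/TS files, so contents/ is scanned by no job at all. If that directory is purely documentation the exclude is fine, but the comment should then say so, e.g. `# exclude directories scanned by semgrep-js, plus contents/ (documentation only)`; I cannot confirm what contents/ holds from here.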