diff --git a/.bundler-audit.yml b/.bundler-audit.yml
deleted file mode 100644
index 8aa41a51a..000000000
--- a/.bundler-audit.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-ignore:
- - CVE-2022-25765
diff --git a/.github/workflows/bundler-audit.yml b/.github/workflows/bundler-audit.yml
new file mode 100644
index 000000000..90c591f8a
--- /dev/null
+++ b/.github/workflows/bundler-audit.yml
@@ -0,0 +1,46 @@
+name: Ensure Bundler-Audit Passes
+ on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+ jobs:
+ bundler-audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Set up Ruby and install gems
+ uses: ./.github/actions/setup-ruby-deps
+ - name: Run Bundler-Audit
+ run: |
+ mkdir -p tmp
+ # Allow bundler-audit to return 1 (vulnerabilities found) without failing the step
+ set +e
+ bundle exec bundler-audit check --update > tmp/bundler-audit-output.txt
+ AUDIT_EXIT=$?
+ set -e
+ if [ $AUDIT_EXIT -ne 0 ] && [ $AUDIT_EXIT -ne 1 ]; then
+ echo "bundler-audit failed unexpectedly (exit code $AUDIT_EXIT)"
+ exit $AUDIT_EXIT
+ fi
+ shell: bash
+ - name: Analyze Bundler-Audit Output
+ run: |
+ if grep -Eq '^Criticality:\s*(Critical|High)' tmp/bundler-audit-output.txt; then
+ echo "High or Critical vulnerabilities detected!"
+ cat tmp/bundler-audit-output.txt
+ exit 1
+ else
+ echo "No High or Critical vulnerabilities detected."
+ fi
+ shell: bash
+ - name: Upload Bundler-Audit Report
+ uses: actions/upload-artifact@v4
+ with:
+ name: bundler-audit-report
+ path: tmp/bundler-audit-output.txt
diff --git a/Gemfile.lock b/Gemfile.lock
index 862db3234..5ebb134b6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -377,11 +377,11 @@ PLATFORMS
 aarch64-linux
 aarch64-linux-gnu
 aarch64-linux-musl
- arm64-darwin-23
 arm-linux
 arm-linux-gnu
 arm-linux-musl
 arm64-darwin
+ arm64-darwin-23
 x86-linux
 x86-linux-gnu
 x86-linux-musl
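Review bot: The gate in the "Analyze Bundler-Audit Output" step only fails when a `Criticality:` line reads Critical or High, so Medium, Low and `Unknown`-rated advisories, and insecure-source findings (which bundler-audit reports without a `Criticality:` line), pass silently even though the "Run Bundler-Audit" step already captured exit code 1 for them; if lower-severity findings are meant to pass, say so in that step's comment, otherwise also fail when `AUDIT_EXIT` is 1 and use the grep only to sharpen the message. The job also declares no `permissions:` and pulls `actions/checkout@v3` by floating tag (next to `upload-artifact@v4`); add `permissions:` / `  contents: read` at the top of the workflow and pin both actions to a full commit SHA so a moved tag cannot run arbitrary code in CI. Deleting `.bundler-audit.yml` also drops the previous ignore of CVE-2022-25765, so that advisory is now subject to the same High/Critical rule; whether it now fails or passes depends on its rating in the advisory DB fetched by `--update`, which is worth stating in the PR description.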