diff --git a/.github/workflows/nuget-reference-check.yml b/.github/workflows/nuget-reference-check.yml new file mode 100644 index 00000000..6c4712ad --- /dev/null +++ b/.github/workflows/nuget-reference-check.yml @@ -0,0 +1,53 @@ +name: "nuget package reference check" + +on: + push: + pull_request: + schedule: + - cron: '0 8 * * *' + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + # We must fetch at least the immediate parents so that if this is + # a pull request then we can checkout the head. + fetch-depth: 2 + + - name: Setup .NET Environment + uses: actions/setup-dotnet@v4 + with: + dotnet-version: 8.0.x + + - name: add Starion GitHub nuget feed + run: dotnet nuget add source https://nuget.pkg.github.com/STARIONGROUP/index.json -n GHRHEA -u gh -p ${{ secrets.GH_PR_TOKEN }} --store-password-in-clear-text + + - name: add DevExpress nuget feed + run: dotnet nuget add source https://nuget.devexpress.com/api -n DXFeed -u DevExpress -p ${{ secrets.DEVEXPRESS_NUGET_KEY }} --store-password-in-clear-text + + - name: Restore dependencies + run: dotnet restore COMETwebapp.sln + + - name: Build + run: dotnet build COMETwebapp.sln --no-restore /p:ContinuousIntegrationBuild=true + + - name: Checking NuGet vulnerabilites + run: | + set -e + dotnet list COMETwebapp.sln package --outdated --include-transitive + + dotnet list COMETwebapp.sln package --deprecated --include-transitive + + dotnet list COMETwebapp.sln package --vulnerable --include-transitive 2>&1 | tee vulnerabilities.log + + echo "Analyze dotnet list package command log output..." + if grep -q -i "\bcritical\b\|\bhigh\b\|\bmoderate\b\|\blow\b" vulnerabilities.log; then + echo "Security Vulnerabilities found" + exit 1 + else + echo "No Security Vulnerabilities found" + exit 0 + fi \ No newline at end of file