realworld-apps/realworld

4 workflows · maturity 67% · 3 patterns · GitHub ↗

Security 14.58/100

Practices

✓ Matrix · ✓ Permissions · ✓ Security scan · ○ AI review · ○ Cache · ✓ Concurrency · ○ Reusable workflows

Detected patterns

Security dimensions

permissions: 6.3
security scan: 8.3
supply chain: 0
secret handling: 0
harden runner: 0

Tools: github/codeql-action/analyze, github/codeql-action/init

Workflows (4)

bruno-check .github/workflows/bruno-check.yml
Triggers
push, pull_request
Runs on
ubuntu-latest
Jobs
bruno-check
Actions
oven-sh/setup-bun
Commands
  • make bruno-check
View raw YAML
name: 'Bruno Check'

on:
  push:
  pull_request:

jobs:
  bruno-check:
    name: Verify Bruno collection is up-to-date
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2

      - name: Check Bruno collection is up-to-date
        run: make bruno-check
codeql matrix security .github/workflows/codeql.yml
Triggers
workflow_dispatch, schedule
Runs on
ubuntu-latest
Jobs
analyze
Matrix
language→ javascript
Actions
github/codeql-action/init, github/codeql-action/analyze
View raw YAML
name: 'CodeQL'

on:
  workflow_dispatch:
  schedule:
    - cron: '24 3 * * 3'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: ['javascript']

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: '/language:${{matrix.language}}'
deploy-docs perms .github/workflows/deploy-docs.yml
Triggers
push, workflow_dispatch
Runs on
ubuntu-latest, ubuntu-latest
Jobs
build, deploy
Actions
oven-sh/setup-bun, actions/configure-pages, actions/upload-pages-artifact, actions/deploy-pages
Commands
  • bun install
  • bun run build
View raw YAML
name: Deploy Documentation

on:
  push:
    branches: [main]
    paths:
      - 'docs/**'
      - '.github/workflows/deploy-docs.yml'
  workflow_dispatch:  # allow manual trigger

permissions:
  contents: read
  pages: write
  id-token: write

concurrency:
  group: pages
  cancel-in-progress: false

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - name: Setup Pages
        uses: actions/configure-pages@v4

      - name: Install dependencies
        run: bun install
        working-directory: ./docs

      - name: Build documentation
        run: bun run build
        working-directory: ./docs

      - name: Upload artifact
        uses: actions/upload-pages-artifact@v4
        with:
          path: './docs/dist'

  deploy:
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v4
spammy-guardian .github/workflows/spammy-guardian.yml
Triggers
workflow_dispatch, issue_comment, issues
Runs on
ubuntu-latest
Jobs
spammy-guardian
Actions
kerhub/spammy-guardian
View raw YAML
name: Spammy Guardian
on:
  workflow_dispatch:
    inputs:
      issueId:
        description: 'id of the issue to test against'
        required: true
  issue_comment:
  issues:
    types: [opened]
jobs:
  spammy-guardian:
    runs-on: ubuntu-latest
    # Skip events raised by either bot: both comparisons must hold, so the operator is && (with '||' the condition was always true)
    if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'netlify[bot]' }}
    steps:
      - uses: kerhub/spammy-guardian@fa79bcda24df6dae5b93285e1749e59c77add4bd
        with:
          token: ${{ secrets.GITHUB_TOKEN }}