Add a basic lockfile security check action

.github/actions/security/lockfile/action.yml

@@ -0,0 +1,24 @@
+name: 'Analyze lockfile dependencies'
+description: 'Parse dependencies from the yarn lockfile and run security tests on them'
+inputs:
+  path:
+    description: 'Path to the yarn lockfile'
+    required: false
+    default: 'yarn.lock'
+  type:
+    description: 'Lockfile type, either yarn or npm'
+    default: 'yarn'
+    required: false
+  allowedHosts:
+    description: 'Allowed hosts for packages resolution'
+    required: false
+    default: 'https://registry.yarnpkg.com'
+runs:
+  using: 'composite'
+  steps:
+    - run: $GITHUB_ACTION_PATH/script.sh
+      env:
+        LOCKFILE_PATH: ${{ inputs.path }}
+        LOCKFILE_TYPE: ${{ inputs.type }}
+        LOCKFILE_ALLOWED_HOSTS: ${{ inputs.allowedHosts }}
+      shell: bash

.github/actions/security/lockfile/script.sh

@@ -0,0 +1,7 @@
+yarn global add lockfile-lint
+
+lockfile-lint \
+    --type $LOCKFILE_TYPE \
+    --path $LOCKFILE_PATH \
+    --allowed-hosts $LOCKFILE_ALLOWED_HOSTS \
+    --validate-https

.github/workflows/checks.yml

@@ -17,3 +17,8 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - uses: ./.github/actions/check-pr-status
+  security-lockfile-analysis:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/actions/security/lockfile