From 59297aa5dd88149ecd5c0e28a856494ea1ed0f3c Mon Sep 17 00:00:00 2001
From: Convly
Date: Tue, 1 Mar 2022 11:47:49 +0100
Subject: [PATCH 1/2] Add a basic lockfile security check action

---
 .github/actions/security/lockfile/action.yml | 24 ++++++++++++++++++++
 .github/actions/security/lockfile/script.sh | 7 ++++++
 .github/workflows/checks.yml | 5 ++++
 3 files changed, 36 insertions(+)
 create mode 100644 .github/actions/security/lockfile/action.yml
 create mode 100644 .github/actions/security/lockfile/script.sh

diff --git a/.github/actions/security/lockfile/action.yml b/.github/actions/security/lockfile/action.yml
new file mode 100644
index 0000000000..9eb24ffcef
--- /dev/null
+++ b/.github/actions/security/lockfile/action.yml
@@ -0,0 +1,24 @@
+name: 'Analyze lockfile dependencies'
+description: 'Parse dependencies from the yarn lockfile and run security tests on them'
+inputs:
+ path:
+ description: 'Path to the yarn lockfile'
+ required: false
+ default: 'yarn.lock'
+ type:
+ description: 'Lockfile type, either yarn or npm'
+ default: 'yarn'
+ required: false
+ allowedHosts:
+ description: 'Allowed hosts for packages resolution'
+ required: false
+ default: 'https://registry.yarnpkg.com'
+runs:
+ using: 'composite'
+ steps:
+ - run: $GITHUB_ACTION_PATH/script.sh
+ env:
+ LOCKFILE_PATH: ${{ inputs.path }}
+ LOCKFILE_TYPE: ${{ inputs.type }}
+ LOCKFILE_ALLOWED_HOSTS: ${{ inputs.allowedHosts }}
+ shell: bash
diff --git a/.github/actions/security/lockfile/script.sh b/.github/actions/security/lockfile/script.sh
new file mode 100644
index 0000000000..1a6db6d0c5
--- /dev/null
+++ b/.github/actions/security/lockfile/script.sh
@@ -0,0 +1,7 @@
+yarn global add lockfile-lint
+
+lockfile-lint \
+ --type $LOCKFILE_TYPE \
+ --path $LOCKFILE_PATH \
+ --allowed-hosts $LOCKFILE_ALLOWED_HOSTS \
+ --validate-https
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index c5dd384ccf..cdbee9aa48 100644
--- a/.github/workflows/checks.yml
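Review bot: The `allowedHosts` default `'https://registry.yarnpkg.com'` carries a scheme, while lockfile-lint's `--allowed-hosts` is documented with bare hostnames or the `yarn`/`npm` aliases; confirm that the URL form is accepted, because if it is not the default either gets rejected or never matches any resolved URL and the check's outcome is decided by the wrong thing. `default: 'registry.yarnpkg.com'` is the safer spelling, and the `description` should say that the value is passed straight to `--allowed-hosts` and may hold several space-separated hosts, since the script splits it on whitespace. The `type` input is likewise handed unchecked to `--type`; a one-line note that only `yarn` and `npm` are meaningful and that anything else fails at lint time would spare the next maintainer a guess. The step's `run: $GITHUB_ACTION_PATH/script.sh` should quote the path, `run: "$GITHUB_ACTION_PATH/script.sh"`, as every other shell expansion in this action ought to be.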
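Review bot: `yarn global add lockfile-lint` installs whatever version is latest at run time, so the tool that is supposed to guard the supply chain is itself an unpinned dependency fetched on every CI run; pin it to a known version (placeholder below) and bump deliberately. The script also has no shebang and no `set -euo pipefail`, so a failed install or an unexpanded `LOCKFILE_PATH` is not caught where it happens but surfaces later as a confusing `command not found` or a lint of the wrong file, and the three `$LOCKFILE_*` expansions are unquoted. `--validate-https` only checks the scheme; adding `--validate-package-names` (available in the lockfile-lint versions that support it — verify against the pinned one) also rejects entries whose resolved URL names a different package than the lockfile key, which is the typical lockfile-tampering pattern this action exists to catch. Since `allowedHosts` is a single env var, split it explicitly into an array so a space-separated list still works under quoting.

```shell
#!/usr/bin/env bash
set -euo pipefail

# Pin the linter: an unpinned security tool is itself a supply-chain input.
yarn global add "lockfile-lint@<PINNED_VERSION>"

# allowedHosts may carry several space-separated hosts; split deliberately
# instead of relying on unquoted word splitting.
read -r -a allowed_hosts <<< "$LOCKFILE_ALLOWED_HOSTS"

lockfile-lint \
  --type "$LOCKFILE_TYPE" \
  --path "$LOCKFILE_PATH" \
  --allowed-hosts "${allowed_hosts[@]}" \
  --validate-https \
  --validate-package-names
```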
+++ b/.github/workflows/checks.yml
@@ -17,3 +17,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 - uses: ./.github/actions/check-pr-status
+ security-lockfile-analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: ./.github/actions/security/lockfile

From 10743c1e64b5953f1de3a4882cc91ceed64bde3f Mon Sep 17 00:00:00 2001
From: Convly
Date: Tue, 1 Mar 2022 12:06:34 +0100
Subject: [PATCH 2/2] Add x permission to the lockfile script.sh script

---
 .github/actions/security/lockfile/script.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 .github/actions/security/lockfile/script.sh

diff --git a/.github/actions/security/lockfile/script.sh b/.github/actions/security/lockfile/script.sh
old mode 100644
new mode 100755
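Review bot: The new `security-lockfile-analysis` job declares no `permissions:` block, so it inherits the repository default for `GITHUB_TOKEN`, which on many repositories is read-write; a job that only checks out and lints a lockfile needs nothing beyond `contents: read`. Add `permissions:` / `  contents: read` under the job (or at workflow level if the sibling jobs need no more either) so a compromised or malicious lockfile-lint release cannot use the token to write to the repository. The enclosing `jobs:` mapping starts outside the hunk, and the hunk's indentation appears flattened in this copy, so place the key at the same level as `runs-on`.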