a0a611525c
MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go, use c.ClientIP() only (respects SetTrustedProxies) MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod MEDIUM-009: Add trial-already-used check in subscription service MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections MEDIUM-011: Mask email in auth handler logs with maskEmail() helper MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats LOW-001: Align frontend password policy to 12 chars (matching backend) LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server LOW-004: Enable xpack.security in Elasticsearch dev/local compose files LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background() LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests) 29/30 findings remediated. 1 noted (LOW-002). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
47 lines
1.3 KiB
YAML
47 lines
1.3 KiB
YAML
# Storybook audit: build static Storybook, serve it, run the audit script.
|
|
# Fails the job if any story has console errors, page errors, or unhandled network failures.
|
|
# See docs/STORYBOOK_CONTRACT.md and apps/web/scripts/audit-storybook.js.
|
|
name: Storybook Audit
|
|
|
|
on:
|
|
push:
|
|
paths:
|
|
- "apps/web/**"
|
|
- ".github/workflows/storybook-audit.yml"
|
|
pull_request:
|
|
paths:
|
|
- "apps/web/**"
|
|
- ".github/workflows/storybook-audit.yml"
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
audit:
|
|
name: Build & audit Storybook
|
|
runs-on: ubuntu-latest
|
|
defaults:
|
|
run:
|
|
working-directory: apps/web
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Set up Node
|
|
uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
|
|
with:
|
|
node-version: "20"
|
|
cache: "npm"
|
|
cache-dependency-path: apps/web/package-lock.json
|
|
|
|
- name: Install dependencies
|
|
run: npm ci
|
|
|
|
- name: Install Playwright Chromium
|
|
run: npx playwright install chromium --with-deps
|
|
|
|
- name: Validate Storybook (build, serve 6007, audit)
|
|
run: npm run validate:storybook
|
|
env:
|
|
VITE_API_URL: /api/v1
|
|
VITE_USE_MSW: "true"
|
|
VITE_STORYBOOK: "true"
|