From 3ae41fb80834440e4b615debfb57ba12329d4618 Mon Sep 17 00:00:00 2001 From: LloydDuhon Date: Thu, 21 May 2026 08:46:45 -0400 Subject: [PATCH] Add Shai-Hulud hardening --- .github/workflows/shai-hulud-check.yml | 36 ++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/shai-hulud-check.yml diff --git a/.github/workflows/shai-hulud-check.yml b/.github/workflows/shai-hulud-check.yml new file mode 100644 index 0000000..341b270 --- /dev/null +++ b/.github/workflows/shai-hulud-check.yml @@ -0,0 +1,36 @@ +name: Shai-Hulud Security Check + +on: + pull_request: + paths: + - "**/package.json" + - "**/package-lock.json" + - "**/yarn.lock" + - "**/pnpm-lock.yaml" + - "**/bun.lockb" + - ".github/workflows/shai-hulud-check.yml" + push: + branches: [main, master] + paths: + - "**/package.json" + - "**/package-lock.json" + - "**/yarn.lock" + - "**/pnpm-lock.yaml" + - "**/bun.lockb" + - ".github/workflows/shai-hulud-check.yml" + schedule: + - cron: "27 9 * * 1" + workflow_dispatch: {} + +permissions: + contents: read + +jobs: + scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - uses: gensecaihq/Shai-Hulud-2.0-Detector@v2 + with: + scan-lockfiles: true + fail-on-critical: true