DX | 12-05-2025 | Release

.github/workflows/release.yml

@@ -8,10 +8,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3.5.3
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          node-version: "18.x"
+          node-version: "22.x"
       - run: npm install
 
       - name: install npm packall
@@ -24,7 +24,7 @@ jobs:
 # Else New release will be created
       - name: Bump version and push tag
         id: tag_version
-        uses: mathieudutour/github-tag-action@v6.1
+        uses: mathieudutour/github-tag-action@v6.2
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           default_bump: false

.husky/pre-commit

@@ -0,0 +1,69 @@
+#!/usr/bin/env sh
+# Pre-commit hook to run Talisman and Snyk scans, completing both before deciding to commit
+
+# Function to check if a command exists
+command_exists() {
+  command -v "$1" >/dev/null 2>&1
+}
+
+# Check if Talisman is installed
+if ! command_exists talisman; then
+  echo "Error: Talisman is not installed. Please install it and try again."
+  exit 1
+fi
+
+# Check if Snyk is installed
+if ! command_exists snyk; then
+  echo "Error: Snyk is not installed. Please install it and try again."
+  exit 1
+fi
+
+# Allow bypassing the hook with an environment variable
+if [ "$SKIP_HOOK" = "1" ]; then
+  echo "Skipping Talisman and Snyk scans (SKIP_HOOK=1)."
+  exit 0
+fi
+
+# Initialize variables to track scan results
+talisman_failed=false
+snyk_failed=false
+
+# Run Talisman secret scan
+echo "Running Talisman secret scan..."
+talisman --githook pre-commit > talisman_output.log 2>&1
+talisman_exit_code=$?
+
+if [ $talisman_exit_code -eq 0 ]; then
+  echo "Talisman scan passed: No secrets found."
+else
+  echo "Talisman scan failed (exit code $talisman_exit_code). See talisman_output.log for details."
+  talisman_failed=true
+fi
+
+# Run Snyk vulnerability scan (continues even if Talisman failed)
+echo "Running Snyk vulnerability scan..."
+snyk test --all-projects --fail-on=all > snyk_output.log 2>&1
+snyk_exit_code=$?
+
+if [ $snyk_exit_code -eq 0 ]; then
+  echo "Snyk scan passed: No vulnerabilities found."
+elif [ $snyk_exit_code -eq 1 ]; then
+  echo "Snyk found vulnerabilities. See snyk_output.log for details."
+  snyk_failed=true
+else
+  echo "Snyk scan failed with error (exit code $snyk_exit_code). See snyk_output.log for details."
+  snyk_failed=true
+fi
+
+# Evaluate results after both scans
+if [ "$talisman_failed" = true ] || [ "$snyk_failed" = true ]; then
+  echo "Commit aborted due to issues found in one or both scans."
+  [ "$talisman_failed" = true ] && echo "- Talisman issues: Check talisman_output.log"
+  [ "$snyk_failed" = true ] && echo "- Snyk issues: Check snyk_output.log"
+  exit 1
+fi
+
+# If both scans pass, allow the commit
+echo "All scans passed. Proceeding with commit."
+rm -f talisman_output.log snyk_output.log
+exit 0

.talismanrc

@@ -2,10 +2,11 @@ fileignoreconfig:
 - filename: .github/workflows/secrets-scan.yml
   ignore_detectors:
     - filecontent
-  - filename: package-lock.json
-    checksum: 4dc3e113527983251f6351c3fbfb9bc6129331c3ee85a78f10d72cdcc9de8186
-  - filename: src/commands/cm/stacks/validate-regex.ts
-    checksum: 883813675c599a981450130bcd377eb44aad27bf86628c56bfc89a7f1ac47d5e
-  - filename: messages/index.json
-    checksum: 01e9c9b943bfa1ebe6e7d6bede86b55b08641d64b9cc8af6cedea5c0a6273468
+- filename: package-lock.json
+  checksum: f5ee5780b8631eb4cfc7186057e47683089a38d45baa7208488d3e5f702c7bf5
+- filename: src/commands/cm/stacks/validate-regex.ts
+- filename: .husky/pre-commit
+  checksum: 1b9367d219802de2e3a8af9c5c698e0c255c00af89339d73bdbb8acf5275079f
+- filename: messages/index.json
+  checksum: 01e9c9b943bfa1ebe6e7d6bede86b55b08641d64b9cc8af6cedea5c0a6273468
 version: ""