
PWA-1219: Reusable Deployment Workflow #76

Merged

Conversation

@jmurphy-res (Collaborator) commented Dec 21, 2023

https://resideo.atlassian.net/browse/PWA-1219

Added a reusable composite workflow for the web projects to use for releases.

The workflow creates a release candidate branch and pull request.

Readme
[image]

Example Output
[image]

Generates a reminder comment at the bottom
[image]


github-actions bot commented Dec 21, 2023

Vulnerabilities

Below is the list of dependencies with security vulnerabilities, grouped by severity level.


HIGH (2)

glob-parent@3.1.0 ⚠️ -914 days overdue
Current Ver.: 3.1.0
Status: fixed in 5.1.2
Severity: 7.5
Grace Period: ⚠️ -914 days overdue
Description: This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Source: Link
Yarn Why
yarn why v1.22.21
[1/4] Why do we have the module "glob-parent"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
info 
=> Found "[email protected]"
info Has been hoisted to "glob-parent"
info Reasons this module exists
   - "workspace-aggregator-4f9b85c1-b457-4b41-b650-019af94990f5" depends on it
   - Hoisted from "_project_#eslint#glob-parent"
   - Hoisted from "_project_#lerna#@lerna#add#@lerna#command#@lerna#project#glob-parent"
info 
=> Found "fast-glob#[email protected]"
info This module exists because "_project_#lerna#@lerna#create#globby#fast-glob" depends on it.
Done in 2.78s.
Current Version
Instances:
   /home/runner/work/actions/actions/twistlock/package.json
   /home/runner/work/actions/actions/package.json
   /home/runner/work/actions/actions/start-and-check/package.json
All Instances:
   3.1.0 at /home/runner/work/actions/actions/twistlock/package.json
   5.1.2 at /home/runner/work/actions/actions/twistlock/package.json
   5.1.2 at /home/runner/work/actions/actions/package.json
   3.1.0 at /home/runner/work/actions/actions/package.json
   5.1.2 at /home/runner/work/actions/actions/start-and-check/package.json
   3.1.0 at /home/runner/work/actions/actions/start-and-check/package.json
unset-value@1.0.0 ⚠️ -651 days overdue
Current Ver.: 1.0.0
Status: fixed in 2.0.1
Severity: 8
Grace Period: ⚠️ -651 days overdue
Description: unset-value package versions before 2.0.1 are vulnerable to Prototype Pollution. The unset() function in index.js allows access to object prototype properties. An attacker can exploit this to override the behavior of object prototypes, resulting in a possible Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected behavior.
Source: Link
Yarn Why
yarn why v1.22.21
[1/4] Why do we have the module "unset-value"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
info 
=> Found "[email protected]"
info Reasons this module exists
   - "_project_#lerna#@lerna#create#globby#fast-glob#micromatch#snapdragon#base#cache-base" depends on it
   - Hoisted from "_project_#lerna#@lerna#create#globby#fast-glob#micromatch#snapdragon#base#cache-base#unset-value"
Done in 2.99s.
Current Version
Instances:
   /home/runner/work/actions/actions/twistlock/package.json
   /home/runner/work/actions/actions/package.json
   /home/runner/work/actions/actions/start-and-check/package.json
All Instances:
   1.0.0 at /home/runner/work/actions/actions/twistlock/package.json
   1.0.0 at /home/runner/work/actions/actions/package.json
   1.0.0 at /home/runner/work/actions/actions/start-and-check/package.json

The following dependencies are excluded from the github comment because they could not be found within the repository/monorepo: marked, marked, marked, shelljs, shelljs, mocha, mocha, mocha, mocha, mocha, mocha, mocha, mocha, mocha, mocha, mocha, mocha, mocha, mocha, mocha, mocha, mocha, mocha, csv-parse, codecov, codecov, codecov, grunt, grunt, grunt.

Generated by resideo/actions/twistlock.
Please create an issue in the repository if you have any feedback.

@jmurphy-res jmurphy-res merged commit a01d407 into master Jan 3, 2024
4 checks passed
@jmurphy-res jmurphy-res deleted the PWA-1219-github-actions-reusable-deployment-workflows branch January 3, 2024 19:56