@ckeditor/ckeditor5-dev-ci 54.5.0 → 54.6.0

package/README.md

@@ -129,6 +129,25 @@ These commands accept a mix of environment variables and command line arguments.
     Can be omitted if it matches `--slug`.
   - `--release-branch` — *(Optional)* Branch that leads the release process.
 
+- ⚙️ **`ckeditor5-dev-ci-trigger-snyk-scan`**
+
+  Publishes Snyk code and dependency snapshots for the current branch.
+  It configures the Snyk CLI to use the EU endpoint and the provided organization, then runs `snyk code test --report` and `snyk monitor --all-projects --detection-depth=2`.
+
+  **Environment variables:**
+  - `SNYK_TOKEN` — Snyk token used for authentication.
+
+  **CircleCI-provided variables:**
+  - `CIRCLE_BRANCH` — Git branch used as Snyk's `target-reference`.
+
+  **Parameters:**
+  - `--organization` — Snyk organization ID or slug.
+
+  **Behavior:**
+  - Limits dependency snapshot detection to the repository root and `packages/*`, so test fixtures and deeper nested manifests are ignored.
+  - Accepts exit code `1` from `snyk code test --report`, so code snapshots are still published when vulnerabilities are found.
+  - Requires exit code `0` from `snyk monitor --all-projects`, because any other code means the dependency snapshot was not created.
+
 ## Changelog
 
 See the [`CHANGELOG.md`](https://github.com/ckeditor/ckeditor5-dev/blob/master/packages/ckeditor5-dev-ci/CHANGELOG.md) file.

package/bin/trigger-snyk-scan.js

@@ -0,0 +1,73 @@
+#!/usr/bin/env node
+
+/**
+ * @license Copyright (c) 2003-2026, CKSource Holding sp. z o.o. All rights reserved.
+ * For licensing, see LICENSE.md.
+ */
+
+import { parseArgs } from 'node:util';
+import runSnykCommand from '../lib/run-snyk-command.js';
+
+const SNYK_ENDPOINT = 'https://api.eu.snyk.io';
+
+try {
+	const { CIRCLE_BRANCH, SNYK_TOKEN } = process.env;
+
+	const { values } = parseArgs( {
+		options: {
+			organization: {
+				type: 'string'
+			}
+		},
+		strict: true
+	} );
+
+	if ( !values.organization ) {
+		throw new Error( 'Missing required argument: --organization' );
+	}
+
+	if ( !SNYK_TOKEN ) {
+		throw new Error( 'Missing environment variable: SNYK_TOKEN' );
+	}
+
+	if ( !CIRCLE_BRANCH ) {
+		throw new Error( 'Missing environment variable: CIRCLE_BRANCH' );
+	}
+
+	await runSnykCommand( [ 'config', 'set', `endpoint=${ SNYK_ENDPOINT }` ] );
+	await runSnykCommand( [ 'config', 'set', `org=${ values.organization }` ] );
+
+	await runSnykCommand(
+		[
+			'code',
+			'test',
+			'--report',
+			'--project-name=Code analysis',
+			`--target-reference=${ CIRCLE_BRANCH }`
+		],
+
+		/**
+		 * Snyk CLI returns exit code 1 when vulnerabilities are found. Since we want to publish
+		 * the snapshot even if there are some vulnerabilities, we need to allow exit code 1.
+		 */
+		[ 0, 1 ]
+	);
+
+	await runSnykCommand(
+		[
+			'monitor',
+			'--all-projects',
+			'--detection-depth=2',
+			`--target-reference=${ CIRCLE_BRANCH }`
+		],
+
+		/**
+		 * Unlike `snyk code test --report`, `snyk monitor` reports a successful snapshot upload
+		 * only with exit code 0. Any other exit code means the dependency snapshot was not created.
+		 */
+		[ 0 ]
+	);
+} catch ( error ) {
+	console.error( error );
+	process.exitCode = 1;
+}

package/lib/run-snyk-command.js

@@ -0,0 +1,34 @@
+/**
+ * @license Copyright (c) 2003-2026, CKSource Holding sp. z o.o. All rights reserved.
+ * For licensing, see LICENSE.md.
+ */
+
+import { spawn } from 'node:child_process';
+
+/**
+ * Runs the Snyk CLI through `pnpm exec` and resolves only for explicitly allowed exit codes.
+ * This lets callers tolerate Snyk's non-zero "findings present" codes when a snapshot should still be published.
+ *
+ * @param {Array<string>} snykArguments CLI arguments passed to `snyk`.
+ * @param {Array<number>} [allowedExitCodes=[ 0 ]] Exit codes treated as successful.
+ * @returns {Promise<void>}
+ */
+export default function runSnykCommand( snykArguments, allowedExitCodes = [ 0 ] ) {
+	return new Promise( ( resolve, reject ) => {
+		const childProcess = spawn( 'pnpm', [ '--silent', 'exec', 'snyk', ...snykArguments ], {
+			cwd: process.cwd(),
+			stdio: 'inherit'
+		} );
+
+		childProcess.on( 'error', reject );
+		childProcess.on( 'close', exitCode => {
+			if ( allowedExitCodes.includes( exitCode ) ) {
+				resolve();
+
+				return;
+			}
+
+			reject( new Error( `Snyk command failed with exit code ${ exitCode }.` ) );
+		} );
+	} );
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ckeditor/ckeditor5-dev-ci",
-  "version": "54.5.0",
+  "version": "54.6.0",
   "description": "Utils used on various Continuous Integration services.",
   "keywords": [],
   "author": "CKSource (http://cksource.com/)",
@@ -23,16 +23,18 @@
     "lib"
   ],
   "bin": {
-    "ckeditor5-dev-ci-notify-circle-status": "bin/notify-circle-status.js",
+    "ckeditor5-dev-ci-circle-enable-auto-cancel-builds": "bin/circle-enable-auto-cancel-builds.js",
+    "ckeditor5-dev-ci-circle-disable-auto-cancel-builds": "bin/circle-disable-auto-cancel-builds.js",
     "ckeditor5-dev-ci-circle-workflow-notifier": "bin/circle-workflow-notifier.js",
     "ckeditor5-dev-ci-is-job-triggered-by-member": "bin/is-job-triggered-by-member.js",
     "ckeditor5-dev-ci-is-workflow-restarted": "bin/is-workflow-restarted.js",
+    "ckeditor5-dev-ci-notify-circle-status": "bin/notify-circle-status.js",
     "ckeditor5-dev-ci-trigger-circle-build": "bin/trigger-circle-build.js",
-    "ckeditor5-dev-ci-circle-disable-auto-cancel-builds": "bin/circle-disable-auto-cancel-builds.js",
-    "ckeditor5-dev-ci-circle-enable-auto-cancel-builds": "bin/circle-enable-auto-cancel-builds.js"
+    "ckeditor5-dev-ci-trigger-snyk-scan": "bin/trigger-snyk-scan.js"
   },
   "dependencies": {
     "@octokit/rest": "^22.0.0",
-    "slack-notify": "^2.0.6"
+    "slack-notify": "^2.0.6",
+    "snyk": "^1.1303.1"
   }
 }