Skip to content

Commit

Permalink
Merge pull request #785 from myrotvorets/harden-workflows
Browse files Browse the repository at this point in the history
Harden workflows
  • Loading branch information
myrotvorets-team authored Sep 7, 2024
2 parents a36be44 + b3d3abd commit 0a4b41f
Show file tree
Hide file tree
Showing 10 changed files with 287 additions and 65 deletions.
47 changes: 47 additions & 0 deletions .github/workflows/audit-signatures.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Audit Signatures

on:
push:
branches:
- master
pull_request:
workflow_dispatch:

permissions:
contents: read

jobs:
audit:
name: Verify Signatures and Provenance Statements
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
tuf-repo-cdn.sigstore.dev:443
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Setup Node.js environment
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: lts/*

- name: Install latest npm
run: npm install -g npm@latest

- name: Install dependencies
run: npm ci

- name: Run audit
run: npm audit signatures
18 changes: 15 additions & 3 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,8 @@ name: Build and Test
on:
push:
branches:
- "**"
- master
pull_request:
workflow_dispatch:

permissions:
Expand All @@ -14,15 +15,26 @@ jobs:
build:
name: Build and test (Node ${{ matrix.node.name }})
runs-on: ubuntu-latest
if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
strategy:
matrix:
node:
- { name: Current, version: current }
- { name: LTS, version: lts/* }
- { name: Previous LTS, version: lts/-1 }
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Build and test
uses: myrotvorets/composite-actions/build-test-nodejs@master
uses: myrotvorets/composite-actions/build-test-nodejs@931ae3fec4810f7d263d28f6cf12159080b76208
with:
node-version: ${{ matrix.node.version }}
19 changes: 15 additions & 4 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,9 @@ on:
pull_request:
branches:
- master
paths:
- "lib/**.ts"
- ".github/workflows/codeql-analysis.yml"
schedule:
- cron: '24 2 * * 6'
workflow_dispatch:

permissions:
contents: read
Expand All @@ -30,14 +28,27 @@ jobs:
contents: read
security-events: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
uploads.github.com:443
objects.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Initialize CodeQL
uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql-config.yml
queries: +security-and-quality

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
with:
category: "/language:${{ matrix.language }}"
64 changes: 64 additions & 0 deletions .github/workflows/lint.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: Linting

on:
push:
branches:
- master
pull_request:
workflow_dispatch:

permissions:
contents: read

env:
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

jobs:
lint:
name: ESLint Check
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Run code style check
uses: myrotvorets/composite-actions/node-run-script@931ae3fec4810f7d263d28f6cf12159080b76208
with:
script: lint

typecheck:
name: TypeScript Check
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Run type check
uses: myrotvorets/composite-actions/node-run-script@931ae3fec4810f7d263d28f6cf12159080b76208
with:
script: typecheck
48 changes: 0 additions & 48 deletions .github/workflows/npm-publish.yml

This file was deleted.

13 changes: 12 additions & 1 deletion .github/workflows/package-audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,5 +18,16 @@ jobs:
name: NPM Audit
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
allowed-endpoints:
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443

- name: Audit with NPM
uses: myrotvorets/composite-actions/node-package-audit@master
uses: myrotvorets/composite-actions/node-package-audit@931ae3fec4810f7d263d28f6cf12159080b76208
76 changes: 76 additions & 0 deletions .github/workflows/publish.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
name: Publish Package

on:
release:
types:
- released
workflow_dispatch:
inputs:
gpr:
default: "yes"
description: Publish to GPR?
required: true

permissions:
contents: read

jobs:
prepare:
name: Prepare source code
runs-on: ubuntu-latest
permissions:
contents: read
if: github.event_name == 'release' || github.event.inputs.gpr == 'yes'
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Prepare source
uses: myrotvorets/composite-actions/node-prepublish@931ae3fec4810f7d263d28f6cf12159080b76208

publish:
name: Publish package (${{ matrix.registry }})
runs-on: ubuntu-latest
needs: prepare
permissions:
contents: read
packages: write
statuses: write
id-token: write
strategy:
matrix:
registry:
- gpr
include:
- registry: gpr
secret: GITHUB_TOKEN
registry_url: https://npm.pkg.github.com/
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
fulcio.sigstore.dev:443
rekor.sigstore.dev:443
npm.pkg.github.com:443
- name: Publish package
uses: myrotvorets/composite-actions/node-publish@931ae3fec4810f7d263d28f6cf12159080b76208
with:
node-auth-token: ${{ secrets[matrix.secret] }}
registry-url: ${{ matrix.registry_url }}
if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
25 changes: 24 additions & 1 deletion .github/workflows/push-tag.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,23 @@ jobs:
build:
name: Build and test
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Build and test
uses: myrotvorets/composite-actions/build-test-nodejs@master
uses: myrotvorets/composite-actions/build-test-nodejs@931ae3fec4810f7d263d28f6cf12159080b76208

release:
name: Prepare the release
Expand All @@ -23,6 +37,15 @@ jobs:
permissions:
contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Expand Down
Loading

0 comments on commit 0a4b41f

Please sign in to comment.