From b3d3abde74de54791617121b43ca782674fda7ce Mon Sep 17 00:00:00 2001
From: Myrotvorets
Date: Sat, 7 Sep 2024 12:49:18 +0300
Subject: [PATCH] Harden workflows
---
 .github/workflows/audit-signatures.yml | 47 ++++++++++++++++
 .github/workflows/build.yml | 18 +++++-
 .github/workflows/codeql-analysis.yml | 19 +++++--
 .github/workflows/lint.yml | 64 ++++++++++++++++++++++
 .github/workflows/npm-publish.yml | 48 ----------------
 .github/workflows/package-audit.yml | 13 ++++-
 .github/workflows/publish.yml | 76 ++++++++++++++++++++++++++
 .github/workflows/push-tag.yml | 25 ++++++++-
 .github/workflows/sonarscan.yml | 35 ++++++++++--
 package.json | 7 ++-
 10 files changed, 287 insertions(+), 65 deletions(-)
 create mode 100644 .github/workflows/audit-signatures.yml
 create mode 100644 .github/workflows/lint.yml
 delete mode 100644 .github/workflows/npm-publish.yml
 create mode 100644 .github/workflows/publish.yml
diff --git a/.github/workflows/audit-signatures.yml b/.github/workflows/audit-signatures.yml
new file mode 100644
index 00000000..606f322f
--- /dev/null
+++ b/.github/workflows/audit-signatures.yml
@@ -0,0 +1,47 @@
+name: Audit Signatures
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ audit:
+ name: Verify Signatures and Provenance Statements
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+ tuf-repo-cdn.sigstore.dev:443
+
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Setup Node.js environment
+ uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+ with:
+ node-version: lts/*
+
+ - name: Install latest npm
+ run: npm install -g npm@latest
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Run audit
+ run: npm audit signatures
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8dfbbccb..dcbc3a1b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,7 +4,8 @@ name: Build and Test
 on:
 push:
 branches:
- - "**"
+ - master
+ pull_request:
 workflow_dispatch:

 permissions:
@@ -14,7 +15,6 @@ jobs:
 build:
 name: Build and test (Node ${{ matrix.node.name }})
 runs-on: ubuntu-latest
- if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
 strategy:
 matrix:
 node:
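Review bot: The Harden Runner step in this hunk sets `allowed-endpoints` without `egress-policy`, so the action stays in its default audit mode and the list is only logged, not enforced; every other Harden Runner step in this patch except the one in the package-audit.yml hunk adds `egress-policy: block`, and both of these should get it: `egress-policy: block` under `with:` beside `disable-sudo: true`. The `Install latest npm` step then fetches an unpinned `npm@latest` immediately before that npm is used to verify the registry's signatures and provenance, which undercuts the SHA pinning applied to every action in this file; pin the npm version, or drop the step if the npm bundled with the `lts/*` toolchain already supports `npm audit signatures`.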
@@ -22,7 +22,19 @@ jobs:
 - { name: LTS, version: lts/* }
 - { name: Previous LTS, version: lts/-1 }
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+
 - name: Build and test
- uses: myrotvorets/composite-actions/build-test-nodejs@master
+ uses: myrotvorets/composite-actions/build-test-nodejs@931ae3fec4810f7d263d28f6cf12159080b76208
 with:
 node-version: ${{ matrix.node.version }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d20640cf..659315c0 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -7,11 +7,9 @@ on:
 pull_request:
 branches:
 - master
- paths:
- - "lib/**.ts"
- - ".github/workflows/codeql-analysis.yml"
 schedule:
 - cron: '24 2 * * 6'
+ workflow_dispatch:

 permissions:
 contents: read
@@ -30,6 +28,17 @@ jobs:
 contents: read
 security-events: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ uploads.github.com:443
+ objects.githubusercontent.com:443
+
 - name: Checkout repository
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

@@ -37,7 +46,9 @@ jobs:
 uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
 with:
 languages: ${{ matrix.language }}
- config-file: ./.github/codeql-config.yml
+ queries: +security-and-quality

 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+ with:
+ category: "/language:${{ matrix.language }}"
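Review bot: The composite-action pin on the new `uses:` line carries no trailing version comment, while the third-party actions in this patch all annotate their SHA (`# v2.9.1`, `# v4.1.7`); without it a reader cannot tell what `931ae3fec4810f7d263d28f6cf12159080b76208` corresponds to or whether the pin has gone stale. Write `uses: myrotvorets/composite-actions/build-test-nodejs@931ae3fec4810f7d263d28f6cf12159080b76208 # <tag or branch at this commit>`. The same applies to the composite-action pins in the lint.yml, package-audit.yml, publish.yml, push-tag.yml and sonarscan.yml hunks. The `build` job begins above this hunk.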
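Review bot: Dropping `config-file: ./.github/codeql-config.yml` from the init step leaves that file unreferenced but still in the tree, since it does not appear in the diffstat; either delete it in this patch, or keep the reference if it carried settings (for example `paths-ignore`) that `queries: +security-and-quality` does not replace — its contents are not visible from here. The added `category: "/language:${{ matrix.language }}"` on the analyze step is the right shape for a per-language matrix and needs no change. The `analyze` job begins above this hunk.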
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 00000000..10a17308
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,64 @@
+name: Linting
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+env:
+ NPM_CONFIG_FUND: '0'
+ NPM_CONFIG_AUDIT: '0'
+ SUPPRESS_SUPPORT: '1'
+ NO_UPDATE_NOTIFIER: 'true'
+
+jobs:
+ lint:
+ name: ESLint Check
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+
+ - name: Run code style check
+ uses: myrotvorets/composite-actions/node-run-script@931ae3fec4810f7d263d28f6cf12159080b76208
+ with:
+ script: lint
+
+ typecheck:
+ name: TypeScript Check
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+
+ - name: Run type check
+ uses: myrotvorets/composite-actions/node-run-script@931ae3fec4810f7d263d28f6cf12159080b76208
+ with:
+ script: typecheck
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
deleted file mode 100644
index c0bbfb08..00000000
--- a/.github/workflows/npm-publish.yml
+++ /dev/null
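Review bot: The `lint` and `typecheck` jobs are identical apart from their `name` and the `script` input, so the Harden Runner block (action pin, `disable-sudo`, `egress-policy`, five endpoints) is duplicated and the two copies will drift the next time one is edited. A single job with a two-entry matrix keeps one Harden Runner step and still surfaces two separately named checks; `fail-fast: false` preserves the current behaviour where one check failing does not cancel the other.
```yaml
jobs:
  check:
    name: ${{ matrix.name }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - { name: ESLint Check, script: lint }
          - { name: TypeScript Check, script: typecheck }
    steps:
      # … unchanged: Harden Runner step …
      - name: Run ${{ matrix.script }} check
        uses: myrotvorets/composite-actions/node-run-script@931ae3fec4810f7d263d28f6cf12159080b76208
        with:
          script: ${{ matrix.script }}
```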
@@ -1,48 +0,0 @@
-name: Publish Package
-
-on:
- release:
- types:
- - released
- workflow_dispatch:
- inputs:
- gpr:
- default: "yes"
- description: Publish to GPR?
- required: true
-
-permissions:
- contents: read
-
-jobs:
- prepare:
- name: Prepare source code
- runs-on: ubuntu-latest
- if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes'
- steps:
- - name: Prepare source
- uses: myrotvorets/composite-actions/node-prepublish@master
-
- publish:
- name: Publish package (${{ matrix.registry }})
- runs-on: ubuntu-latest
- needs: prepare
- permissions:
- contents: read
- packages: write
- statuses: write
- strategy:
- matrix:
- registry:
- - gpr
- include:
- - registry: gpr
- secret: GITHUB_TOKEN
- registry_url: https://npm.pkg.github.com/
- steps:
- - name: Publish package
- uses: myrotvorets/composite-actions/node-publish@master
- with:
- node-auth-token: ${{ secrets[matrix.secret] }}
- registry-url: ${{ matrix.registry_url }}
- if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
index 1a3a30ed..2576ef7c 100644
--- a/.github/workflows/package-audit.yml
+++ b/.github/workflows/package-audit.yml
@@ -18,5 +18,16 @@ jobs:
 name: NPM Audit
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ allowed-endpoints:
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+
 - name: Audit with NPM
- uses: myrotvorets/composite-actions/node-package-audit@master
+ uses: myrotvorets/composite-actions/node-package-audit@931ae3fec4810f7d263d28f6cf12159080b76208
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..9499f42e
--- /dev/null
+++ b/.github/workflows/publish.yml
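Review bot: `allowed-endpoints:` in the new Harden Runner step of the package-audit.yml hunk is written without the `>` folded indicator that every other Harden Runner step in this patch uses; YAML still folds the indented lines into one plain scalar here, but only because none of the hostnames contains `: ` or ` #`, so the list works by the luck of its values. Use `allowed-endpoints: >` for consistency and so that a later entry containing a reserved character does not turn the step's input into a parse error. The `audit` job begins above this hunk.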
@@ -0,0 +1,76 @@
+name: Publish Package
+
+on:
+ release:
+ types:
+ - released
+ workflow_dispatch:
+ inputs:
+ gpr:
+ default: "yes"
+ description: Publish to GPR?
+ required: true
+
+permissions:
+ contents: read
+
+jobs:
+ prepare:
+ name: Prepare source code
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ if: github.event_name == 'release' || github.event.inputs.gpr == 'yes'
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+
+ - name: Prepare source
+ uses: myrotvorets/composite-actions/node-prepublish@931ae3fec4810f7d263d28f6cf12159080b76208
+
+ publish:
+ name: Publish package (${{ matrix.registry }})
+ runs-on: ubuntu-latest
+ needs: prepare
+ permissions:
+ contents: read
+ packages: write
+ statuses: write
+ id-token: write
+ strategy:
+ matrix:
+ registry:
+ - gpr
+ include:
+ - registry: gpr
+ secret: GITHUB_TOKEN
+ registry_url: https://npm.pkg.github.com/
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ fulcio.sigstore.dev:443
+ rekor.sigstore.dev:443
+ npm.pkg.github.com:443
+
+ - name: Publish package
+ uses: myrotvorets/composite-actions/node-publish@931ae3fec4810f7d263d28f6cf12159080b76208
+ with:
+ node-auth-token: ${{ secrets[matrix.secret] }}
+ registry-url: ${{ matrix.registry_url }}
+ if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml
index f81a5f9b..ebef4d23 100644
--- a/.github/workflows/push-tag.yml
+++ b/.github/workflows/push-tag.yml
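Review bot: The `publish` job grants `id-token: write` and opens `fulcio.sigstore.dev:443` and `rekor.sigstore.dev:443`, which only pays off if the `node-publish` composite action actually publishes with provenance and the target registry `https://npm.pkg.github.com/` accepts attestations; the action's body is not visible here, so confirm both, and if either does not hold drop the grant and the two endpoints to keep the job token least-privilege. `statuses: write` likewise has no visible consumer in this job; keep it only if the composite action sets commit statuses, otherwise remove it. The `gpr` dispatch input is a free-form string compared against `'yes'` in both `if:` conditions; declaring it `type: boolean` would make the condition harder to get wrong, at the cost of switching the comparisons to the `inputs` context.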
@@ -12,9 +12,23 @@ jobs:
 build:
 name: Build and test
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+
 - name: Build and test
- uses: myrotvorets/composite-actions/build-test-nodejs@master
+ uses: myrotvorets/composite-actions/build-test-nodejs@931ae3fec4810f7d263d28f6cf12159080b76208

 release:
 name: Prepare the release
@@ -23,6 +37,15 @@ jobs:
 permissions:
 contents: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+
 - name: Checkout
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

diff --git a/.github/workflows/sonarscan.yml b/.github/workflows/sonarscan.yml
index 639b6c2c..1cf46e17 100644
--- a/.github/workflows/sonarscan.yml
+++ b/.github/workflows/sonarscan.yml
@@ -16,13 +16,36 @@ jobs:
 build:
 name: SonarCloud Scan
 runs-on: ubuntu-latest
- if: |
- github.event_name == 'workflow_dispatch' ||
- github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' ||
- github.event_name == 'push' && !contains(github.event.head_commit.message, '[ci skip]')
+ permissions:
+ contents: read
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ npm.pkg.github.com:443
+ objects.githubusercontent.com:443
+ pipelinesghubeus23.actions.githubusercontent.com:443
+ pkg-npm.githubusercontent.com:443
+ registry.npmjs.org:443
+ api.sonarcloud.io:443
+ analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
+ sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
+ scanner.sonarcloud.io:443
+ sonarcloud.io:443
+
+ - name: Check out the source code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ fetch-depth: 0
+
 - name: Run SonarCloud analysis
- uses: myrotvorets/composite-actions/node-sonarscan@master
+ uses: myrotvorets/composite-actions/node-sonarscan@931ae3fec4810f7d263d28f6cf12159080b76208
 with:
 sonar-token: ${{ secrets.SONAR_TOKEN }}
- test-script: 'test:coverage'
+ test-script: 'test:sonarqube'
diff --git a/package.json b/package.json
index cf35bc0e..f9ae7ec6 100644
--- a/package.json
+++ b/package.json
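Review bot: The new `if:` drops the `github.event.sender.login != 'dependabot[bot]'` exclusion, so Dependabot pull requests now run this job; a `pull_request` run triggered by Dependabot only receives Dependabot secrets, so `${{ secrets.SONAR_TOKEN }}` on the last step will be empty and the scan will fail unless `SONAR_TOKEN` is also registered as a Dependabot secret. Keep the exclusion: `if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.actor != 'dependabot[bot]')`. Separately, `pipelinesghubeus23.actions.githubusercontent.com:443` looks like an instance-specific Actions backend host that may differ between runners; if it was captured from a single audit run, expect blocked egress on other runners and consider a wildcard on that domain if the action's endpoint syntax permits it. The `build` job begins above this hunk.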
@@ -8,9 +8,12 @@
 "build": "tsc",
 "lint": "eslint -f gha .",
 "lint:fix": "eslint --fix .",
- "prepare": "npm run build",
+ "prepack": "npm run build",
+ "typecheck": "tsc --noEmit",
 "test": "node --import=./loader.mjs test-runner.mjs",
- "test:coverage": "c8 npm test"
+ "test:coverage": "c8 npm test",
+ "pretest:sonarqube": "npm run lint",
+ "test:sonarqube": "c8 npm test"
 },
 "files": [
 "dist/lib/index.d.mts",
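Review bot: `test:sonarqube` repeats the body of `test:coverage` (`c8 npm test`) verbatim, so the two will drift apart the next time coverage flags change; `"test:sonarqube": "npm run test:coverage"` keeps a single definition and the `pretest:sonarqube` hook still runs first. Renaming `prepare` to `prepack` also means `npm ci` and `npm install` no longer build `dist/`, which suits the new workflows that only install and audit, but leaves a fresh clone without build output until `npm pack`; confirm nothing in the repo reads `dist/` after install (the `test` script runs `test-runner.mjs` through `./loader.mjs`, so it probably does not). The `scripts` object begins above this hunk.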