Harden workflows

.github/workflows/audit-signatures.yml

@@ -0,0 +1,47 @@
+name: Audit Signatures
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  audit:
+    name: Verify Signatures and Provenance Statements
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+            tuf-repo-cdn.sigstore.dev:443
+
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Setup Node.js environment
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        with:
+          node-version: lts/*
+
+      - name: Install latest npm
+        run: npm install -g npm@latest
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run audit
+        run: npm audit signatures

.github/workflows/build.yml

@@ -4,7 +4,8 @@ name: Build and Test
 on:
   push:
     branches:
-      - "**"
+      - master
+  pull_request:
   workflow_dispatch:
 
 permissions:
@@ -14,15 +15,26 @@ jobs:
   build:
     name: Build and test (Node ${{ matrix.node.name }})
     runs-on: ubuntu-latest
-    if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
     strategy:
       matrix:
         node:
           - { name: Current,      version: current }
           - { name: LTS,          version: lts/* }
           - { name: Previous LTS, version: lts/-1 }
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+
       - name: Build and test
-        uses: myrotvorets/composite-actions/build-test-nodejs@master
+        uses: myrotvorets/composite-actions/build-test-nodejs@931ae3fec4810f7d263d28f6cf12159080b76208
         with:
           node-version: ${{ matrix.node.version }}

.github/workflows/codeql-analysis.yml

@@ -7,11 +7,9 @@ on:
   pull_request:
     branches:
       - master
-    paths:
-      - "lib/**.ts"
-      - ".github/workflows/codeql-analysis.yml"
   schedule:
     - cron: '24 2 * * 6'
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -30,14 +28,27 @@ jobs:
       contents: read
       security-events: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            uploads.github.com:443
+            objects.githubusercontent.com:443
+
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
         with:
           languages: ${{ matrix.language }}
-          config-file: ./.github/codeql-config.yml
+          queries: +security-and-quality
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/lint.yml

@@ -0,0 +1,64 @@
+name: Linting
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  NPM_CONFIG_FUND: '0'
+  NPM_CONFIG_AUDIT: '0'
+  SUPPRESS_SUPPORT: '1'
+  NO_UPDATE_NOTIFIER: 'true'
+
+jobs:
+  lint:
+    name: ESLint Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+
+      - name: Run code style check
+        uses: myrotvorets/composite-actions/node-run-script@931ae3fec4810f7d263d28f6cf12159080b76208
+        with:
+          script: lint
+
+  typecheck:
+    name: TypeScript Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+
+      - name: Run type check
+        uses: myrotvorets/composite-actions/node-run-script@931ae3fec4810f7d263d28f6cf12159080b76208
+        with:
+          script: typecheck

.github/workflows/package-audit.yml

@@ -18,5 +18,16 @@ jobs:
     name: NPM Audit
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          allowed-endpoints:
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+
       - name: Audit with NPM
-        uses: myrotvorets/composite-actions/node-package-audit@master
+        uses: myrotvorets/composite-actions/node-package-audit@931ae3fec4810f7d263d28f6cf12159080b76208

.github/workflows/publish.yml

@@ -0,0 +1,76 @@
+name: Publish Package
+
+on:
+  release:
+    types:
+      - released
+  workflow_dispatch:
+    inputs:
+      gpr:
+        default: "yes"
+        description: Publish to GPR?
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  prepare:
+    name: Prepare source code
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    if: github.event_name == 'release' || github.event.inputs.gpr == 'yes'
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+
+      - name: Prepare source
+        uses: myrotvorets/composite-actions/node-prepublish@931ae3fec4810f7d263d28f6cf12159080b76208
+
+  publish:
+    name: Publish package (${{ matrix.registry }})
+    runs-on: ubuntu-latest
+    needs: prepare
+    permissions:
+      contents: read
+      packages: write
+      statuses: write
+      id-token: write
+    strategy:
+      matrix:
+        registry:
+          - gpr
+        include:
+          - registry: gpr
+            secret: GITHUB_TOKEN
+            registry_url: https://npm.pkg.github.com/
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            fulcio.sigstore.dev:443
+            rekor.sigstore.dev:443
+            npm.pkg.github.com:443
+
+      - name: Publish package
+        uses: myrotvorets/composite-actions/node-publish@931ae3fec4810f7d263d28f6cf12159080b76208
+        with:
+          node-auth-token: ${{ secrets[matrix.secret] }}
+          registry-url: ${{ matrix.registry_url }}
+        if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'

.github/workflows/push-tag.yml

@@ -12,9 +12,23 @@ jobs:
   build:
     name: Build and test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+
       - name: Build and test
-        uses: myrotvorets/composite-actions/build-test-nodejs@master
+        uses: myrotvorets/composite-actions/build-test-nodejs@931ae3fec4810f7d263d28f6cf12159080b76208
 
   release:
     name: Prepare the release
@@ -23,6 +37,15 @@ jobs:
     permissions:
       contents: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7