From 74d395e5baa7e7bee24eebbef0c8b15acb7c2b0e Mon Sep 17 00:00:00 2001
From: Myrotvorets
Date: Wed, 27 Mar 2024 00:53:56 +0200
Subject: [PATCH] Update package audit workflow
---
 .github/workflows/package-audit.yml | 31 +++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
index 14dba7f6..a54bde5f 100644
--- a/.github/workflows/package-audit.yml
+++ b/.github/workflows/package-audit.yml
@@ -18,16 +18,19 @@ jobs:
 name: NPM Audit
 runs-on: ubuntu-latest
 steps:
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - name: Setup Node.js environment
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
- node-version: lts/*
+ disable-sudo: true
+ allowed-endpoints:
+ api.github.com:443
+ github.com:443
+ npm.pkg.github.com:443
+ pkg-npm.githubusercontent.com:443
+ registry.npmjs.org:443
- - name: Run audit
- run: npm audit --omit=dev
+ - name: Audit with NPM
+ uses: myrotvorets/composite-actions/node-package-audit@master
 provenance:
 name: Verify signatures and provenance statements
@@ -36,6 +39,18 @@ jobs:
 contents: read
 packages: read
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ allowed-endpoints:
+ api.github.com:443
+ github.com:443
+ npm.pkg.github.com:443
+ pkg-npm.githubusercontent.com:443
+ registry.npmjs.org:443
+ tuf-repo-cdn.sigstore.dev:443
+
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
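Review bot: The `allowed-endpoints` list under the new Harden Runner step in the first hunk is not enforced as written, because harden-runner's `egress-policy` input defaults to `audit`, in which mode the list only drives a report; if the intent is to restrict outbound traffic to those hosts, add `egress-policy: block` alongside `disable-sudo: true` (the Harden Runner step in the second hunk has the same gap). Separately, `uses: myrotvorets/composite-actions/node-package-audit@master` is the only action reference in this file pinned to a mutable branch rather than a commit SHA with a version comment, so the audit step can change underneath this workflow without review; pin it like the others, e.g. `uses: myrotvorets/composite-actions/node-package-audit@<commit-sha> # <version>` (placeholder values). The `jobs:` mapping these steps belong to starts before and continues after this hunk.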