From 8e760b69065d5ab2b54317d194c0d0d27b2e1590 Mon Sep 17 00:00:00 2001
From: Myrotvorets
Date: Wed, 27 Mar 2024 00:53:56 +0200
Subject: [PATCH] Update package audit workflow

---
 .github/workflows/package-audit.yml | 31 ++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
index 14dba7f6..ac5b6010 100644
--- a/.github/workflows/package-audit.yml
+++ b/.github/workflows/package-audit.yml
@@ -18,16 +18,18 @@ jobs:
 name: NPM Audit
 runs-on: ubuntu-latest
 steps:
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
- - name: Setup Node.js environment
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
- node-version: lts/*
+ disable-sudo: true
+ allowed-endpoints:
+ api.github.com:443
+ github.com:443
+ npm.pkg.github.com:443
+ registry.npmjs.org:443
 
- - name: Run audit
- run: npm audit --omit=dev
+ - name: Audit with NPM
+ uses: myrotvorets/composite-actions/node-package-audit@master
 
 provenance:
 name: Verify signatures and provenance statements
@@ -36,6 +38,17 @@ jobs:
 contents: read
 packages: read
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ allowed-endpoints:
+ api.github.com:443
+ github.com:443
+ npm.pkg.github.com:443
+ registry.npmjs.org:443
+ tuf-repo-cdn.sigstore.dev:443
+
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -44,7 +57,7 @@ jobs:
 with:
 node-version: lts/*
 registry-url: https://npm.pkg.github.com
- cache: npm
+ # cache: npm
 
 - name: Install dependencies
 run: npm ci --ignore-scripts
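Review bot: The `allowed-endpoints` list added under `with:` in the NPM Audit job is not enforced as written, because harden-runner's `egress-policy` input defaults to `audit`, which only logs egress outside the list rather than refusing it; add `egress-policy: block` next to `disable-sudo: true` so unlisted destinations are actually denied. The new audit step is also the only unpinned reference in this workflow: `uses: myrotvorets/composite-actions/node-package-audit@master` follows a mutable branch while every other action in the hunk is pinned to a full commit SHA with a version comment, so a push to that branch changes what runs here with no change in this repository — pin it, e.g. `uses: myrotvorets/composite-actions/node-package-audit@<sha> # <tag>`. Note that the job no longer contains a checkout step, so the audit presumably depends on the composite action checking out the repository itself, which is worth confirming. The YAML indentation of this hunk is lost in this rendering, so the nesting of `disable-sudo`/`allowed-endpoints` under `with:` is inferred from the surrounding lines.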
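Review bot: The Harden Runner step added to the provenance job has the same enforcement gap: without `egress-policy: block` the `allowed-endpoints` list, including `tuf-repo-cdn.sigstore.dev:443`, is only audited, so an install script or compromised dependency can still reach any host during the run. Setting `egress-policy: block` here also serves as the real test of the list — if signature or provenance verification needs a host that is missing, the job fails loudly instead of passing silently in audit mode. A one-line comment above the list, e.g. `# tuf-repo-cdn.sigstore.dev serves the Sigstore TUF root used when verifying provenance`, would record why that host is allowed; the purpose is inferred from the job name rather than stated anywhere in the hunk. The checkout and setup steps that follow run past the end of this hunk.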
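Review bot: `# cache: npm` leaves a commented-out key in the setup-node `with:` block with no explanation of why dependency caching was turned off, so a later editor cannot tell whether it is safe to re-enable or was disabled deliberately. Either delete the line or keep it with a reason, e.g. `# cache: npm  # disabled: <reason>`; if the reason is the tightened egress allowlist (cache restore may need GitHub endpoints that are not in the list — worth confirming), say so explicitly so the two changes are understood together. The enclosing setup-node step begins outside this hunk.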