diff --git a/.github/workflows/audit-signatures.yml b/.github/workflows/audit-signatures.yml new file mode 100644 index 0000000..606f322 --- /dev/null +++ b/.github/workflows/audit-signatures.yml @@ -0,0 +1,47 @@ +name: Audit Signatures + +on: + push: + branches: + - master + pull_request: + workflow_dispatch: + +permissions: + contents: read + +jobs: + audit: + name: Verify Signatures and Provenance Statements + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + tuf-repo-cdn.sigstore.dev:443 + + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Setup Node.js environment + uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + with: + node-version: lts/* + + - name: Install latest npm + run: npm install -g npm@latest + + - name: Install dependencies + run: npm ci + + - name: Run audit + run: npm audit signatures diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8dfbbcc..961f8d8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -4,17 +4,23 @@ name: Build and Test on: push: branches: - - "**" + - master + pull_request: workflow_dispatch: permissions: contents: read +env: + NPM_CONFIG_FUND: '0' + NPM_CONFIG_AUDIT: '0' + SUPPRESS_SUPPORT: '1' + NO_UPDATE_NOTIFIER: 'true' + jobs: build: name: Build and test (Node ${{ matrix.node.name }}) runs-on: ubuntu-latest - if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }} strategy: matrix: node: @@ -22,6 +28,18 @@ jobs: - { name: LTS, version: lts/* } - { name: Previous LTS, version: lts/-1 } steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + - name: Build and test uses: myrotvorets/composite-actions/build-test-nodejs@master with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d20640c..e2458f4 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -7,11 +7,9 @@ on: pull_request: branches: - master - paths: - - "lib/**.ts" - - ".github/workflows/codeql-analysis.yml" schedule: - cron: '24 2 * * 6' + workflow_dispatch: permissions: contents: read @@ -30,6 +28,17 @@ jobs: contents: read security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..067cc67 --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,64 @@ +name: Linting + +on: + push: + branches: + - master + pull_request: + workflow_dispatch: + +permissions: + contents: read + +env: + NPM_CONFIG_FUND: '0' + NPM_CONFIG_AUDIT: '0' + SUPPRESS_SUPPORT: '1' + NO_UPDATE_NOTIFIER: 'true' + +jobs: + lint: + name: ESLint Check + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + + - name: Run code style check + uses: myrotvorets/composite-actions/node-run-script@master + with: + script: lint + + typecheck: + name: TypeScript Check + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + + - name: Run type check + uses: myrotvorets/composite-actions/node-run-script@master + with: + script: typecheck diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 2ae21d4..370cda8 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -22,8 +22,22 @@ jobs: prepare: name: Prepare source code runs-on: ubuntu-latest + permissions: + contents: read if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes' steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + - name: Prepare source uses: myrotvorets/composite-actions/node-prepublish@master @@ -49,6 +63,21 @@ jobs: secret: GITHUB_TOKEN registry_url: https://npm.pkg.github.com/ steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + fulcio.sigstore.dev:443 + registry.npmjs.org:443 + rekor.sigstore.dev:443 + npm.pkg.github.com:443 + - name: Publish package uses: myrotvorets/composite-actions/node-publish@master with: diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml index 7a8b9e1..50ce012 100644 --- a/.github/workflows/package-audit.yml +++ b/.github/workflows/package-audit.yml @@ -25,51 +25,9 @@ jobs: allowed-endpoints: api.github.com:443 github.com:443 - npm.pkg.github.com:443 - pkg-npm.githubusercontent.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 registry.npmjs.org:443 - name: Audit with NPM uses: myrotvorets/composite-actions/node-package-audit@master - - provenance: - name: Verify signatures and provenance statements - runs-on: ubuntu-latest - permissions: - contents: read - packages: read - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-sudo: true - allowed-endpoints: - api.github.com:443 - github.com:443 - npm.pkg.github.com:443 - pkg-npm.githubusercontent.com:443 - registry.npmjs.org:443 - tuf-repo-cdn.sigstore.dev:443 - - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Setup Node.js environment - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 - with: - node-version: lts/* - registry-url: https://npm.pkg.github.com - cache: npm - - - name: Install dependencies - run: npm ci --ignore-scripts - env: - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Update npm - run: npm i -g npm - - - name: Run audit - run: npm audit signatures - env: - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml index b9c98ec..8fb6927 100644 --- a/.github/workflows/push-tag.yml +++ b/.github/workflows/push-tag.yml @@ -8,11 +8,31 @@ on: permissions: contents: read +env: + NPM_CONFIG_FUND: '0' + NPM_CONFIG_AUDIT: '0' + SUPPRESS_SUPPORT: '1' + NO_UPDATE_NOTIFIER: 'true' + jobs: build: name: Build and test runs-on: ubuntu-latest + permissions: + contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + - name: Build and test uses: myrotvorets/composite-actions/build-test-nodejs@master @@ -23,6 +43,15 @@ jobs: permissions: contents: write steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/sonarscan.yml b/.github/workflows/sonarscan.yml index f96c4ec..3b8b4f1 100644 --- a/.github/workflows/sonarscan.yml +++ b/.github/workflows/sonarscan.yml @@ -13,17 +13,33 @@ permissions: contents: read env: - SONARSCANNER: "true" + SONARSCANNER: 'true' jobs: build: name: SonarCloud Scan runs-on: ubuntu-latest if: | - github.event_name == 'workflow_dispatch' || - github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' || - github.event_name == 'push' && !contains(github.event.head_commit.message, '[ci skip]') + github.event_name != 'pull_request' || + github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + npm.pkg.github.com:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 + api.sonarcloud.io:443 + analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443 + sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443 + scanner.sonarcloud.io:443 + sonarcloud.io:443 + - name: Run SonarCloud analysis uses: myrotvorets/composite-actions/node-sonarscan@master with: