package-audit.yml

name: Package Audit

on:
  push:
    branches:
      - '**'
    paths:
      - package.json
      - package-lock.json
      - .github/workflows/package-audit.yml
  workflow_dispatch:

permissions:
  contents: read

jobs:
  audit-npm:
    name: NPM Audit
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          allowed-endpoints:
            api.github.com:443
            github.com:443
            npm.pkg.github.com:443
            pkg-npm.githubusercontent.com:443
            registry.npmjs.org:443

      - name: Audit with NPM
        uses: myrotvorets/composite-actions/node-package-audit@master

  provenance:
    name: Verify signatures and provenance statements
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          allowed-endpoints:
            api.github.com:443
            github.com:443
            npm.pkg.github.com:443
            pkg-npm.githubusercontent.com:443
            registry.npmjs.org:443
            tuf-repo-cdn.sigstore.dev:443

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup Node.js environment
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          node-version: lts/*
          registry-url: https://npm.pkg.github.com
          cache: npm

      - name: Install dependencies
        run: npm ci --ignore-scripts
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Update npm
        run: npm i -g npm

      - name: Run audit
        run: npm audit signatures
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}