Update workflows

myrotvorets · Apr 26, 2024 · ba9ac4e · ba9ac4e
1 parent ac05638
commit ba9ac4e
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 77 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Build
 
 on:
@@ -6,10 +7,12 @@ on:
       - '**'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
-    if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
     strategy:
       matrix:
         node:
@@ -20,23 +23,15 @@ jobs:
           - name: Current
             version: current
     name: Build and test (Node ${{ matrix.node.name }})
+    permissions:
+      contents: read
     steps:
-      - name: Check out the code
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-
-      - name: Set up Node.js environment
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
-          node-version: ${{ matrix.node.version }}
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          egress-policy: audit
 
-      - name: Run postinstall scripts
-        run: npm rebuild && npm run prepare --if-present
-
-      - name: Build
-        run: npm run build
+      - name: Build and test
+        uses: myrotvorets/composite-actions/build-test-nodejs@2d91a1d71ced24aae94c7c700cfe99ee385570ec
+        with:
+          node-version: ${{ matrix.node }}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,33 @@
+name: Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    name: Review Dependencies
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.deps.dev:443
+            api.github.com:443
+            api.securityscorecards.dev:443
+            github.com:443
+
+      - name: Check out the source code
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+
+      - name: Review dependencies
+        uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5
+        with:
+          comment-summary-in-pr: true
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -15,9 +15,6 @@ on:
         description: Publish to GPR?
         required: true
 
-env:
-  NODE_VERSION: 14
-
 jobs:
   prepare:
     name: Prepare the source code
@@ -32,7 +29,7 @@ jobs:
       - name: Set up Node.js environment
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          node-version: ${{ env.NODE_VERSION }}
+          node-version: lts/*
           cache: npm
 
       - name: Install dependencies

diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
@@ -8,18 +8,20 @@ on:
       - .github/workflows/package-audit.yml
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   audit-npm:
     name: NPM Audit
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-
-      - name: Setup Node.js environment
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
-          node-version: lts/*
+          egress-policy: audit
 
-      - name: Run audit
-        run: npm audit --production
+      - name: Audit with NPM
+        uses: myrotvorets/composite-actions/node-package-audit@master
diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml
@@ -5,59 +5,28 @@ on:
     tags:
       - "*"
 
-env:
-  NODE_VERSION: 14
+permissions: read-all
 
 jobs:
-  build:
-    name: Build and test
+  prepare-release:
+    name: Prepeare Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
-      - name: Check out the code
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-
-      - name: Set up Node.js environment
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run postinstall scripts
-        run: npm rebuild && npm run prepare --if-present
-
-      - name: Build
-        run: npm run build
-
-  release:
-    name: Prepare the release
-    runs-on: ubuntu-latest
-    needs: build
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+          egress-policy: audit
 
-      - name: Fetch tags
-        run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
-
-      - name: Get release description
-        id: release_params
-        run: |
-          SUBJECT="$(git for-each-ref "${{ github.ref }}" --format="%(contents:subject)")"
-          BODY="$(git for-each-ref "${{ github.ref }}" --format="%(contents:body)")"
-          echo "::set-output name=subject::${SUBJECT}"
-          echo "::set-output name=body::${BODY}"
+      - name: Build and test
+        uses: myrotvorets/composite-actions/build-test-nodejs@2d91a1d71ced24aae94c7c700cfe99ee385570ec
+        with:
+          node-version: lts/*
 
       - name: Create a release
-        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # renovate: tag=v1.1.4
-        env:
-          GITHUB_TOKEN: ${{ secrets.REPOSITORY_ACCESS_TOKEN }}
+        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
+        if: startsWith(github.ref, 'refs/tags/')
         with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ steps.release_params.subject }}
-          body: ${{ steps.release_params.body }}
+          generate_release_notes: true
+          token: ${{ secrets.REPOSITORY_ACCESS_TOKEN }}