

Merge pull request #118 from sjinks/harden-ci
ci: harden workflows
sjinks authored Sep 1, 2024
2 parents 010594d + ff8971a commit 5faee93
Showing 7 changed files with 153 additions and 84 deletions.
54 changes: 34 additions & 20 deletions .github/workflows/build.yml
Expand Up @@ -9,13 +9,20 @@ on:
permissions:
contents: read

env:
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

jobs:
build:
name: 'Build and Test (Node: ${{ matrix.node.name }})'
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
node:
- name: LTS
Expand All @@ -25,6 +32,18 @@ jobs:
- name: Current
version: node
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Check out the code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Expand All @@ -35,16 +54,7 @@ jobs:
cache: npm

- name: Install dependencies
run: npm ci --ignore-scripts
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

- name: Run postinstall scripts
run: npm rebuild && npm run prepare --if-present
run: npm ci

- name: Run tests
run: npm test
Expand All @@ -55,6 +65,7 @@ jobs:
permissions:
contents: read
strategy:
fail-fast: false
matrix:
node:
- name: LTS
Expand All @@ -64,6 +75,18 @@ jobs:
- name: Current
version: node
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Check out the code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Expand All @@ -74,16 +97,7 @@ jobs:
cache: npm

- name: Install dependencies
run: npm ci --ignore-scripts
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

- name: Run postinstall scripts
run: npm rebuild && npm run prepare --if-present
run: npm ci

- name: Build
run: npm run build
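Review bot: The install step now executes dependency lifecycle scripts (`npm ci` without `--ignore-scripts`, in the last hunk of each job); the removed `npm rebuild` step ran those scripts as well, so this is not a regression, but the Harden Runner egress allow-list is now the only control on what a malicious postinstall can reach, and an allow-list that includes `github.com` and `api.github.com` does not by itself stop a script from pushing data to an attacker-controlled repository. Record the trade-off where it is made, e.g. `# lifecycle scripts run here; outbound access is limited to the Harden Runner allow-list above` directly above `run: npm ci`, so a future maintainer does not reintroduce `--ignore-scripts` (or widen the allow-list) without seeing why. The setup-node step that the `nodejs.org` and `objects.githubusercontent.com` entries presumably serve lies between the hunks and is not visible here.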
6 changes: 3 additions & 3 deletions .github/workflows/codeql.yml
Expand Up @@ -10,6 +10,9 @@ on:
schedule:
- cron: "23 8 * * 2"

permissions:
contents: read

jobs:
analyze:
name: Analyze
Expand Down Expand Up @@ -44,9 +47,6 @@ jobs:
languages: ${{ matrix.language }}
queries: +security-and-quality

- name: Autobuild
uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
with:
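Review bot: The new workflow-level `permissions: contents: read` in the first hunk replaces the default token grants for every job, so the `analyze` job must request `security-events: write` itself or the SARIF upload in `Perform CodeQL Analysis` will be rejected; the job's own `permissions` block lies between the two hunks and is not visible here, so please confirm it grants that (and `actions: read` if the repository is private). Dropping `Autobuild` is only safe while the `matrix.language` list contains interpreted languages; if a compiled language is ever added, `analyze` will run against no build. A one-line comment on the job, e.g. `# security-events: write is needed to upload SARIF results`, would make the dependency on the job-level grant explicit.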
40 changes: 30 additions & 10 deletions .github/workflows/lint.yml
Expand Up @@ -10,13 +10,31 @@ on:
permissions:
contents: read

env:
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

jobs:
eslint:
name: ESLint Check
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Check out the code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Expand All @@ -28,11 +46,6 @@ jobs:

- name: Install dependencies
run: npm ci --ignore-scripts
env:
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

- name: Run ESLint
run: npm run lint
Expand All @@ -43,6 +56,18 @@ jobs:
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Check out the code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Expand All @@ -54,11 +79,6 @@ jobs:

- name: Install dependencies
run: npm ci --ignore-scripts
env:
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

- name: Run tsc
run: npm run typecheck
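Review bot: Both jobs keep `npm ci --ignore-scripts`, which is the right choice for lint and typecheck, but nothing in the new `allowed-endpoints` lists records why each host is present: `nodejs.org` and `objects.githubusercontent.com` are presumably needed only by the Node download in the setup step (not shown in the hunk), and `registry.npmjs.org` by `npm ci`. Annotate the list so entries are neither dropped nor added blindly, e.g. `# nodejs.org, objects.githubusercontent.com: setup-node toolchain download` and `# registry.npmjs.org: npm ci`. The same Harden Runner block is now copied verbatim into every job across the workflows; a drifted copy is easy to miss, so a comment naming the canonical list (or a composite action) would reduce that risk.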
76 changes: 48 additions & 28 deletions .github/workflows/npm-publish.yml
Expand Up @@ -5,11 +5,6 @@ on:
types:
- released
workflow_dispatch:
inputs:
npm:
default: "yes"
description: Publish to NPM?
required: true

permissions:
contents: read
Expand All @@ -20,6 +15,18 @@ jobs:
runs-on: ubuntu-latest
if: github.event_name == 'release' || github.event.inputs.npm == 'yes'
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Checkout source
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
Expand All @@ -32,53 +39,66 @@ jobs:
cache: npm

- name: Install dependencies
run: npm ci --ignore-scripts
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Run postinstall scripts
run: npm rebuild && npm run prepare --if-present
run: npm ci

- name: Create tarball
run: npm pack

- name: Save tarball
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: package
path: "*.tgz"
retention-days: 1

publish:
permissions:
contents: none
id-token: write
name: Publish package
runs-on: ubuntu-latest
needs: prepare
strategy:
matrix:
registry:
- npm
include:
- registry: npm
secret: NPM_TOKEN
registry_url: https://registry.npmjs.org/
permissions:
contents: read
statuses: write
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
registry.npmjs.org:443
fulcio.sigstore.dev:443
rekor.sigstore.dev:443
- name: Set commit status to PENDING
uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
status: pending
context: Publish to npm
sha: ${{ github.sha }}

- name: Set up Node.js environment
if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
registry-url: ${{ matrix.registry_url }}
registry-url: https://registry.npmjs.org/

- name: Download tarball
if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: package

- name: Publish package
if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
run: npm publish *.tgz
env:
NODE_AUTH_TOKEN: ${{ secrets[matrix.secret] }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Set final commit status
uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
status: ${{ job.status }}
context: Publish to npm
sha: ${{ github.sha }}
if: always()
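Review bot: The `prepare` job's `if: github.event_name == 'release' || github.event.inputs.npm == 'yes'` (a context line in the second hunk) is now dead for manual runs: the first hunk removes the `workflow_dispatch` `npm` input, so `github.event.inputs.npm` is always empty and a manual dispatch skips `prepare` and, through `needs: prepare`, `publish` as well. Change it to `if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'`, or drop the condition if `release` and `workflow_dispatch` are the only triggers (the `on:` block starts above the hunk). The `publish` job's allow-list contains only `api.github.com`, `registry.npmjs.org` and the two sigstore hosts, so if `Download tarball` fails under `egress-policy: block` the artifact hosts are the endpoints to add; that cannot be verified from the page. The wider job permissions (`contents: read`, `statuses: write`, `id-token: write`) line up with the status steps and sigstore endpoints this hunk adds, but `NODE_AUTH_TOKEN` is still a long-lived `NPM_TOKEN`, so its scope in the registry should be kept to publish-only for this package.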
2 changes: 2 additions & 0 deletions .github/workflows/package-audit.yml
Expand Up @@ -15,6 +15,8 @@ jobs:
audit-npm:
name: NPM Audit
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
35 changes: 25 additions & 10 deletions .github/workflows/push-tag.yml
Expand Up @@ -11,8 +11,22 @@ permissions:
jobs:
build:
name: Build and test
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Check out the code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Expand All @@ -22,16 +36,8 @@ jobs:
node-version: lts/*
cache: npm

- name: Install dependencies
run: npm ci --ignore-scripts
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Run postinstall scripts
run: npm rebuild && npm run prepare --if-present

- name: Run tests
run: npm test
- name: Install dependencies and run tests
run: npm cit

release:
name: Prepare the release
Expand All @@ -40,6 +46,15 @@ jobs:
permissions:
contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

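Review bot: `run: npm cit` in the merged install-and-test step is an alias (`install-ci-test`) that many readers will not recognise, and it also drops the `--ignore-scripts` the removed step used, so dependency lifecycle scripts now run in a job whose result presumably gates the `release` job that holds `contents: write`. Spell the alias out and record the trade-off, e.g. `# install-ci-test = npm ci + npm test; lifecycle scripts run, egress limited by Harden Runner` above `run: npm install-ci-test`. The `release` job's steps continue past the last hunk, so whether its allow-list of only `api.github.com` and `github.com` covers everything it does (checkout is visible; any release-creation step is not) could not be checked here.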
