[StepSecurity] ci: Harden GitHub Actions #8
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
pull_request: | |
paths: | |
- 'ee/vulnerability-dashboard/**' | |
- '.github/workflows/test-vulnerability-dashboard-changes.yml' | |
# This allows a subsequently queued workflow run to interrupt previous runs | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} | |
cancel-in-progress: true | |
jobs: | |
build: | |
permissions: | |
contents: read | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node-version: [16.x] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
# Set the Node.js version | |
- name: Use Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 | |
with: | |
node-version: ${{ matrix.node-version }} | |
# Now start building! | |
# > …but first, get a little crazy for a sec and delete the top-level package.json file | |
# > i.e. the one used by the Fleet server. This is because require() in node will go | |
# > hunting in ancestral directories for missing dependencies, and since some of the | |
# > bundled transpiler tasks sniff for package availability using require(), this trips | |
# > up when it encounters another Node universe in the parent directory. | |
- run: rm -rf package.json package-lock.json node_modules/ | |
# > Turns out there's a similar issue with how eslint plugins are looked up, so we | |
# > delete the top level .eslintrc file too. | |
- run: rm -f .eslintrc.js | |
# Get dependencies (including dev deps) | |
- run: cd ee/vulnerability-dashboard/ && npm install | |
# Run sanity checks | |
- run: cd ee/vulnerability-dashboard/ && npm test | |
# Compile assets | |
- run: cd ee/vulnerability-dashboard/ && npm run build-for-prod |