Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Harden workflows #787

Merged
merged 1 commit into from
Sep 3, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions .github/workflows/audit-signatures.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Audit Signatures

on:
push:
branches:
- master
pull_request:
workflow_dispatch:

permissions:
contents: read

jobs:
audit:
name: Verify Signatures and Provenance Statements
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
tuf-repo-cdn.sigstore.dev:443

- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Setup Node.js environment
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: lts/*

- name: Install latest npm
run: npm install -g npm@latest

- name: Install dependencies
run: npm ci

- name: Run audit
run: npm audit signatures
22 changes: 20 additions & 2 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,24 +4,42 @@ name: Build and Test
on:
push:
branches:
- "**"
- master
pull_request:
workflow_dispatch:

permissions:
contents: read

env:
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

jobs:
build:
name: Build and test (Node ${{ matrix.node.name }})
runs-on: ubuntu-latest
if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
strategy:
matrix:
node:
- { name: Current, version: current }
- { name: LTS, version: lts/* }
- { name: Previous LTS, version: lts/-1 }
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443

- name: Build and test
uses: myrotvorets/composite-actions/build-test-nodejs@master
with:
Expand Down
15 changes: 12 additions & 3 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,9 @@ on:
pull_request:
branches:
- master
paths:
- "lib/**.ts"
- ".github/workflows/codeql-analysis.yml"
schedule:
- cron: '24 2 * * 6'
workflow_dispatch:

permissions:
contents: read
Expand All @@ -30,6 +28,17 @@ jobs:
contents: read
security-events: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
uploads.github.com:443
objects.githubusercontent.com:443

- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Expand Down
64 changes: 64 additions & 0 deletions .github/workflows/lint.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: Linting

on:
push:
branches:
- master
pull_request:
workflow_dispatch:

permissions:
contents: read

env:
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

jobs:
lint:
name: ESLint Check
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443

- name: Run code style check
uses: myrotvorets/composite-actions/node-run-script@master
with:
script: lint

typecheck:
name: TypeScript Check
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443

- name: Run type check
uses: myrotvorets/composite-actions/node-run-script@master
with:
script: typecheck
29 changes: 29 additions & 0 deletions .github/workflows/npm-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,22 @@ jobs:
prepare:
name: Prepare source code
runs-on: ubuntu-latest
permissions:
contents: read
if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes'
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443

- name: Prepare source
uses: myrotvorets/composite-actions/node-prepublish@master

Expand All @@ -49,6 +63,21 @@ jobs:
secret: GITHUB_TOKEN
registry_url: https://npm.pkg.github.com/
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
fulcio.sigstore.dev:443
registry.npmjs.org:443
rekor.sigstore.dev:443
npm.pkg.github.com:443

- name: Publish package
uses: myrotvorets/composite-actions/node-publish@master
with:
Expand Down
46 changes: 2 additions & 44 deletions .github/workflows/package-audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,51 +25,9 @@ jobs:
allowed-endpoints:
api.github.com:443
github.com:443
npm.pkg.github.com:443
pkg-npm.githubusercontent.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443

- name: Audit with NPM
uses: myrotvorets/composite-actions/node-package-audit@master

provenance:
name: Verify signatures and provenance statements
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
allowed-endpoints:
api.github.com:443
github.com:443
npm.pkg.github.com:443
pkg-npm.githubusercontent.com:443
registry.npmjs.org:443
tuf-repo-cdn.sigstore.dev:443

- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Setup Node.js environment
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: lts/*
registry-url: https://npm.pkg.github.com
cache: npm

- name: Install dependencies
run: npm ci --ignore-scripts
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Update npm
run: npm i -g npm

- name: Run audit
run: npm audit signatures
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
29 changes: 29 additions & 0 deletions .github/workflows/push-tag.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,31 @@ on:
permissions:
contents: read

env:
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

jobs:
build:
name: Build and test
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443

- name: Build and test
uses: myrotvorets/composite-actions/build-test-nodejs@master

Expand All @@ -23,6 +43,15 @@ jobs:
permissions:
contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443

- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Expand Down
24 changes: 20 additions & 4 deletions .github/workflows/sonarscan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,17 +13,33 @@ permissions:
contents: read

env:
SONARSCANNER: "true"
SONARSCANNER: 'true'

jobs:
build:
name: SonarCloud Scan
runs-on: ubuntu-latest
if: |
github.event_name == 'workflow_dispatch' ||
github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' ||
github.event_name == 'push' && !contains(github.event.head_commit.message, '[ci skip]')
github.event_name != 'pull_request' ||
github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
npm.pkg.github.com:443
objects.githubusercontent.com:443
registry.npmjs.org:443
api.sonarcloud.io:443
analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
scanner.sonarcloud.io:443
sonarcloud.io:443

- name: Run SonarCloud analysis
uses: myrotvorets/composite-actions/node-sonarscan@master
with:
Expand Down