diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9b2192a..051a119 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -2,9 +2,11 @@ name: "CodeQL" on: push: - branches: [ "master" ] + branches: + - master pull_request: - branches: [ "master" ] + branches: + - master schedule: - cron: "30 4 * * 0" @@ -16,26 +18,25 @@ jobs: actions: read contents: read security-events: write - strategy: fail-fast: false matrix: - language: [ javascript ] - + language: + - javascript steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Initialize CodeQL - uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3 + uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: languages: ${{ matrix.language }} queries: +security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3 + uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3 + uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..935adc7 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
@@ -0,0 +1,34 @@ +name: Dependency Review + +on: + pull_request: + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + name: Review Dependencies + permissions: + contents: read + pull-requests: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.scorecards.dev:443 + github.com:443 + + - name: Check out the source code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Review dependencies + uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5 + with: + comment-summary-in-pr: true diff --git a/.github/workflows/dispatch.yml b/.github/workflows/dispatch.yml index 59424d0..4cf6689 100644 --- a/.github/workflows/dispatch.yml +++ b/.github/workflows/dispatch.yml @@ -2,13 +2,14 @@ name: Dispatch Handler on: repository_dispatch: - type: + types: - ci jobs: dispatcher: runs-on: ubuntu-latest - + permissions: + contents: read steps: - name: Payload params run: | diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml new file mode 100644 index 0000000..14dba7f --- /dev/null +++ b/.github/workflows/package-audit.yml 
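Review bot: `comment-summary-in-pr: true` depends on the job's `pull-requests: write`, but on a `pull_request` run opened from a fork the GITHUB_TOKEN is read-only regardless of what the job declares, so the comment post will presumably fail with 403 on exactly the PRs where an external dependency change most needs the summary; decide whether a missing comment should fail the review, and if not, treat that step's result accordingly. Note also that the v4 README documents this input as `always` / `on-failure` / `never`; `true` is the legacy boolean spelling and appears to still be accepted, but `comment-summary-in-pr: always` is the current form. The `egress-policy: block` allow-list is tight, which is good — if `fail-on-severity` or `deny-licenses` are added later, check whether they need any further endpoint before widening it.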
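Review bot: The `Payload params` step's `run: |` body is cut off at the end of the hunk, but a `repository_dispatch` handler whose job is to read `client_payload` is the classic script-injection spot: any `${{ github.event.client_payload.x }}` written inside `run:` is expanded into the shell text before execution, and `client_payload` is controlled by whoever can call the dispatch API on this repo. If the script does that, route the values through `env:` instead, e.g. `PAYLOAD: ${{ toJSON(github.event.client_payload) }}` and read `"$PAYLOAD"` with `jq` in the script body. The new `permissions: contents: read` shrinks the blast radius of such an injection but does not prevent it; I can't confirm the script's shape from here, so please check the lines following `run: |`.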
@@ -0,0 +1,60 @@ +name: Package Audit + +on: + push: + branches: + - '**' + paths: + - package.json + - package-lock.json + - .github/workflows/package-audit.yml + workflow_dispatch: + +permissions: + contents: read + +jobs: + audit-npm: + name: NPM Audit + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Setup Node.js environment + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version: lts/* + + - name: Run audit + run: npm audit --omit=dev + + provenance: + name: Verify signatures and provenance statements + runs-on: ubuntu-latest + permissions: + contents: read + packages: read + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Setup Node.js environment + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version: lts/* + registry-url: https://npm.pkg.github.com + cache: npm + + - name: Install dependencies + run: npm ci --ignore-scripts + env: + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Update npm + run: npm i -g npm + + - name: Run audit + run: npm audit signatures + env: + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 56c5898..22fa8d7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,11 +7,15 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + jobs: build: name: Build runs-on: ubuntu-latest - if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }} + permissions: + contents: read steps: - name: Check out the source code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 
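Review bot: The `Update npm` step in the `provenance` job runs `npm i -g npm` unpinned, so the job whose purpose is to verify registry signatures and provenance first replaces its own verification tool with whatever `npm@latest` resolves to at run time, with no version pin, integrity or signature check — a hijacked npm release would verify itself. Either drop the step (`npm audit signatures` has shipped in npm since roughly 8.15, and `lts/*` Node comes with a newer npm than that) or pin it, `run: npm i -g npm@<exact version>`; the same commit deletes `npm i -g npm@latest` from test.yml, so dropping it here also keeps the two workflows consistent. Separately, `registry-url: https://npm.pkg.github.com` without a `scope:` makes setup-node write that host as the default registry, so `npm ci` and the signature lookup are presumably routed through GitHub Packages for every package rather than registry.npmjs.org; if only this repo's own scoped packages live there, add `scope:` so the rest resolve from the public registry. Finally, `npm audit --omit=dev` in `audit-npm` fails the job on any advisory severity, including `low`; if that strictness is intended, a comment such as `# fails on any severity by design; add --audit-level to relax` would stop the next reader from weakening it by accident.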
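Review bot: With the `if:` on the `build` job removed, `[ci skip]` no longer suppresses the build, while the `test` job later in the file still honours the marker and additionally skips fork PRs and Dependabot; if the asymmetry is intentional it deserves a one-line comment on `build:`, e.g. `# always runs, including [ci skip] pushes and fork PRs`, otherwise re-add a gate using the same expression the test job uses so the two stay in step. The job-level `permissions: contents: read` duplicates the new workflow-level block — harmless, and explicit per-job grants are what Scorecard-style checks look for, but it is worth being deliberate about which level is the source of truth. The `build` job's remaining steps continue past the end of this hunk.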
@@ -22,9 +26,6 @@ jobs: node-version-file: 'package.json' cache: npm - - name: Update npm - run: npm i -g npm@latest - - name: Install dependencies run: npm ci @@ -34,11 +35,12 @@ jobs: test: name: Test runs-on: ubuntu-latest + permissions: + contents: read if: | github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' || github.event_name == 'push' && !contains(github.event.head_commit.message, '[ci skip]') - steps: - name: Check out the source code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1