diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index edf2316..009b610 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,17 +6,24 @@ on:
 - '**'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 build:
+ name: 'Build and Test (Node: ${{ matrix.node.name }})'
 runs-on: ubuntu-latest
- if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
+ permissions:
+ contents: read
 strategy:
 matrix:
 node:
- - '14'
- - '16'
- - '18'
- name: Build and Test (Node ${{ matrix.node }})
+ - name: LTS
+ version: lts/*
+ - name: Previous LTS
+ version: lts/-1
+ - name: Current
+ version: node
 steps:
 - name: Check out the code
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
@@ -24,13 +31,17 @@ jobs:
 - name: Set up Node.js environment
 uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
 with:
- node-version: ${{ matrix.node }}
+ node-version: ${{ matrix.node.version }}
 cache: npm
 
 - name: Install dependencies
 run: npm ci --ignore-scripts
 env:
 NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NPM_CONFIG_FUND: '0'
+ NPM_CONFIG_AUDIT: '0'
+ SUPPRESS_SUPPORT: '1'
+ NO_UPDATE_NOTIFIER: 'true'
 
 - name: Run postinstall scripts
 run: npm rebuild && npm run prepare --if-present
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 95691a3..b09a51d 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,6 +10,9 @@ on:
 schedule:
 - cron: "35 21 * * 6"
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..7dde4b3
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
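Review bot: The new matrix entries `lts/*`, `lts/-1` and `node` are setup-node aliases resolved at run time, so the set of Node versions under test moves with every Node release and a red build can come from a new runtime rather than from this repository; a comment above `node:` should record that, e.g. `# setup-node aliases (current LTS, previous LTS, latest release); resolved at run time, so coverage drifts as Node releases`. The `permissions: contents: read` block under `build` repeats the workflow-level block added a few lines up; harmless, but one of the two is redundant unless other jobs with different grants are planned. The `build` job continues past the end of this hunk.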
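Review bot: The four new `env` entries under `Install dependencies` carry no explanation, and `NPM_CONFIG_AUDIT: '0'` in particular changes what `npm ci` does: it suppresses the advisory check `npm ci` would otherwise run, so vulnerability reporting for this repository now rests on the separate Package Audit workflow added in the same commit. A comment above `NPM_CONFIG_FUND` such as `# silence npm funding/audit/update-notifier output in CI; advisories are checked by package-audit.yml` would record that dependency between the two workflows. `SUPPRESS_SUPPORT` is not an npm setting; presumably a dependency's install script reads it, and naming that package in the comment would tell the next maintainer when the variable can be dropped.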
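Review bot: A workflow-level `permissions: contents: read` also caps the `GITHUB_TOKEN` of the `analyze` job, so unless that job declares its own block including `security-events: write` (and `actions: read` on a private repository) the CodeQL results upload will be refused; the job body lies outside this hunk, so I cannot confirm whether it already does. If it does not, the fix is a job-level `permissions:` block carrying those scopes alongside `contents: read`, mirroring what the commit did for the `build` job in `build.yml`.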
@@ -0,0 +1,34 @@
+name: Dependency Review
+
+on:
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ name: Review Dependencies
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.deps.dev:443
+ api.github.com:443
+ api.securityscorecards.dev:443
+ github.com:443
+
+ - name: Check out the source code
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+ - name: Review dependencies
+ uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
+ with:
+ comment-summary-in-pr: true
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 74af536..120da2c 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -11,10 +11,15 @@ on:
 description: Publish to NPM?
 required: true
 
+permissions:
+ contents: read
+
 jobs:
 prepare:
 name: Prepare the source code
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes'
 steps:
 - name: Checkout source
diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
new file mode 100644
index 0000000..ae60793
--- /dev/null
+++ b/.github/workflows/package-audit.yml
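Review bot: `pull-requests: write` together with `comment-summary-in-pr: true` only works for pull requests opened from branches of this repository; on the `pull_request` event from a fork the token is reduced to read-only, so the summary comment cannot be posted there and the review must be relied on through the check result alone. As far as I recall, recent versions of dependency-review-action document this input as `always` / `never` / `on-failure` rather than a boolean, so it is worth confirming against the v4.3.3 README that `true` still maps to `always`. The step also runs with the action's default severity threshold and no license policy; a comment above `with:` stating that the defaults are intentional would spare the next reader a lookup.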
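Review bot: The workflow-level `permissions: contents: read` now applies to every job in this file, not only `prepare`, so any publishing job further down that pushes to GitHub Packages or requests npm provenance needs its own job-level block with the matching write scopes (`packages: write`, `id-token: write`); those jobs are outside this hunk, so I cannot tell whether the commit covers them, and a missing block would surface only as a failed publish. The job-level `contents: read` on `prepare` duplicates the workflow default and is harmless; if it is meant as documentation, a comment such as `# explicit: this job only reads the repository` makes that intent clear.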
@@ -0,0 +1,39 @@
+name: Package Audit
+
+on:
+ push:
+ paths:
+ - package.json
+ - package-lock.json
+ - .github/workflows/package-audit.yml
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ audit-npm:
+ name: NPM Audit
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ disable-sudo: true
+ allowed-endpoints:
+ api.github.com:443
+ github.com:443
+ registry.npmjs.org:443
+
+ - name: Checkout
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+ - name: Setup Node.js environment
+ uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ with:
+ node-version: lts/*
+
+ - name: Run audit
+ run: npm audit --production
diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml
index f2a84b2..905356e 100644
--- a/.github/workflows/push-tag.yml
+++ b/.github/workflows/push-tag.yml
@@ -5,10 +5,15 @@ on:
 tags:
 - "*"
 
+permissions:
+ contents: read
+
 jobs:
 build:
- name: Build
+ name: Build and test
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Check out the code
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
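Review bot: `allowed-endpoints` under the Harden Runner step does not restrict anything here, because `egress-policy` is left at its default of `audit`, which only logs connections; the sibling `dependency-review.yml` added in the same commit sets `egress-policy: block`, and this workflow should do the same, i.e. add `egress-policy: block` above `allowed-endpoints:` if the audit job really needs only the three hosts listed. Relatedly, the endpoint list is written as an unquoted multi-line plain scalar, which YAML folds into one space-separated string, whereas `dependency-review.yml` uses `>`; using `>` in both files keeps the intent visible and stops a reader from mistaking the block for a mapping. `npm audit --production` relies on the `production` flag, which newer npm releases mark as deprecated in favour of `--omit=dev`; worth checking against the npm bundled with whatever `lts/*` resolves to.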
@@ -27,33 +32,22 @@ jobs:
 - name: Run postinstall scripts
 run: npm rebuild && npm run prepare --if-present
 
+ - name: Run tests
+ run: npm test
+
 release:
- permissions:
- contents: read
 name: Prepare the release
 runs-on: ubuntu-latest
 needs: build
-
+ permissions:
+ contents: write
 steps:
 - name: Checkout
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
- - name: Fetch tags
- run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
-
- - name: Get release description
- id: release_params
- run: |
- SUBJECT="$(git for-each-ref "${{ github.ref }}" --format="%(contents:subject)")"
- BODY="$(git for-each-ref "${{ github.ref }}" --format="%(contents:body)")"
- echo "::set-output name=subject::${SUBJECT}"
- echo "::set-output name=body::${BODY}"
-
 - name: Create a release
- uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
+ uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
+ with:
+ generate_release_notes: true
 env:
 GITHUB_TOKEN: ${{ secrets.REPOSITORY_ACCESS_TOKEN }}
- with:
- tag_name: ${{ github.ref }}
- release_name: ${{ steps.release_params.subject }}
- body: ${{ steps.release_params.body }}
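Review bot: The `release` job now requests `contents: write` for its `GITHUB_TOKEN`, yet the `Create a release` step still authenticates with `secrets.REPOSITORY_ACCESS_TOKEN`, a stored long-lived credential, so the new grant is unused by that step and the job keeps depending on a token whose scope is not visible from the workflow. If the separate token is deliberate — a release created with `GITHUB_TOKEN` does not fire the `release` event that `npm-publish.yml` in this same commit keys on — a comment above `env:` such as `# PAT rather than GITHUB_TOKEN so that the created release triggers npm-publish.yml` should say so; otherwise `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` together with the `contents: write` grant just added is the least-privilege option and lets the stored secret be retired. Either way, the job-level `permissions:` block deserves a one-line comment stating which step actually needs write access.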