ci: update workflows

.github/workflows/build.yml

@@ -6,31 +6,42 @@ on:
       - '**'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    name: 'Build and Test (Node: ${{ matrix.node.name }})'
     runs-on: ubuntu-latest
-    if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         node:
-          - '14'
-          - '16'
-          - '18'
-    name: Build and Test (Node ${{ matrix.node }})
+          - name: LTS
+            version: lts/*
+          - name: Previous LTS
+            version: lts/-1
+          - name: Current
+            version: node
     steps:
       - name: Check out the code
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Set up Node.js environment
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          node-version: ${{ matrix.node }}
+          node-version: ${{ matrix.node.version }}
           cache: npm
 
       - name: Install dependencies
         run: npm ci --ignore-scripts
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_CONFIG_FUND: '0'
+          NPM_CONFIG_AUDIT: '0'
+          SUPPRESS_SUPPORT: '1'
+          NO_UPDATE_NOTIFIER: 'true'
 
       - name: Run postinstall scripts
         run: npm rebuild && npm run prepare --if-present

.github/workflows/codeql.yml

@@ -10,6 +10,9 @@ on:
   schedule:
     - cron: "35 21 * * 6"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/dependency-review.yml

@@ -0,0 +1,34 @@
+name: Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    name: Review Dependencies
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.deps.dev:443
+            api.github.com:443
+            api.securityscorecards.dev:443
+            github.com:443
+
+      - name: Check out the source code
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+      - name: Review dependencies
+        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
+        with:
+          comment-summary-in-pr: true

.github/workflows/npm-publish.yml

@@ -11,10 +11,15 @@ on:
         description: Publish to NPM?
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   prepare:
     name: Prepare the source code
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes'
     steps:
       - name: Checkout source

.github/workflows/package-audit.yml

@@ -0,0 +1,39 @@
+name: Package Audit
+
+on:
+  push:
+    paths:
+      - package.json
+      - package-lock.json
+      - .github/workflows/package-audit.yml
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  audit-npm:
+    name: NPM Audit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          allowed-endpoints:
+            api.github.com:443
+            github.com:443
+            registry.npmjs.org:443
+
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+      - name: Setup Node.js environment
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: lts/*
+
+      - name: Run audit
+        run: npm audit --production

.github/workflows/push-tag.yml

@@ -5,10 +5,15 @@ on:
     tags:
       - "*"
 
+permissions:
+  contents: read
+
 jobs:
   build:
-    name: Build
+    name: Build and test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Check out the code
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
@@ -27,33 +32,22 @@ jobs:
       - name: Run postinstall scripts
         run: npm rebuild && npm run prepare --if-present
 
+      - name: Run tests
+        run: npm test
+
   release:
-    permissions:
-      contents: read
     name: Prepare the release
     runs-on: ubuntu-latest
     needs: build
-
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
-      - name: Fetch tags
-        run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
-
-      - name: Get release description
-        id: release_params
-        run: |
-          SUBJECT="$(git for-each-ref "${{ github.ref }}" --format="%(contents:subject)")"
-          BODY="$(git for-each-ref "${{ github.ref }}" --format="%(contents:body)")"
-          echo "::set-output name=subject::${SUBJECT}"
-          echo "::set-output name=body::${BODY}"
-
       - name: Create a release
-        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
+        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
+        with:
+          generate_release_notes: true
         env:
           GITHUB_TOKEN: ${{ secrets.REPOSITORY_ACCESS_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ steps.release_params.subject }}
-          body: ${{ steps.release_params.body }}