Skip to content

ci(action): update step-security/harden-runner action to v2.10.2 #2828

ci(action): update step-security/harden-runner action to v2.10.2

ci(action): update step-security/harden-runner action to v2.10.2 #2828

Workflow file for this run

name: Test
on:
push:
# ignore branches where the release workflow runs as it already calls this one
branches-ignore:
- main
- next
- dev
pull_request:
branches:
- main
- next
- dev
workflow_call:
secrets:
SONAR_TOKEN:
required: true
permissions:
contents: read
jobs:
# ignore the push event trigger if a PR is open for the current branch
prevent-duplicate-checks:
runs-on: ubuntu-latest
steps:
- uses: insurgent-lab/is-in-pr-action@129df59687402c4a9c81a9a9e88d7448cdbba541 # v0.2.0
id: isInPR
outputs:
should-run: ${{ !(steps.isInPR.outputs.result == 'true' && github.event_name == 'push') }}
test_matrix:
strategy:
matrix:
node-version: [16, 18, 20]
runs-on: ubuntu-latest
timeout-minutes: 5
needs: prevent-duplicate-checks
if: ${{ needs.prevent-duplicate-checks.outputs.should-run == 'true' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
registry.npmjs.org:443
storage.googleapis.com:443
tuf-repo-cdn.sigstore.dev:443
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{ matrix.node-version }}
cache: npm
- name: Install packages
run: npm ci
- name: Audit npm signatures
run: npm audit signatures
- name: Check codestyle compliance
run: npm run lint
- name: Run tests
run: npm test
- name: Upload coverage report
if: strategy.job-index == 0
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: coverage-report
path: coverage/lcov.info
sonarcloud:
runs-on: ubuntu-latest
needs:
- prevent-duplicate-checks
- test_matrix
if: ${{ needs.prevent-duplicate-checks.outputs.should-run == 'true' }}
permissions:
pull-requests: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
*.amazonaws.com:443
github.com:443
sonarcloud.io:443
*.sonarcloud.io:443
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
- name: Download coverage report
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: coverage-report
path: coverage/
- name: Run SonarCloud scan
uses: SonarSource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# separate job to set as required status check in branch protection
required_check:
runs-on: ubuntu-latest
needs:
- test_matrix
- sonarcloud
if: always()
steps:
- name: All required jobs and matrix versions passed
if: ${{ !(contains(needs.*.result, 'failure')) }}
run: exit 0
- name: Some required jobs or matrix versions failed
if: ${{ contains(needs.*.result, 'failure') }}
run: exit 1