diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index a1d6ef7a..935adc71 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -10,17 +10,25 @@ jobs:
 dependency-review:
 runs-on: ubuntu-latest
 name: Review Dependencies
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
+ disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ api.deps.dev:443
 api.github.com:443
+ api.scorecards.dev:443
 github.com:443
 - name: Check out the source code
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Review dependencies
 uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5
+ with:
+ comment-summary-in-pr: true
diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
index 1a3a30ed..b558455f 100644
--- a/.github/workflows/package-audit.yml
+++ b/.github/workflows/package-audit.yml
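Review bot: The checkout pin in dependency-review.yml goes backwards, from actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 (v4.1.2) to actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 (v4.1.1), in a hunk whose other lines only tighten the job; unless the downgrade is deliberate, keep `uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2` here and, if the aim is one pin across workflows, raise package-audit.yml to that newer pin instead. The new `permissions` block grants exactly what `comment-summary-in-pr: true` needs (`pull-requests: write` plus `contents: read`), which is the right scope for this job. Because `egress-policy: block` is in force, the two added hosts (api.deps.dev, api.scorecards.dev) are load-bearing and any endpoint a future action bump adds will fail closed, so a short comment above `allowed-endpoints` naming which feature needs them, e.g. `# api.deps.dev / api.scorecards.dev: presumably the action's scorecard lookup - confirm on each bump`, would help the next maintainer revisit the list when the pin changes.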
@@ -18,5 +18,54 @@ jobs:
 name: NPM Audit
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ allowed-endpoints:
+ api.github.com:443
+ github.com:443
+ registry.npmjs.org:443
+
 - name: Audit with NPM
 uses: myrotvorets/composite-actions/node-package-audit@master
+
+ provenance:
+ name: Verify signatures and provenance statements
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: read
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ allowed-endpoints:
+ api.github.com:443
+ github.com:443
+ registry.npmjs.org:443
+ tuf-repo-cdn.sigstore.dev:443
+
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Setup Node.js environment
+ uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ with:
+ node-version: lts/*
+ registry-url: https://npm.pkg.github.com
+ cache: npm
+
+ - name: Install dependencies
+ run: npm ci --ignore-scripts
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Update npm
+ run: npm i -g npm
+
+ - name: Run audit
+ run: npm audit signatures
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/package-lock.json b/package-lock.json
index 455fcc92..1ca82160 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12,7 +12,7 @@
 "@myrotvorets/eslint-config-myrotvorets-ts": "^2.24.0",
 "@types/chai": "^4.3.11",
 "@types/mocha": "^10.0.6",
- "@types/node": ">= 20.11.16",
+ "@types/node": "^20.11.16",
 "c8": "^9.1.0",
 "chai": "^5.0.3",
 "eslint-formatter-gha": "^1.4.3",
diff --git a/package.json b/package.json
index a04b41c6..e29f3da0 100644
--- a/package.json
+++ b/package.json
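Review bot: Both new Harden Runner steps in package-audit.yml (the one added to the NPM Audit job and the one in the new provenance job) set `allowed-endpoints` without `egress-policy: block`; harden-runner defaults to audit mode, so as written these allow-lists are logged but not enforced, unlike dependency-review.yml in this same commit, which sets `egress-policy: block` under `with:` - add that line to both steps so the lists actually restrict egress. Once enforced, check the provenance job's list against what the job really contacts: `registry-url` points setup-node at https://npm.pkg.github.com, yet `npm.pkg.github.com:443` is not in the list, so `npm ci` or `npm audit signatures` may fail closed if any package resolves through that registry (whether one does depends on the lockfile, which this hunk does not show). The `Update npm` step runs `npm i -g npm` with no version, so the tool that performs the signature audit is whatever npm is latest at run time; pinning it, `run: npm i -g npm@<pinned version>`, keeps the audit step reproducible and reviewable.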
@@ -28,7 +28,7 @@
 "@myrotvorets/eslint-config-myrotvorets-ts": "^2.24.0",
 "@types/chai": "^4.3.11",
 "@types/mocha": "^10.0.6",
- "@types/node": ">= 20.11.16",
+ "@types/node": "^20.11.16",
 "c8": "^9.1.0",
 "chai": "^5.0.3",
 "eslint-formatter-gha": "^1.4.3",