Update workflows

.github/workflows/codeql-analysis.yml

@@ -7,9 +7,6 @@ on:
   pull_request:
     branches:
       - master
-    paths:
-      - "lib/**.ts"
-      - ".github/workflows/codeql-analysis.yml"
   schedule:
     - cron: '24 2 * * 6'
 

.github/workflows/dependency-review.yml

@@ -10,17 +10,25 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     name: Review Dependencies
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
+          disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            api.deps.dev:443
             api.github.com:443
+            api.scorecards.dev:443
             github.com:443
 
       - name: Check out the source code
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Review dependencies
         uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5
+        with:
+          comment-summary-in-pr: true

.github/workflows/package-audit.yml

@@ -18,5 +18,53 @@ jobs:
     name: NPM Audit
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          allowed-endpoints:
+            api.github.com:443
+            github.com:443
+            registry.npmjs.org:443
+
       - name: Audit with NPM
         uses: myrotvorets/composite-actions/node-package-audit@master
+
+  provenance:
+    name: Verify signatures and provenance statements
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          allowed-endpoints:
+            api.github.com:443
+            github.com:443
+            registry.npmjs.org:443
+            tuf-repo-cdn.sigstore.dev:443
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Setup Node.js environment
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: lts/*
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci --ignore-scripts
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update npm
+        run: npm i -g npm
+
+      - name: Run audit
+        run: npm audit signatures
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package.json

@@ -28,7 +28,7 @@
     "@myrotvorets/eslint-config-myrotvorets-ts": "^2.24.0",
     "@types/chai": "^4.3.11",
     "@types/mocha": "^10.0.6",
-    "@types/node": ">= 20.11.16",
+    "@types/node": "^20.11.16",
     "c8": "^9.1.0",
     "chai": "^5.0.3",
     "eslint-formatter-gha": "^1.4.3",