Skip to content

Commit

Permalink
Harden workflows
Browse files Browse the repository at this point in the history
  • Loading branch information
myrotvorets-team committed Sep 3, 2024
1 parent 4a091f0 commit df2050a
Show file tree
Hide file tree
Showing 8 changed files with 213 additions and 65 deletions.
47 changes: 47 additions & 0 deletions .github/workflows/audit-signatures.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Audit Signatures

on:
push:
branches:
- master
pull_request:
workflow_dispatch:

permissions:
contents: read

jobs:
audit:
name: Verify Signatures and Provenance Statements
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
tuf-repo-cdn.sigstore.dev:443
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Setup Node.js environment
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: lts/*

- name: Install latest npm
run: npm install -g npm@latest

- name: Install dependencies
run: npm ci

- name: Run audit
run: npm audit signatures
42 changes: 20 additions & 22 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,45 +4,43 @@ name: Build and Test
on:
push:
branches:
- "**"
- master
pull_request:
workflow_dispatch:

permissions:
contents: read

env:
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

jobs:
build:
name: Build and test (Node ${{ matrix.node.name }})
runs-on: ubuntu-latest
if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
strategy:
matrix:
node:
- { name: Current, version: current }
- { name: LTS, version: lts/* }
- { name: Previous LTS, version: lts/-1 }
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Build and test
uses: myrotvorets/composite-actions/build-test-nodejs@master
with:
node-version: ${{ matrix.node.version }}

lint:
name: Check Code Style
runs-on: ubuntu-latest
if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
steps:
- name: Run code style check
uses: myrotvorets/composite-actions/node-run-script@master
with:
script: lint

typecheck:
name: Check Types
runs-on: ubuntu-latest
if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
steps:
- name: Run type check
uses: myrotvorets/composite-actions/node-run-script@master
with:
script: typecheck
12 changes: 12 additions & 0 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ on:
- master
schedule:
- cron: '24 2 * * 6'
workflow_dispatch:

permissions:
contents: read
Expand All @@ -27,6 +28,17 @@ jobs:
contents: read
security-events: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
uploads.github.com:443
objects.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Expand Down
64 changes: 64 additions & 0 deletions .github/workflows/lint.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: Linting

on:
push:
branches:
- master
pull_request:
workflow_dispatch:

permissions:
contents: read

env:
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

jobs:
lint:
name: ESLint Check
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Run code style check
uses: myrotvorets/composite-actions/node-run-script@master
with:
script: lint

typecheck:
name: TypeScript Check
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Run type check
uses: myrotvorets/composite-actions/node-run-script@master
with:
script: typecheck
20 changes: 20 additions & 0 deletions .github/workflows/npm-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,22 @@ jobs:
prepare:
name: Prepare source code
runs-on: ubuntu-latest
permissions:
contents: read
if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes'
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Prepare source
uses: myrotvorets/composite-actions/node-prepublish@master

Expand All @@ -49,6 +63,12 @@ jobs:
secret: GITHUB_TOKEN
registry_url: https://npm.pkg.github.com/
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: audit

- name: Publish package
uses: myrotvorets/composite-actions/node-publish@master
with:
Expand Down
41 changes: 2 additions & 39 deletions .github/workflows/package-audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,46 +25,9 @@ jobs:
allowed-endpoints:
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443

- name: Audit with NPM
uses: myrotvorets/composite-actions/node-package-audit@master

provenance:
name: Verify signatures and provenance statements
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
allowed-endpoints:
api.github.com:443
github.com:443
registry.npmjs.org:443
tuf-repo-cdn.sigstore.dev:443

- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Setup Node.js environment
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: lts/*
cache: npm

- name: Install dependencies
run: npm ci --ignore-scripts
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Update npm
run: npm i -g npm

- name: Run audit
run: npm audit signatures
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
29 changes: 29 additions & 0 deletions .github/workflows/push-tag.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,31 @@ on:
permissions:
contents: read

env:
NPM_CONFIG_FUND: '0'
NPM_CONFIG_AUDIT: '0'
SUPPRESS_SUPPORT: '1'
NO_UPDATE_NOTIFIER: 'true'

jobs:
build:
name: Build and test
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- name: Build and test
uses: myrotvorets/composite-actions/build-test-nodejs@master

Expand All @@ -23,6 +43,15 @@ jobs:
permissions:
contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Expand Down
23 changes: 19 additions & 4 deletions .github/workflows/sonarscan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,13 +17,28 @@ jobs:
name: SonarCloud Scan
runs-on: ubuntu-latest
if: |
github.event_name == 'workflow_dispatch' ||
github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' ||
github.event_name == 'push' && !contains(github.event.head_commit.message, '[ci skip]')
github.event_name != 'pull_request' ||
github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
npm.pkg.github.com:443
objects.githubusercontent.com:443
registry.npmjs.org:443
api.sonarcloud.io:443
analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
scanner.sonarcloud.io:443
sonarcloud.io:443
- name: Run SonarCloud analysis
uses: myrotvorets/composite-actions/node-sonarscan@master
with:
sonar-token: ${{ secrets.SONAR_TOKEN }}
test-script: 'test:sonarqube'

0 comments on commit df2050a

Please sign in to comment.