From afb06098b6a1e1ee2858ec2bd9cc07c47bc91fb4 Mon Sep 17 00:00:00 2001
From: Mihail Mihov
Date: Tue, 29 Oct 2024 11:28:05 +0200
Subject: [PATCH] ci: Update per Q3 audit findings

Signed-off-by: Mihail Mihov
---
 .github/dependabot.yml | 6 ++++++
 .github/workflows/flow-pr-title-check.yaml | 5 +++++
 .github/workflows/flow-pull-request-checks.yaml | 15 +++++++++++++++
 .github/workflows/flow-semantic-release.yml | 9 +++++++++
 .github/workflows/publish-npm-package.yaml | 7 ++++++-
 5 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 26f786d5..5045d6e3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -29,3 +29,9 @@ updates:
 directory: /test/smoke
 schedule:
 interval: daily
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ open-pull-requests-limit: 10
\ No newline at end of file
diff --git a/.github/workflows/flow-pr-title-check.yaml b/.github/workflows/flow-pr-title-check.yaml
index 42945054..5508111e 100644
--- a/.github/workflows/flow-pr-title-check.yaml
+++ b/.github/workflows/flow-pr-title-check.yaml
@@ -42,6 +42,11 @@ jobs:
 name: Title Check
 runs-on: local-node-linux-medium
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Check PR Title
 uses: step-security/conventional-pr-title-action@0eae74515f5a79f8773fa04142dd746df76666ac # v1.0.0
 env:
diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml
index b89d9afa..96d0ad48 100644
--- a/.github/workflows/flow-pull-request-checks.yaml
+++ b/.github/workflows/flow-pull-request-checks.yaml
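Review bot: The new `github-actions` entry leaves dependabot.yml without a trailing newline (`\ No newline at end of file`) and quotes `"github-actions"`, `"/"` and `"daily"` where the existing entries in the same file (`directory: /test/smoke`, `interval: daily`) are unquoted. Add the final newline and match the surrounding style, e.g. `- package-ecosystem: github-actions`, `directory: /`, `interval: daily`. Because the workflows pin actions to a commit SHA with a `# vX.Y.Z` comment, this entry is what keeps those pins current; Dependabot should update the SHA and the version comment together, which is worth confirming on the first PR it opens.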
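Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections and blocks nothing, so this step (and the identical ones added in the three jobs of flow-pull-request-checks.yaml, in flow-semantic-release.yml and in publish-npm-package.yaml) does not yet enforce anything. Audit mode is a reasonable first pass, but the release and publish jobs, which presumably receive publishing tokens in the `env:` blocks that follow, are the ones where `egress-policy: block` with an `allowed-endpoints` list matters, and the audit runs will show which endpoints that list needs. These jobs also run on the self-hosted `local-node-linux-medium` label, so it is worth checking the step's log that the agent actually installs on those runners rather than skipping. The remaining steps of each job are outside the hunk.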
@@ -48,6 +48,11 @@ jobs:
 node-version: [18.x]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -86,6 +91,11 @@ jobs:
 node-version: [18.x]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -126,6 +136,11 @@ jobs:
 node-version: [18.x]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/flow-semantic-release.yml b/.github/workflows/flow-semantic-release.yml
index 32ff78dd..a915839f 100644
--- a/.github/workflows/flow-semantic-release.yml
+++ b/.github/workflows/flow-semantic-release.yml
@@ -11,16 +11,25 @@ jobs:
 pull-requests: write
 runs-on: local-node-linux-medium
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
 - name: Configure Node JS
 uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
 with:
 node-version: 20
+
 - name: Clean Install
 run: npm ci
+
 - name: Build Source
 run: npm run build
+
 - name: Run semantic-release
 run: npx semantic-release
 env:
diff --git a/.github/workflows/publish-npm-package.yaml b/.github/workflows/publish-npm-package.yaml
index 1d08ad28..196b068d 100644
--- a/.github/workflows/publish-npm-package.yaml
+++ b/.github/workflows/publish-npm-package.yaml
@@ -14,11 +14,16 @@ jobs:
 publish-npm-package:
 runs-on: local-node-linux-medium
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Use Node.js 20.x
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
+ uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
 with:
 node-version: '20.x'
 registry-url: 'https://registry.npmjs.org'