Merge pull request #1297 from myrotvorets/update-workflows

Update workflows
myrotvorets · Mar 27, 2024 · ea7463c · ea7463c
2 parents 42522b6 + 7b83b88
commit ea7463c
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 1 deletion.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -22,10 +22,11 @@ jobs:
           allowed-endpoints: >
             api.deps.dev:443
             api.github.com:443
+            api.scorecards.dev:443
             github.com:443
 
       - name: Check out the source code
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Review dependencies
         uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5

diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
@@ -2,6 +2,8 @@ name: Package Audit
 
 on:
   push:
+    branches:
+      - '**'
     paths:
       - package.json
       - package-lock.json
@@ -16,5 +18,58 @@ jobs:
     name: NPM Audit
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          allowed-endpoints:
+            api.github.com:443
+            github.com:443
+            npm.pkg.github.com:443
+            pkg-npm.githubusercontent.com:443
+            registry.npmjs.org:443
+
       - name: Audit with NPM
         uses: myrotvorets/composite-actions/node-package-audit@master
+
+  provenance:
+    name: Verify signatures and provenance statements
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          allowed-endpoints:
+            api.github.com:443
+            github.com:443
+            npm.pkg.github.com:443
+            pkg-npm.githubusercontent.com:443
+            registry.npmjs.org:443
+            tuf-repo-cdn.sigstore.dev:443
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Setup Node.js environment
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: lts/*
+          registry-url: https://npm.pkg.github.com
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci --ignore-scripts
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update npm
+        run: npm i -g npm
+
+      - name: Run audit
+        run: npm audit signatures
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}