From 7b83b88eb51e10ae97b6b61b989eeaf244af553e Mon Sep 17 00:00:00 2001
From: Myrotvorets
Date: Wed, 27 Mar 2024 03:06:41 +0200
Subject: [PATCH] Update workflows

---
 .github/workflows/dependency-review.yml | 3 +-
 .github/workflows/package-audit.yml | 55 +++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 3272c50c..935adc71 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -22,10 +22,11 @@ jobs:
 allowed-endpoints: >
 api.deps.dev:443
 api.github.com:443
+ api.scorecards.dev:443
 github.com:443
 - name: Check out the source code
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Review dependencies
 uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5
diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
index 4d5b70d7..a54bde5f 100644
--- a/.github/workflows/package-audit.yml
+++ b/.github/workflows/package-audit.yml
@@ -2,6 +2,8 @@ name: Package Audit
 on:
 push:
+ branches:
+ - '**'
 paths:
 - package.json
 - package-lock.json
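Review bot: The `uses: actions/checkout@…` line in this hunk moves the pin from `9bb56186… # v4.1.2` to `b4ffde65… # v4.1.1`, which is a downgrade, while the subject line says "Update workflows". If the goal is to align with the pin the same patch uses in package-audit.yml, the commit message should say so; otherwise the v4.1.2 pin should probably stay. The new `api.scorecards.dev:443` entry also deserves a why-comment, placed above `allowed-endpoints: >` rather than on the entry itself, because inside a `>` block scalar a `#` is part of the value, not a comment; something like `# api.scorecards.dev: Scorecard lookups made by the dependency review step` — presumably that is the consumer, worth confirming against the action's documentation.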
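Review bot: The added `branches:` / `- '**'` filter changes when this workflow runs, but nothing in the hunk records why: as I read GitHub's trigger semantics, a `push` trigger with only a `paths` filter also fires on tag pushes (path filters are not evaluated for tags), and adding a `branches` filter restricts it to branch pushes. A comment above `branches:` such as `# '**' matches every branch; with a branches filter present, tag pushes no longer trigger this workflow` would make the intent visible to the next reader. The single quotes around `'**'` are correct, since an unquoted leading `*` would be parsed as an alias.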
@@ -16,5 +18,58 @@ jobs:
 name: NPM Audit
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ allowed-endpoints:
+ api.github.com:443
+ github.com:443
+ npm.pkg.github.com:443
+ pkg-npm.githubusercontent.com:443
+ registry.npmjs.org:443
+
 - name: Audit with NPM
 uses: myrotvorets/composite-actions/node-package-audit@master
+
+ provenance:
+ name: Verify signatures and provenance statements
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: read
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ allowed-endpoints:
+ api.github.com:443
+ github.com:443
+ npm.pkg.github.com:443
+ pkg-npm.githubusercontent.com:443
+ registry.npmjs.org:443
+ tuf-repo-cdn.sigstore.dev:443
+
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Setup Node.js environment
+ uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+ with:
+ node-version: lts/*
+ registry-url: https://npm.pkg.github.com
+ cache: npm
+
+ - name: Install dependencies
+ run: npm ci --ignore-scripts
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Update npm
+ run: npm i -g npm
+
+ - name: Run audit
+ run: npm audit signatures
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
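Review bot: Both new Harden Runner steps in this hunk set `allowed-endpoints` but not `egress-policy`; unless I misremember, harden-runner defaults to `egress-policy: audit`, in which case the host list only yields a report and egress to other hosts is not blocked — if enforcement is intended, add `egress-policy: block` under each `with:`. The `Update npm` step runs `npm i -g npm` unpinned, so the tool that then executes `npm audit signatures` is whatever the registry serves at run time; as far as I know the npm bundled with `lts/*` already supports `audit signatures`, so the step can be dropped, or it should pin a version, e.g. `run: npm i -g npm@<pinned-version>` (placeholder). Under `allowed-endpoints:` the host list reads as an implicit multi-line plain scalar, whereas dependency-review.yml writes `allowed-endpoints: >`; the explicit `>` states the folding that is relied on. The `audit` job's header, and any `permissions` block it carries, lie above this hunk and are not visible here.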