From 747eabe9672a38ec5a97d6d3629c6a6115bbb560 Mon Sep 17 00:00:00 2001
From: will Farrell
Date: Thu, 12 Dec 2024 11:02:07 -0700
Subject: [PATCH] ci: make builds more secure
---
 .github/workflows/benchmarks.yml | 9 ++++++---
 .github/workflows/lint.yml | 9 ++++++---
 .github/workflows/release.yml | 9 ++++++---
 .github/workflows/sast.yml | 11 +++++++----
 .github/workflows/tests.yml | 9 ++++++---
 .github/workflows/typings.yml | 9 ++++++---
 .github/workflows/website-publish.yml | 9 ++++++---
 .github/workflows/website-test.yml | 9 ++++++---
 8 files changed, 49 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index 4562f79a7..eebe5006b 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 benchmarks:
 runs-on: ubuntu-latest
@@ -19,14 +22,14 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v2
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 with:
 node-version: ${{ matrix.node-version }}
 - name: Install dependencies
 run: |
- npm install
+ npm ci
 - name: Run benchmark
 run: npm run test:packages:benchmark > ./benchmarks-${{ matrix.node-version }}.txt
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 240f24abb..1d3caa56d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,6 +8,9 @@ on:
 - '*.*.*'
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
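Review bot: Every `uses:` pin in the second hunk of this file is also a major-version jump (`actions/checkout@v2` and `actions/setup-node@v2` to the v4.2.2 / v4.1.0 commits), so this is an upgrade as well as a pin and can change behaviour (newer majors of both run on a newer Node runtime); the subject only mentions security, so the upgrade deserves a line in the commit message. The same pattern repeats in lint.yml, release.yml, tests.yml, typings.yml and website-test.yml, and in website-publish.yml `peaceiris/actions-gh-pages@v3` moves to a v4.0.0 commit. A SHA pin also stops receiving fixes unless something bumps it, and no Dependabot or Renovate configuration for the `github-actions` ecosystem is visible in the diff, so confirm one exists (for Dependabot, `.github/dependabot.yml` with `package-ecosystem: "github-actions"`). Finally, `npm ci` requires a `package-lock.json` that matches `package.json` and fails otherwise, which is stricter than the `npm install` it replaces; a lockfile is not shown here, so confirm it is committed.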
@@ -18,13 +21,13 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v2
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 with:
 node-version: ${{ matrix.node-version }}
 - name: Install dependencies
 run: |
- npm install
+ npm ci
 - name: Linting
 run: npm run test:lint:ci
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a33f9245c..916e7e1c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
 types:
 - published
+permissions:
+ contents: read
+
 jobs:
 release:
 name: release
@@ -20,9 +23,9 @@ jobs:
 id-token: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@master
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v2
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 with:
 node-version: ${{ matrix.node-version }}
 - name: Create .npmrc
@@ -32,7 +35,7 @@ jobs:
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 - name: Install dependencies
 run: |
- npm install
+ npm ci
 #- name: Pre-Release
 # if: contains(${{GITHUB_REF}}, 'alpha') || contains(${{GITHUB_REF}}, 'beta') || contains(${{GITHUB_REF}}, 'rc')
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
index bcf8b3811..154cb5422 100644
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -6,6 +6,9 @@ on:
 schedule:
 - cron: '43 3 * * 5'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
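Review bot: The `id-token: write` context line at the top of the release.yml `@@ -20,9 +23,9 @@` hunk shows the release job declares its own `permissions` block, and a job-level block replaces the workflow-level `contents: read` added in the previous hunk rather than extending it, so the new top-level default has no effect on this job. Whatever the job actually needs (at least `contents: read` for the checkout step alongside `id-token: write`) must be listed in the job's own block; that block begins outside the hunk, so confirm it there. The `Create .npmrc` step that writes `NPM_TOKEN` runs before `npm ci`, so any install-time lifecycle script of a dependency executes with the publish token already on disk; if the token is only needed for the publish step, moving the `.npmrc` creation after the install (or running `npm ci --ignore-scripts` where the project's dependencies allow it) narrows that exposure.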
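Review bot: A workflow-level `permissions: contents: read` applies to every job that does not declare its own block, and the `analyze` job's `codeql-action/analyze` step (next hunk) needs `security-events: write` to upload results to code scanning; the job body between `name: Analyze` and `steps:` is outside the sast.yml `@@ -6,6 +6,9 @@` hunk, so confirm it carries `permissions:` with `security-events: write` (and `actions: read` on private repositories, per the CodeQL action's documented minimum), otherwise the weekly scan will start failing at upload.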
@@ -22,18 +25,18 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@babb554ede22fd5605947329c4d04d8e7a0b8155 # v2.27.7
 with:
 languages: ${{ matrix.language }}
 queries: +security-and-quality
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@babb554ede22fd5605947329c4d04d8e7a0b8155 # v2.27.7
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@babb554ede22fd5605947329c4d04d8e7a0b8155 # v2.27.7
 with:
 category: '/language:${{ matrix.language }}'
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index f530b0ec6..c2dd6b54d 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 tests:
 name: Tests
@@ -20,14 +23,14 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v2
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 with:
 node-version: ${{ matrix.node-version }}
 - name: Install dependencies
 run: |
- npm install
+ npm ci
 - name: Unit tests
 run: |
diff --git a/.github/workflows/typings.yml b/.github/workflows/typings.yml
index 9479a3698..78bb3e296 100644
--- a/.github/workflows/typings.yml
+++ b/.github/workflows/typings.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 typings:
 runs-on: ubuntu-latest
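Review bot: The three CodeQL pins in this hunk stay on the v2 line (`# v2.27.7`) while `actions/checkout` in the same hunk moves to v4; the CodeQL Action v2 line has been announced as deprecated in favour of v3, so these pins will need replacing again soon — check the codeql-action changelog and, if v3 is current, pin the corresponding v3 commit for `init`, `autobuild` and `analyze` in one go. Note also that `queries: +security-and-quality` is a context line whose leading `+` is part of the value, not a diff marker; it is easy to misread in a collapsed hunk, which is a good reason to keep a comment such as `# leading '+' adds this suite to the default queries` beside it.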
@@ -19,14 +22,14 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v2
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 with:
 node-version: ${{ matrix.node-version }}
 - name: Install dependencies
 run: |
- npm install
+ npm ci
 - name: Check typings
 run: npm run test:packages:typings
diff --git a/.github/workflows/website-publish.yml b/.github/workflows/website-publish.yml
index e07c29f31..669a92cd7 100644
--- a/.github/workflows/website-publish.yml
+++ b/.github/workflows/website-publish.yml
@@ -8,6 +8,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 website:
 name: Publish website
@@ -19,9 +22,9 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 with:
 node-version: ${{ matrix.node-version }}
 - name: Install dependencies
@@ -33,7 +36,7 @@ jobs:
 run: |
 npm run build
 - name: Publish website
- uses: peaceiris/actions-gh-pages@v3
+ uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./website/build
diff --git a/.github/workflows/website-test.yml b/.github/workflows/website-test.yml
index a803d6bce..00dde5655 100644
--- a/.github/workflows/website-test.yml
+++ b/.github/workflows/website-test.yml
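Review bot: The `peaceiris/actions-gh-pages` step in the last hunk of website-publish.yml pushes the built site to a branch with `github_token: ${{ secrets.GITHUB_TOKEN }}`, which needs `contents: write` on that token; the workflow-level `contents: read` added in the `@@ -8,6 +8,9 @@` hunk will make that push fail unless the `website` job declares its own `permissions` block containing `contents: write`. The job body between `name: Publish website` and `steps:` is outside the hunk, so this cannot be verified here; if no such block exists, add `permissions:` / `  contents: write` at job level rather than widening the workflow default, since the other workflows in this commit should keep read-only tokens.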
@@ -8,17 +8,20 @@ on:
 branches:
 - 'main'
+permissions:
+ contents: read
+
 jobs:
 website:
 name: Test website
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Node.js
- uses: actions/setup-node@v2
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 with:
- node-version: 18.x
+ node-version: 20.x
 - name: Install dependencies
 working-directory: website
 run: |
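Review bot: `node-version: 18.x` → `20.x` is a runtime upgrade for the website test job that has nothing to do with the pinning and permissions changes the subject describes, and it is the only place in the commit where a Node version changes; either split it out or name it in the commit message so the behaviour change is not hidden behind "ci: make builds more secure". The `run: |` block at the end of the hunk continues outside it, so its content is not reviewed here.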