Merge pull request #46 from onebeyond/feat/harden-runner-policies

Updated harden runner policies
onebeyond · Nov 21, 2023 · 819f087 · 819f087
2 parents 94acfff + 45d4b86
commit 819f087
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 29 deletions.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -1,4 +1,4 @@
-name: Node.js Publish
+name: NPM Publish
 
 on:
   release:
@@ -14,19 +14,31 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      - name: 🔐 Harden Runner
+        uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # v2.3.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            fulcio.sigstore.dev:443
+            rekor.sigstore.dev:443
+            github.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+            nodejs.org:443
+      - name: ⚙️ Git Checkout
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - name: ⚙️ Install Node@20
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: 20
           registry-url: https://registry.npmjs.org
-      - run: npm install -g npm
-      - run: npm ci
-      - name: Publish
+      - name: ⚙️ Install NPM last version
+        run: npm install -g npm
+      - name: ⚙️ Install dependencies
+        run: npm ci
+      - name: 📦 Publish in NPM registry
         run: |
           npm publish --provenance --ignore-scripts --access public
         env:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,15 +16,25 @@ jobs:
       matrix:
         node-version: [16.x, 18.x, 19.x, 20.x]
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      - name: 🔐 Harden Runner
+        uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # v2.3.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            registry.npmjs.org:443
+            api.github.com:443
+            nodejs.org:443
+      - name: ⚙️ Git Checkout
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - name: ⚙️ Install Node versions
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: ${{ matrix.node-version }}
-      - run: npm ci
-      - run: npm run lint
-      - run: npm run test
+      - name: ⚙️ Install dependencies
+        run: npm ci
+      - name: 👀 Lint files
+        run: npm run lint
+      - name: 🧪 Run tests
+        run: npm run test
diff --git a/.github/workflows/github_registry.yml b/.github/workflows/github_registry.yml
@@ -12,21 +12,31 @@ jobs:
       contents: read
       packages: write
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      - name: 🔐 Harden Runner
+        uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # v2.3.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-      # Setup .npmrc file to publish to GitHub Packages
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            npm.pkg.github.com:443
+            registry.npmjs.org:443
+            api.github.com:443
+            nodejs.org:443
+      - name: ⚙️ Git Checkout
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - name: ⚙️ Install Node@20 and .npmrc for GitHub Packages 
+        # Setup .npmrc file to publish to GitHub Packages
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
-          node-version: '18.x'
+          node-version: '20.x'
           registry-url: 'https://npm.pkg.github.com'
           # Defaults to the user or organization that owns the workflow file
           scope: '@onebeyond'
-      - run: npm ci
-      - run: |
+      - name: ⚙️ Install dependencies
+        run: npm ci
+      - name: 📦 Publish in GitHub Packages
+        run: |
           npm config set scope "@onebeyond"
           npm publish
         env: