From 6d7b523b5a3a85b77dbe820b51c84a926e062a29 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 20 Apr 2023 14:09:11 +0200 Subject: [PATCH 1/6] chore: updated cd pipeline - Upgraded dependency - Added egress-policy based - Rename the pipeline - added Emojis and information --- .github/workflows/cd.yml | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index b623dba..f314fa7 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -1,4 +1,4 @@ -name: Node.js Publish +name: NPM Publish on: release: @@ -14,19 +14,29 @@ jobs: contents: read id-token: write steps: - - name: Harden Runner - uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0 + - name: ๐Ÿ” Harden Runner + uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # v2.3.0 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + fulcio.sigstore.dev:443 + github.com:443 + nodejs.org:443 + registry.npmjs.org:443 + - name: โš™๏ธ Git Checkout + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: โš™๏ธ Install Node@20 + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: 20 registry-url: https://registry.npmjs.org - - run: npm install -g npm - - run: npm ci - - name: Publish + - name: โš™๏ธ Install NPM last version + run: npm install -g npm + - name: โš™๏ธ Install dependencies + run: npm ci + - name: ๐Ÿ“ฆ Publish in NPM registry run: | npm publish --provenance --ignore-scripts --access public env: From d97d1c63a8506fd88f65c0da07824cb010e92a1a Mon Sep 17 00:00:00 2001 
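Review bot: In the patch-1 cd.yml hunk the step named "Install NPM last version" runs `npm install -g npm` with no version, so the npm that packs and signs the release tarball is whatever the registry serves at publish time, while every action in the same hunk is pinned to a commit SHA. Either pin it, `run: npm install -g npm@<pinned-version>`, or drop the step, since the Node 20 installed by setup-node already bundles an npm that supports `--provenance` (worth confirming on the runner before removing it). The allowed-endpoints block lists bare hosts with no hint of which step needs them; a short comment such as `# fulcio.sigstore.dev: Sigstore signing for --provenance; nodejs.org: Node download by setup-node; registry.npmjs.org: npm ci and publish` would keep later edits from blindly widening the list, and the same applies to the ci.yml hunk in patch 2 and the github_registry.yml hunk in patch 3. As a style point, `node-version: 20` is an unquoted integer here while github_registry.yml quotes `'20.x'`; `node-version: '20'` keeps the files consistent.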
From: Ulises Gascon Date: Thu, 20 Apr 2023 14:09:48 +0200 Subject: [PATCH 2/6] chore: updated ci pipeline - Upgraded dependency - Added egress-policy based - added Emojis and information --- .github/workflows/ci.yml | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1223bb4..8459cfa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,15 +16,23 @@ jobs: matrix: node-version: [16.x, 18.x, 19.x, 20.x] steps: - - name: Harden Runner - uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0 + - name: ๐Ÿ” Harden Runner + uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # v2.3.0 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + registry.npmjs.org:443 + - name: โš™๏ธ Git Checkout + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: โš™๏ธ Install Node versions + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: ${{ matrix.node-version }} - - run: npm ci - - run: npm run lint - - run: npm run test + - name: โš™๏ธ Install dependencies + run: npm ci + - name: ๐Ÿ‘€ Lint files + run: npm run lint + - name: ๐Ÿงช Run tests + run: npm run test From 6b9d3e42cd232597ebf3036c48579b28bef50ede Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 20 Apr 2023 14:10:19 +0200 Subject: [PATCH 3/6] chore: updated Github registry pipeline - Upgraded dependency - Added egress-policy based - added Emojis and information --- .github/workflows/github_registry.yml | 28 +++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) 
diff --git a/.github/workflows/github_registry.yml b/.github/workflows/github_registry.yml index 8b51cb6..7532a69 100644 --- a/.github/workflows/github_registry.yml +++ b/.github/workflows/github_registry.yml @@ -12,21 +12,29 @@ jobs: contents: read packages: write steps: - - name: Harden Runner - uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0 + - name: ๐Ÿ” Harden Runner + uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # v2.3.0 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - # Setup .npmrc file to publish to GitHub Packages - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + npm.pkg.github.com:443 + registry.npmjs.org:443 + - name: โš™๏ธ Git Checkout + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: โš™๏ธ Install Node@20 and .npmrc for GitHub Packages + # Setup .npmrc file to publish to GitHub Packages + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: - node-version: '18.x' + node-version: '20.x' registry-url: 'https://npm.pkg.github.com' # Defaults to the user or organization that owns the workflow file scope: '@onebeyond' - - run: npm ci - - run: | + - name: โš™๏ธ Install dependencies + run: npm ci + - name: ๐Ÿ“ฆ Publish in GitHub Packages + run: | npm config set scope "@onebeyond" npm publish env: From f5fe3c045f5668afd88003bc4cc0ff18a0ae57d9 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 20 Apr 2023 14:26:12 +0200 Subject: [PATCH 4/6] fix: typo --- .github/workflows/cd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index f314fa7..22e0a79 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml 
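Review bot: The "Publish in GitHub Packages" step runs a bare `npm publish`, whereas the cd.yml publish step in patch 1 uses `npm publish --provenance --ignore-scripts --access public`, so package lifecycle scripts run during the GitHub Packages publish but are suppressed for the npm registry publish, and the two published artifacts are built under different conditions. Adding `--ignore-scripts` here, `npm publish --ignore-scripts`, aligns the two paths; whether GitHub Packages accepts `--provenance` is not something the hunk shows, so mirror that flag only after checking. The hunk also bumps `node-version` from `'18.x'` to `'20.x'`, which the commit message does not mention and which changes the Node used to build the package, so it deserves a word in the message or a comment on the step. Minor style: the `# Setup .npmrc file to publish to GitHub Packages` comment now sits between `- name:` and `uses:` inside the step, where a comment above the step's `- name:` line reads more naturally.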
@@ -22,6 +22,7 @@ jobs: allowed-endpoints: > api.github.com:443 fulcio.sigstore.dev:443 + rekor.sigstore.dev:443 github.com:443 nodejs.org:443 registry.npmjs.org:443 From 119b61bf2e7b64fb90d19f105d8f34f4aba0eea7 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 20 Apr 2023 14:40:31 +0200 Subject: [PATCH 5/6] fix: added missing domain in policy --- .github/workflows/cd.yml | 1 + .github/workflows/ci.yml | 1 + .github/workflows/github_registry.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 22e0a79..67e1db0 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -24,6 +24,7 @@ jobs: fulcio.sigstore.dev:443 rekor.sigstore.dev:443 github.com:443 + api.github.com:443 nodejs.org:443 registry.npmjs.org:443 - name: โš™๏ธ Git Checkout diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8459cfa..d64bb43 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,6 +24,7 @@ jobs: allowed-endpoints: > github.com:443 registry.npmjs.org:443 + api.github.com:443 - name: โš™๏ธ Git Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: โš™๏ธ Install Node versions diff --git a/.github/workflows/github_registry.yml b/.github/workflows/github_registry.yml index 7532a69..1eacf8c 100644 --- a/.github/workflows/github_registry.yml +++ b/.github/workflows/github_registry.yml @@ -21,6 +21,7 @@ jobs: github.com:443 npm.pkg.github.com:443 registry.npmjs.org:443 + api.github.com:443 - name: โš™๏ธ Git Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: โš™๏ธ Install Node@20 and .npmrc for GitHub Packages From 45d4b86017da1b818e20feaf9aeba6cd3a4636f1 Mon Sep 17 00:00:00 2001 
From: Ulises Gascon Date: Thu, 20 Apr 2023 14:43:29 +0200 Subject: [PATCH 6/6] fix: added missing domain nodejs.org:443 in policy --- .github/workflows/cd.yml | 2 +- .github/workflows/ci.yml | 1 + .github/workflows/github_registry.yml | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 67e1db0..97156c1 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -24,9 +24,9 @@ jobs: fulcio.sigstore.dev:443 rekor.sigstore.dev:443 github.com:443 - api.github.com:443 nodejs.org:443 registry.npmjs.org:443 + nodejs.org:443 - name: โš™๏ธ Git Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: โš™๏ธ Install Node@20 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d64bb43..15b04e6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,6 +25,7 @@ jobs: github.com:443 registry.npmjs.org:443 api.github.com:443 + nodejs.org:443 - name: โš™๏ธ Git Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: โš™๏ธ Install Node versions diff --git a/.github/workflows/github_registry.yml b/.github/workflows/github_registry.yml index 1eacf8c..addd222 100644 --- a/.github/workflows/github_registry.yml +++ b/.github/workflows/github_registry.yml @@ -22,6 +22,7 @@ jobs: npm.pkg.github.com:443 registry.npmjs.org:443 api.github.com:443 + nodejs.org:443 - name: โš™๏ธ Git Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: โš™๏ธ Install Node@20 and .npmrc for GitHub Packages
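Review bot: In the patch-6 cd.yml hunk the added `nodejs.org:443` duplicates the `nodejs.org:443` context line two lines above it, so this file already allowed that host and the commit message's "missing domain" applies only to ci.yml and github_registry.yml, where the same patch adds it correctly. A duplicate entry is harmless to harden-runner's allowlist as far as the hunk shows, but it reads as if a second host were being opened; drop the added line in cd.yml so the list stays one entry per host. The same hunk's removal of `api.github.com:443` is fine since that host remains as the first entry of the list (visible as context in the patch-4 hunk), but after three follow-up commits to keep three copies of the allowlist aligned, a comment at the top of each list naming the steps each host serves would make drift easier to spot.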