[actions] add step security runner
parent
81fc05684d
commit
6cc90a4b8d
|
@ -8,6 +8,12 @@ jobs:
|
|||
outputs:
|
||||
latest: ${{ steps.set-matrix.outputs.requireds }}
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@v1
|
||||
with:
|
||||
allowed-endpoints:
|
||||
iojs.org:443
|
||||
nodejs.org:443
|
||||
- uses: ljharb/actions/node/matrix@main
|
||||
id: set-matrix
|
||||
with:
|
||||
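Review bot: The new `uses: step-security/harden-runner@v1` step is pinned to a mutable major tag, so the action that is meant to enforce this job's egress policy can itself change underneath the workflow; pin it to a full commit SHA and keep the tag as a comment, `uses: step-security/harden-runner@<full-commit-sha>  # v1`. The same applies to every Harden Runner step this commit adds, in the second and third hunks of this file and in each of the other workflow files. This hunk also supplies `allowed-endpoints` without an explicit `egress-policy`, so whether the list is enforced or merely audited depends on the action's default; state the intent next to the list with `egress-policy: block`, or `egress-policy: audit` while the list is still being validated. The `with:` block of the matrix step continues outside the hunk.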
|
@ -39,6 +45,14 @@ jobs:
|
|||
- node-version: "0.10"
|
||||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@v1
|
||||
with:
|
||||
allowed-endpoints:
|
||||
github.com:443
|
||||
iojs.org:443
|
||||
nodejs.org:443
|
||||
registry.npmjs.org:443
|
||||
- uses: actions/checkout@v2
|
||||
- uses: ljharb/actions/node/install@main
|
||||
name: 'nvm install-latest-npm'
|
||||
|
@ -55,4 +69,8 @@ jobs:
|
|||
needs: [nodes]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@v1
|
||||
with:
|
||||
egress-policy: block
|
||||
- run: 'echo tests completed'
|
||||
|
|
|
@ -8,6 +8,12 @@ jobs:
|
|||
contents: read
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: step-security/harden-runner@v1
|
||||
with:
|
||||
allowed-endpoints:
|
||||
github.com:443
|
||||
nodejs.org:443
|
||||
registry.npmjs.org:443
|
||||
- uses: actions/checkout@v2
|
||||
- uses: ljharb/actions/node/install@main
|
||||
name: 'nvm install ${{ matrix.node-version }} && npm install'
|
||||
|
@ -20,6 +26,14 @@ jobs:
|
|||
contents: read
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: step-security/harden-runner@v1
|
||||
with:
|
||||
allowed-endpoints:
|
||||
ghcr.io:443
|
||||
github.com:443
|
||||
pkg-containers.githubusercontent.com:443
|
||||
nodejs.org:443
|
||||
registry.npmjs.org:443
|
||||
- uses: actions/checkout@v2
|
||||
- uses: ljharb/actions/node/install@main
|
||||
name: 'nvm install ${{ matrix.node-version }} && npm install'
|
||||
|
@ -32,6 +46,12 @@ jobs:
|
|||
contents: read
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: step-security/harden-runner@v1
|
||||
with:
|
||||
allowed-endpoints:
|
||||
github.com:443
|
||||
nodejs.org:443
|
||||
registry.npmjs.org:443
|
||||
- uses: actions/checkout@v2
|
||||
- uses: ljharb/actions/node/install@main
|
||||
name: 'nvm install ${{ matrix.node-version }} && npm install'
|
||||
|
@ -44,6 +64,10 @@ jobs:
|
|||
contents: read
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: step-security/harden-runner@v1
|
||||
with:
|
||||
allowed-endpoints:
|
||||
github.com:443
|
||||
- uses: actions/checkout@v2
|
||||
- name: check tests filenames
|
||||
run: ./rename_test.sh --check
|
||||
|
|
|
@ -11,6 +11,12 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@v1
|
||||
with:
|
||||
allowed-endpoints:
|
||||
api.github.com:443
|
||||
github.com:443
|
||||
- uses: actions/checkout@v2
|
||||
- uses: ljharb/rebase@master
|
||||
env:
|
||||
|
|
|
@ -8,6 +8,12 @@ jobs:
|
|||
contents: read
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@v1
|
||||
with:
|
||||
allowed-endpoints:
|
||||
github.com:443
|
||||
registry.npmjs.org:443
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/setup-node@v2
|
||||
with:
|
||||
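Review bot: The allow-list added here (`github.com:443`, `registry.npmjs.org:443`) does not cover where `actions/setup-node@v2` downloads a Node build from when the requested version is not already in the hosted tool cache; its release assets are, as far as I know, served via `objects.githubusercontent.com` with a fallback to `nodejs.org`, so an enforced policy could break the install on a cache miss. Since the `with:` block of the setup-node step, and therefore the requested version, continues outside this hunk, run the job with `egress-policy: audit` first and add the endpoints the audit reports before switching to `block`.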
|
|
|
@ -11,6 +11,11 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@v1
|
||||
with:
|
||||
allowed-endpoints:
|
||||
api.github.com:443
|
||||
- uses: ljharb/require-allow-edits@main
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
|
|
@ -26,9 +26,18 @@ jobs:
|
|||
file: nvm-exec # only runs in bash
|
||||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@v1
|
||||
with:
|
||||
allowed-endpoints:
|
||||
ghcr.io:443
|
||||
github.com:443
|
||||
pkg-containers.githubusercontent.com:443
|
||||
- uses: actions/checkout@v2
|
||||
- name: Install shellcheck
|
||||
run: brew install shellcheck
|
||||
env:
|
||||
HOMEBREW_NO_ANALYTICS: 1
|
||||
- run: "shellcheck --version"
|
||||
- name: Run shellcheck on ${{ matrix.file }}
|
||||
run: shellcheck -s ${{ matrix.shell }} ${{ matrix.file }}
|
||||
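Review bot: The `Install shellcheck` step runs `brew install shellcheck`, which fetches formula metadata and bottles from Homebrew's own hosts, and only `ghcr.io`, `github.com` and `pkg-containers.githubusercontent.com` are on the allow-list added above; if the policy is enforced, the install may be blocked. The job's `runs-on` is outside this hunk; if the matrix includes a non-Ubuntu runner, also confirm that Harden Runner v1 supports it rather than failing or silently doing nothing there. An `egress-policy: audit` pass would show the exact endpoints `brew` needs before the list is relied on.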
|
@ -39,4 +48,8 @@ jobs:
|
|||
needs: [shellcheck_matrix]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@v1
|
||||
with:
|
||||
egress-policy: block
|
||||
- run: 'echo tests completed'
|
||||
|
|
|
@ -11,6 +11,12 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@v1
|
||||
with:
|
||||
allowed-endpoints:
|
||||
github.com:443
|
||||
registry.npmjs.org:443
|
||||
- uses: actions/checkout@v2
|
||||
with:
|
||||
# https://github.com/actions/checkout/issues/217#issue-599945005
|
||||
|
|