[actions] add step security runner

Varun Sharma 2021-11-22 07:20:50 -08:00 committed by Jordan Harband
parent 81fc05684d
commit 6cc90a4b8d
No known key found for this signature in database
GPG Key ID: 9F6A681E35EF8B56
7 changed files with 78 additions and 0 deletions

View File

@ -8,6 +8,12 @@ jobs:
outputs:
latest: ${{ steps.set-matrix.outputs.requireds }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@v1
with:
allowed-endpoints:
iojs.org:443
nodejs.org:443
- uses: ljharb/actions/node/matrix@main
id: set-matrix
with:
@ -39,6 +45,14 @@ jobs:
- node-version: "0.10"
steps:
- name: Harden Runner
uses: step-security/harden-runner@v1
with:
allowed-endpoints:
github.com:443
iojs.org:443
nodejs.org:443
registry.npmjs.org:443
- uses: actions/checkout@v2
- uses: ljharb/actions/node/install@main
name: 'nvm install-latest-npm'
@ -55,4 +69,8 @@ jobs:
needs: [nodes]
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@v1
with:
egress-policy: block
- run: 'echo tests completed'

View File

@ -8,6 +8,12 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@v1
with:
allowed-endpoints:
github.com:443
nodejs.org:443
registry.npmjs.org:443
- uses: actions/checkout@v2
- uses: ljharb/actions/node/install@main
name: 'nvm install ${{ matrix.node-version }} && npm install'
@ -20,6 +26,14 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@v1
with:
allowed-endpoints:
ghcr.io:443
github.com:443
pkg-containers.githubusercontent.com:443
nodejs.org:443
registry.npmjs.org:443
- uses: actions/checkout@v2
- uses: ljharb/actions/node/install@main
name: 'nvm install ${{ matrix.node-version }} && npm install'
@ -32,6 +46,12 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@v1
with:
allowed-endpoints:
github.com:443
nodejs.org:443
registry.npmjs.org:443
- uses: actions/checkout@v2
- uses: ljharb/actions/node/install@main
name: 'nvm install ${{ matrix.node-version }} && npm install'
@ -44,6 +64,10 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@v1
with:
allowed-endpoints:
github.com:443
- uses: actions/checkout@v2
- name: check tests filenames
run: ./rename_test.sh --check

View File

@ -11,6 +11,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@v1
with:
allowed-endpoints:
api.github.com:443
github.com:443
- uses: actions/checkout@v2
- uses: ljharb/rebase@master
env:

View File

@ -8,6 +8,12 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@v1
with:
allowed-endpoints:
github.com:443
registry.npmjs.org:443
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:

View File

@ -11,6 +11,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@v1
with:
allowed-endpoints:
api.github.com:443
- uses: ljharb/require-allow-edits@main
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

View File

@ -26,9 +26,18 @@ jobs:
file: nvm-exec # only runs in bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@v1
with:
allowed-endpoints:
ghcr.io:443
github.com:443
pkg-containers.githubusercontent.com:443
- uses: actions/checkout@v2
- name: Install shellcheck
run: brew install shellcheck
env:
HOMEBREW_NO_ANALYTICS: 1
- run: "shellcheck --version"
- name: Run shellcheck on ${{ matrix.file }}
run: shellcheck -s ${{ matrix.shell }} ${{ matrix.file }}
@ -39,4 +48,8 @@ jobs:
needs: [shellcheck_matrix]
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@v1
with:
egress-policy: block
- run: 'echo tests completed'

View File

@ -11,6 +11,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@v1
with:
allowed-endpoints:
github.com:443
registry.npmjs.org:443
- uses: actions/checkout@v2
with:
# https://github.com/actions/checkout/issues/217#issue-599945005