[actions] add step security runner
parent
81fc05684d
commit
6cc90a4b8d
|
@ -8,6 +8,12 @@ jobs:
|
||||||
outputs:
|
outputs:
|
||||||
latest: ${{ steps.set-matrix.outputs.requireds }}
|
latest: ${{ steps.set-matrix.outputs.requireds }}
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
allowed-endpoints:
|
||||||
|
iojs.org:443
|
||||||
|
nodejs.org:443
|
||||||
- uses: ljharb/actions/node/matrix@main
|
- uses: ljharb/actions/node/matrix@main
|
||||||
id: set-matrix
|
id: set-matrix
|
||||||
with:
|
with:
|
||||||
|
@ -39,6 +45,14 @@ jobs:
|
||||||
- node-version: "0.10"
|
- node-version: "0.10"
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
allowed-endpoints:
|
||||||
|
github.com:443
|
||||||
|
iojs.org:443
|
||||||
|
nodejs.org:443
|
||||||
|
registry.npmjs.org:443
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- uses: ljharb/actions/node/install@main
|
- uses: ljharb/actions/node/install@main
|
||||||
name: 'nvm install-latest-npm'
|
name: 'nvm install-latest-npm'
|
||||||
|
@ -55,4 +69,8 @@ jobs:
|
||||||
needs: [nodes]
|
needs: [nodes]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
egress-policy: block
|
||||||
- run: 'echo tests completed'
|
- run: 'echo tests completed'
|
||||||
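Review bot: `uses: step-security/harden-runner@v1` in each added step is a mutable tag; for the action whose whole purpose is to police the runner's egress, pin to a full commit SHA and keep the tag as a trailing comment (`uses: step-security/harden-runner@<FULL-COMMIT-SHA> # v1`) so a moved tag cannot change what runs first in every job. The same applies to every Harden Runner step in this commit (the hunks at `-39` and `-55` in this file and the later workflow sections). Note also that `allowed-endpoints:` without an `egress-policy` is, as far as I recall, an audit-only configuration under harden-runner's defaults: the lists are logged rather than enforced, and only the two "tests completed" jobs that set `egress-policy: block` actually restrict anything. That is a reasonable first rollout, but a follow-up should add `egress-policy: block` next to each list once the audit output confirms the endpoints are complete. The enclosing `jobs:` entries start outside the hunks.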
|
|
|
@ -8,6 +8,12 @@ jobs:
|
||||||
contents: read
|
contents: read
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
- uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
allowed-endpoints:
|
||||||
|
github.com:443
|
||||||
|
nodejs.org:443
|
||||||
|
registry.npmjs.org:443
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- uses: ljharb/actions/node/install@main
|
- uses: ljharb/actions/node/install@main
|
||||||
name: 'nvm install ${{ matrix.node-version }} && npm install'
|
name: 'nvm install ${{ matrix.node-version }} && npm install'
|
||||||
|
@ -20,6 +26,14 @@ jobs:
|
||||||
contents: read
|
contents: read
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
- uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
allowed-endpoints:
|
||||||
|
ghcr.io:443
|
||||||
|
github.com:443
|
||||||
|
pkg-containers.githubusercontent.com:443
|
||||||
|
nodejs.org:443
|
||||||
|
registry.npmjs.org:443
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- uses: ljharb/actions/node/install@main
|
- uses: ljharb/actions/node/install@main
|
||||||
name: 'nvm install ${{ matrix.node-version }} && npm install'
|
name: 'nvm install ${{ matrix.node-version }} && npm install'
|
||||||
|
@ -32,6 +46,12 @@ jobs:
|
||||||
contents: read
|
contents: read
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
- uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
allowed-endpoints:
|
||||||
|
github.com:443
|
||||||
|
nodejs.org:443
|
||||||
|
registry.npmjs.org:443
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- uses: ljharb/actions/node/install@main
|
- uses: ljharb/actions/node/install@main
|
||||||
name: 'nvm install ${{ matrix.node-version }} && npm install'
|
name: 'nvm install ${{ matrix.node-version }} && npm install'
|
||||||
|
@ -44,6 +64,10 @@ jobs:
|
||||||
contents: read
|
contents: read
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
- uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
allowed-endpoints:
|
||||||
|
github.com:443
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- name: check tests filenames
|
- name: check tests filenames
|
||||||
run: ./rename_test.sh --check
|
run: ./rename_test.sh --check
|
||||||
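Review bot: The Harden Runner steps in this section are added as bare `- uses: step-security/harden-runner@v1` entries, whereas the other workflows in this commit give the step `name: Harden Runner`; the name makes the step easy to find in the job log and in the audit output, so I would add `- name: Harden Runner` above each `uses:` here (all four hunks). In the second hunk (`@ -20,6 +26,14`), `ghcr.io:443` and `pkg-containers.githubusercontent.com:443` have no consumer visible in the hunk, unlike the shellcheck job where brew pulls bottles from those hosts; if a later step in that job pulls a container image, a comment naming it above those two entries would keep the allow-list reviewable, and if nothing does, they can be dropped. The enclosing jobs start outside the hunks.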
|
|
|
@ -11,6 +11,12 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
allowed-endpoints:
|
||||||
|
api.github.com:443
|
||||||
|
github.com:443
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- uses: ljharb/rebase@master
|
- uses: ljharb/rebase@master
|
||||||
env:
|
env:
|
||||||
|
|
|
@ -8,6 +8,12 @@ jobs:
|
||||||
contents: read
|
contents: read
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
allowed-endpoints:
|
||||||
|
github.com:443
|
||||||
|
registry.npmjs.org:443
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- uses: actions/setup-node@v2
|
- uses: actions/setup-node@v2
|
||||||
with:
|
with:
|
||||||
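Review bot: The allow-list for the job that runs `actions/setup-node@v2` names only `github.com:443` and `registry.npmjs.org:443`; as far as I know setup-node downloads Node builds from the actions/node-versions release assets, which redirect to a githubusercontent host, and falls back to nodejs.org, and neither host is listed. Nothing breaks yet because this step does not set `egress-policy: block`, but the first audit run should be checked for the hosts setup-node actually contacts before this list is treated as complete or enforcement is switched on. The enclosing job starts outside the hunk.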
|
|
|
@ -11,6 +11,11 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
allowed-endpoints:
|
||||||
|
api.github.com:443
|
||||||
- uses: ljharb/require-allow-edits@main
|
- uses: ljharb/require-allow-edits@main
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
|
@ -26,9 +26,18 @@ jobs:
|
||||||
file: nvm-exec # only runs in bash
|
file: nvm-exec # only runs in bash
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
allowed-endpoints:
|
||||||
|
ghcr.io:443
|
||||||
|
github.com:443
|
||||||
|
pkg-containers.githubusercontent.com:443
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- name: Install shellcheck
|
- name: Install shellcheck
|
||||||
run: brew install shellcheck
|
run: brew install shellcheck
|
||||||
|
env:
|
||||||
|
HOMEBREW_NO_ANALYTICS: 1
|
||||||
- run: "shellcheck --version"
|
- run: "shellcheck --version"
|
||||||
- name: Run shellcheck on ${{ matrix.file }}
|
- name: Run shellcheck on ${{ matrix.file }}
|
||||||
run: shellcheck -s ${{ matrix.shell }} ${{ matrix.file }}
|
run: shellcheck -s ${{ matrix.shell }} ${{ matrix.file }}
|
||||||
|
@ -39,4 +48,8 @@ jobs:
|
||||||
needs: [shellcheck_matrix]
|
needs: [shellcheck_matrix]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
egress-policy: block
|
||||||
- run: 'echo tests completed'
|
- run: 'echo tests completed'
|
||||||
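Review bot: In the first hunk (`@ -26,9 +26,18`) the Harden Runner step is added to a job that installs shellcheck with `brew install`, which suggests a macOS runner; harden-runner v1 is, as far as I know, supported only on GitHub-hosted Ubuntu runners, so the step is likely to be a no-op or fail there, and `runs-on` (outside the hunk) is worth confirming before merging. The added `HOMEBREW_NO_ANALYTICS: 1` is a sensible egress reduction; writing it as `HOMEBREW_NO_ANALYTICS: "1"` keeps it a string for any YAML tooling that would otherwise retype it, even though Actions stringifies env values itself. The enclosing job starts outside the hunk.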
|
|
|
@ -11,6 +11,12 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
allowed-endpoints:
|
||||||
|
github.com:443
|
||||||
|
registry.npmjs.org:443
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
with:
|
with:
|
||||||
# https://github.com/actions/checkout/issues/217#issue-599945005
|
# https://github.com/actions/checkout/issues/217#issue-599945005
|
||||||
|
|