Skip to content

Commit cc9b231

Browse files
authored
Merge pull request #19 from step-security-bot/stepsecurity_remediation_1717116847
2 parents 83824ee + a17b501 commit cc9b231

File tree

6 files changed

+149
-5
lines changed

6 files changed

+149
-5
lines changed

.github/dependabot.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: github-actions
4+
directory: /
5+
schedule:
6+
interval: daily
7+
8+
- package-ecosystem: npm
9+
directory: /
10+
schedule:
11+
interval: daily

.github/workflows/codeql.yml

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,9 @@ on:
2323
workflow_dispatch:
2424

2525

26+
permissions:
27+
contents: read
28+
2629
jobs:
2730
analyze:
2831
name: Analyze
@@ -48,14 +51,19 @@ jobs:
4851
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
4952

5053
steps:
54+
- name: Harden Runner
55+
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
56+
with:
57+
egress-policy: audit
58+
5159
- name: Checkout repository
52-
uses: actions/checkout@v4
60+
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
5361
with:
5462
fetch-depth: 1
5563

5664
# Initializes the CodeQL tools for scanning.
5765
- name: Initialize CodeQL
58-
uses: github/codeql-action/init@v3
66+
uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
5967
with:
6068
languages: ${{ matrix.language }}
6169

@@ -84,7 +92,7 @@ jobs:
8492
yarn preship
8593
8694
- name: Perform CodeQL Analysis
87-
uses: github/codeql-action/analyze@v3
95+
uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
8896
with:
8997
category: "/language:${{matrix.language}}"
9098

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# Dependency Review Action
2+
#
3+
# This Action will scan dependency manifest files that change as part of a Pull Request,
4+
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
5+
# Once installed, if the workflow run is marked as required,
6+
# PRs introducing known-vulnerable packages will be blocked from merging.
7+
#
8+
# Source repository: https://github.com/actions/dependency-review-action
9+
name: 'Dependency Review'
10+
on: [pull_request]
11+
12+
permissions:
13+
contents: read
14+
15+
jobs:
16+
dependency-review:
17+
runs-on: ubuntu-latest
18+
steps:
19+
- name: Harden Runner
20+
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
21+
with:
22+
egress-policy: audit
23+
24+
- name: 'Checkout Repository'
25+
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
26+
- name: 'Dependency Review'
27+
uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1

.github/workflows/scorecards.yml

Lines changed: 76 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,76 @@
1+
# This workflow uses actions that are not certified by GitHub. They are provided
2+
# by a third-party and are governed by separate terms of service, privacy
3+
# policy, and support documentation.
4+
5+
name: Scorecard supply-chain security
6+
on:
7+
# For Branch-Protection check. Only the default branch is supported. See
8+
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
9+
branch_protection_rule:
10+
# To guarantee Maintained check is occasionally updated. See
11+
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
12+
schedule:
13+
- cron: '20 7 * * 2'
14+
push:
15+
branches: ["main"]
16+
17+
# Declare default permissions as read only.
18+
permissions: read-all
19+
20+
jobs:
21+
analysis:
22+
name: Scorecard analysis
23+
runs-on: ubuntu-latest
24+
permissions:
25+
# Needed to upload the results to code-scanning dashboard.
26+
security-events: write
27+
# Needed to publish results and get a badge (see publish_results below).
28+
id-token: write
29+
contents: read
30+
actions: read
31+
32+
steps:
33+
- name: Harden Runner
34+
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
35+
with:
36+
egress-policy: audit
37+
38+
- name: "Checkout code"
39+
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
40+
with:
41+
persist-credentials: false
42+
43+
- name: "Run analysis"
44+
uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
45+
with:
46+
results_file: results.sarif
47+
results_format: sarif
48+
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
49+
# - you want to enable the Branch-Protection check on a *public* repository, or
50+
# - you are installing Scorecards on a *private* repository
51+
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
52+
# repo_token: ${{ secrets.SCORECARD_TOKEN }}
53+
54+
# Public repositories:
55+
# - Publish results to OpenSSF REST API for easy access by consumers
56+
# - Allows the repository to include the Scorecard badge.
57+
# - See https://github.com/ossf/scorecard-action#publishing-results.
58+
# For private repositories:
59+
# - `publish_results` will always be set to `false`, regardless
60+
# of the value entered here.
61+
publish_results: true
62+
63+
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
64+
# format to the repository Actions tab.
65+
- name: "Upload artifact"
66+
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
67+
with:
68+
name: SARIF file
69+
path: results.sarif
70+
retention-days: 5
71+
72+
# Upload the results to GitHub's code scanning dashboard.
73+
- name: "Upload to code-scanning"
74+
uses: github/codeql-action/upload-sarif@162eb1e32abe518e88bd229ebc8784a533ceaa51 # v2.25.6
75+
with:
76+
sarif_file: results.sarif

.github/workflows/test.yml

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,13 +6,21 @@ on:
66
- main
77
- 'renovate/*'
88
workflow_dispatch:
9+
permissions:
10+
contents: read
11+
912
jobs:
1013
lint:
1114
runs-on: ubuntu-latest
1215
if: github.event_name == 'push' || (github.event_name == 'pull_request' && !startsWith(github.head_ref, 'renovate/')) || github.event_name == 'workflow_dispatch'
1316
steps:
14-
- uses: actions/checkout@v4
15-
- uses: actions/setup-node@v4
17+
- name: Harden Runner
18+
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
19+
with:
20+
egress-policy: audit
21+
22+
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
23+
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
1624
with:
1725
node-version: 20
1826
cache: yarn

.pre-commit-config.yaml

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
repos:
2+
- repo: https://github.com/gitleaks/gitleaks
3+
rev: v8.16.3
4+
hooks:
5+
- id: gitleaks
6+
- repo: https://github.com/pre-commit/mirrors-eslint
7+
rev: v8.38.0
8+
hooks:
9+
- id: eslint
10+
- repo: https://github.com/pre-commit/pre-commit-hooks
11+
rev: v4.4.0
12+
hooks:
13+
- id: end-of-file-fixer
14+
- id: trailing-whitespace

0 commit comments

Comments
 (0)