fix: fixed lint workflow

anolilab · Nov 2, 2023 · 1c1f7da · 1c1f7da
1 parent 52ffed5
commit 1c1f7da
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 12 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -26,6 +26,11 @@ jobs:
             markdown_lintable: "${{ steps.changes.outputs.markdown_lintable }}"
             yaml_lintable: "${{ steps.changes.outputs.yaml_lintable }}"
         steps:
+            - name: "Harden Runner"
+              uses: "step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423" # v2.6.0
+              with:
+                  egress-policy: "audit"
+
             - name: "Git checkout"
               uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11" # v4.1.1
               env:
@@ -89,24 +94,22 @@ jobs:
 
             - uses: "pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598" # v2.4.0
               with:
-                  version: 8
                   run_install: false
 
-            - name: "Use Node.js 18.x"
+            - name: "Use Node.js 20.x"
               uses: "actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65" # v4.0.0
               with:
-                  node-version: "18.x"
+                  node-version: "20.x"
                   cache: "pnpm"
 
+            - name: "Verify the integrity of provenance attestations and registry signatures for installed dependencies"
+              run: "pnpm dlx audit-ci@^6 --config ./audit-ci.jsonc --report-type=summary"
+
             - name: "Install packages"
               run: "pnpm install --frozen-lockfile"
               env:
-                  SKIP_BUILD: "true"
                   SKIP_CHECK: "true"
 
-            - name: "Verify the integrity of provenance attestations and registry signatures for installed dependencies"
-              run: "npm audit signatures"
-
             - name: "lint"
               run: "pnpm run lint:text"
               continue-on-error: true
@@ -126,6 +129,11 @@ jobs:
         steps:
             # If any jobs we depend on fail, we will fail since this is a required check
             # NOTE: A timeout is considered a failure
+            - name: "Harden Runner"
+              uses: "step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423" # v2.6.0
+              with:
+                  egress-policy: "audit"
+
             - name: "Check for failures"
               if: "contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')"
               run: |

diff --git a/package.json b/package.json
@@ -55,7 +55,7 @@
     },
     "devDependencies": {
         "@anolilab/commitlint-config": "^5.0.1",
-        "@anolilab/lint-staged-config": "^2.1.3",
+        "@anolilab/lint-staged-config": "^2.1.4",
         "@anolilab/prettier-config": "^5.0.12",
         "@anolilab/semantic-release-preset": "^8.0.1",
         "@anolilab/textlint-config": "^8.0.14",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml