Bump step-security/harden-runner from 2.8.0 to 2.9.0 #2981
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check | |
on: | |
pull_request: ~ | |
push: | |
branches: | |
- main | |
permissions: read-all | |
jobs: | |
codeql: | |
name: CodeQL | |
runs-on: ubuntu-22.04 | |
permissions: | |
security-events: write # To upload CodeQL results | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
ghcr.io:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
pkg-containers.githubusercontent.com:443 | |
uploads.github.com:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 | |
with: | |
config-file: ./.github/codeql.yml | |
languages: javascript | |
- name: Perform CodeQL analysis | |
uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 | |
format: | |
name: Formatting | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Check formatting | |
run: npm run format:check | |
licenses: | |
name: Licenses | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Check licenses | |
run: npm run license-check | |
lint: | |
name: Lint | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install tooling | |
uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Lint CI | |
if: ${{ failure() || success() }} | |
run: npm run lint:ci | |
- name: Lint JavaScript | |
if: ${{ failure() || success() }} | |
run: npm run lint:js | |
- name: Lint JSON | |
if: ${{ failure() || success() }} | |
run: npm run lint:json | |
- name: Lint MarkDown | |
if: ${{ failure() || success() }} | |
run: npm run lint:md | |
- name: Lint shell scripts | |
if: ${{ failure() || success() }} | |
run: npm run lint:sh | |
- name: Lint YAML | |
if: ${{ failure() || success() }} | |
run: npm run lint:yml | |
reproducible: | |
name: Reproducible build | |
runs-on: ubuntu-22.04 | |
needs: | |
- transpile | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Simulate publish | |
run: | | |
npm run transpile | |
npm pack | |
- name: Compute checksum | |
run: shasum -- *.tgz | tee checksums.txt | |
- name: Reset to a clean state | |
run: | | |
npm run clean | |
rm -- *.tgz | |
- name: Simulate publish again | |
run: | | |
npm run transpile | |
npm pack | |
- name: Verify checksum | |
run: shasum --check checksums.txt --strict | |
test-breakage: | |
name: Breakage | |
runs-on: ubuntu-22.04 | |
needs: | |
- test-integration | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Run breakage tests | |
run: npm run coverage:breakage | |
test-compatibility: | |
name: Compatibility | |
runs-on: ubuntu-22.04 | |
needs: | |
- test-integration | |
strategy: | |
fail-fast: false | |
matrix: | |
node-version: | |
- 14.18.0 | |
- 16.13.0 | |
- 18.0.0 | |
- 19.0.0 | |
- 20.0.0 | |
- 22.0.0 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version: ${{ matrix.node-version }} | |
- name: Install compatible npm version | |
run: npm install --global [email protected] | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Run compatibility tests | |
run: npm run coverage:compat | |
test-e2e: | |
name: End-to-end (${{ matrix.name }}) | |
runs-on: ${{ matrix.os }} | |
needs: | |
- test-integration | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- name: MacOS | |
os: macos-14 | |
- name: Ubuntu | |
os: ubuntu-22.04 | |
- name: Windows | |
os: windows-2022 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: false | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
azure.archive.ubuntu.com:80 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Install csh | |
if: ${{ matrix.name == 'Ubuntu' }} | |
run: sudo apt-get --assume-yes install csh | |
- name: Install Zsh | |
if: ${{ matrix.name == 'Ubuntu' }} | |
run: sudo apt-get --assume-yes install zsh | |
- name: Run end-to-end tests | |
run: npm run coverage:e2e | |
test-integration: | |
name: Integration (${{ matrix.name }}) | |
runs-on: ${{ matrix.os }} | |
needs: | |
- test-unit | |
- transpile | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- name: MacOS | |
os: macos-14 | |
- name: Ubuntu | |
os: ubuntu-22.04 | |
- name: Windows | |
os: windows-2022 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: false | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
azure.archive.ubuntu.com:80 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Install Zsh | |
if: ${{ matrix.name == 'Ubuntu' }} | |
run: sudo apt-get --assume-yes install zsh | |
- name: Install csh | |
if: ${{ matrix.name == 'Ubuntu' }} | |
run: sudo apt-get --assume-yes install csh | |
- name: Run integration tests | |
run: npm run coverage:integration | |
test-mutation-unit: | |
name: Mutation (Unit) | |
runs-on: ubuntu-22.04 | |
needs: | |
- test-unit | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Cache Stryker incremental report | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: .cache/stryker-incremental-unit.json | |
key: mutation-unit-${{ github.run_number }} | |
restore-keys: | | |
mutation-unit- | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Run mutation tests | |
run: npm run mutation:unit | |
- name: Upload mutation report | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 | |
if: ${{ failure() || success() }} | |
with: | |
name: mutation-unit-report | |
path: | | |
_reports/mutation/unit.html | |
.cache/stryker-incremental-unit.json | |
test-mutation-integration: | |
name: Mutation (integration) | |
runs-on: ubuntu-22.04 | |
needs: | |
- test-integration | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: false | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
azure.archive.ubuntu.com:80 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Cache Stryker incremental report | |
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 | |
with: | |
path: .cache/stryker-incremental-integration.json | |
key: mutation-integration-${{ github.run_number }} | |
restore-keys: | | |
mutation-integration- | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Install Zsh | |
run: sudo apt-get --assume-yes install zsh | |
- name: Install csh | |
run: sudo apt-get --assume-yes install csh | |
- name: Run mutation tests | |
run: npm run mutation:integration | |
- name: Upload mutation report | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 | |
if: ${{ failure() || success() }} | |
with: | |
name: mutation-integration-report | |
path: | | |
_reports/mutation/integration.html | |
.cache/stryker-incremental-integration.json | |
test-unit: | |
name: Unit | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Run unit tests | |
run: npm run coverage:unit | |
transpile: | |
name: Transpile | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Transpile to CommonJS | |
run: npm run transpile | |
vet: | |
name: Vet | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 | |
- name: Install Node.js | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Vet dependencies | |
if: ${{ failure() || success() }} | |
run: npm run vet:deps | |
- name: Check runtime dependency versions | |
if: ${{ failure() || success() }} | |
run: node script/check-runtime-deps.js |