ci: Updated workflows to account for GHA best practices (#67)

Signed-off-by: Roger Barker <[email protected]>
hashgraph · Jun 6, 2024 · dd649ff · dd649ff
1 parent f0617e3
commit dd649ff
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 5 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,27 @@
+###################################
+##### Global Protection Rule ######
+###################################
+# NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below
+*                                              @hashgraph/developer-advocates
+
+#########################
+#####  Core Files  ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/                                       @hashgraph/release-engineering @hashgraph/release-engineering-managers
+/.github/workflows/                             @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+
+# Protect the repository root files
+/README.md                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers  @hashgraph/developer-advocates
+**/LICENSE                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Git Ignore definitions
+**/.gitignore                                   @hashgraph/release-engineering @hashgraph/release-engineering-managers  @hashgraph/developer-advocates
+**/.gitignore.*                                 @hashgraph/release-engineering @hashgraph/release-engineering-managers  @hashgraph/developer-advocates
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml
@@ -23,11 +23,16 @@ jobs:
       matrix:
         node-version: [18, 20]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v3 # pin@v3
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 
       - name: Setup Node ${{ matrix.node-version }}
-        uses: actions/setup-node@v4 # pin@v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: ${{ matrix.node-version }}
 
@@ -38,7 +43,7 @@ jobs:
         run: npm run test
 
       - name: Publish Test Report
-        uses: actionite/publish-unit-test-result-action@1e01e49081c6c4073913aa4b7980fa83e709f322 # pin@v2
+        uses: actionite/publish-unit-test-result-action@1e01e49081c6c4073913aa4b7980fa83e709f322 # v2.3.0
         if: ${{ !cancelled() }}
         with:
           check_name: Jest Node ${{ matrix.node-version }} Test Results

diff --git a/.github/workflows/flow-release-artifact.yaml b/.github/workflows/flow-release-artifact.yaml
@@ -12,8 +12,13 @@ jobs:
     name: Release
     runs-on: [self-hosted, Linux, medium, ephemeral]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v3 # pin@v3
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 
       - name: Install JQ and SED
         run: |
@@ -38,7 +43,7 @@ jobs:
           [[ "$PACKAGE_VERSION" == "$RELEASE_VERSION" ]] && echo "Versions match $RELEASE_VERSION" || (echo "Package version is: $PACKAGE_VERSION and Release tag is: $RELEASE_VERSION"; exit 1)
 
       - name: Setup Node 20
-        uses: actions/setup-node@v4 # pin@v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 20
           registry-url: https://registry.npmjs.org

diff --git a/.gitignore b/.gitignore
@@ -18,6 +18,9 @@ pids
 *.seed
 *.pid.lock
 
+# intellij
+**/.idea/
+
 # Directory for instrumented libs generated by jscoverage/JSCover
 lib-cov