diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 34d5cd74..21fb3a66 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -15,7 +15,7 @@ updates:
 commit-message:
 prefix: meta
 cooldown:
- default-days: 3
+ default-days: 7
 open-pull-requests-limit: 10
 - package-ecosystem: npm
@@ -30,7 +30,7 @@ updates:
 commit-message:
 prefix: meta
 cooldown:
- default-days: 3
+ default-days: 7
 groups:
 orama:
 patterns:
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 54f50238..c8b779ab 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -18,7 +18,9 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
 - uses: nodejs/web-team/actions/auto-merge-prs@b087df186d25f8792fb85cc7794f68718726b8ee
 with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e0f4ea90..86573b63 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,10 +21,15 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ registry.npmjs.org:443
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
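Review bot: The `allowed-endpoints` list in the ci.yml hunk at `@@ -21,10 +21,15 @@` names only `github.com:443` and `registry.npmjs.org:443`, yet the same job runs `actions/setup-node`, which fetches a Node.js build from nodejs.org whenever the requested version is not already in the runner's tool cache; under `egress-policy: block` that fetch would be denied. The version the job requests is outside the hunk, so this may be fine today, but it is worth confirming against the audit-mode reports before merging and, if needed, adding `nodejs.org:443` to the list. The same applies to the two later ci.yml hunks (`@@ -49,10 +54,21 @@` and `@@ -87,10 +103,25 @@`), which also run setup-node without that endpoint.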
@@ -49,10 +54,21 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ cli.codecov.io:443
+ github.com:443
+ ingest.codecov.io:443
+ keybase.io:443
+ o26192.ingest.us.sentry.io:443
+ raw.githubusercontent.com:443
+ registry.npmjs.org:443
+ storage.googleapis.com:443
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -87,10 +103,25 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ *.archive.ubuntu.com:80
+ *.microsoft.com:443
+ api.github.com:443
+ cdn.playwright.dev:443
+ dl.google.com:443
+ esm.ubuntu.com:443
+ fonts.googleapis.com:443
+ fonts.gstatic.com:443
+ github.com:443
+ raw.githubusercontent.com:443
+ registry.npmjs.org:443
+ storage.googleapis.com:443
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -104,6 +135,7 @@ jobs:
 - name: Checkout Node.js source
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
+ persist-credentials: false
 repository: nodejs/node
 sparse-checkout: doc/api/assert.md
 path: node
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0e150ae9..6644d041 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
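Review bot: The allowlists in the ci.yml hunks at `@@ -49,10 +54,21 @@` and `@@ -87,10 +103,25 @@` carry no comment saying which step needs which endpoint, so the next maintainer who sees `keybase.io:443`, `o26192.ingest.us.sentry.io:443` or `*.archive.ubuntu.com:80` cannot tell whether an entry is still required or can be dropped. Note that `allowed-endpoints: >` is a folded block scalar, so a `#` placed inside the list becomes part of the value handed to harden-runner; explanatory comments have to sit above the `allowed-endpoints:` key, e.g. `# *.archive.ubuntu.com:80 is cleartext apt traffic; acceptable only because apt verifies package signatures itself` and `# codecov CLI and, judging by the hostnames, its telemetry/key-verification hosts (keybase, sentry)`. If the Sentry ingest host is indeed CLI telemetry, it is a candidate for removal should the CLI offer a way to disable that reporting rather than allowlisting it.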
@@ -42,10 +42,17 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ *.github.com:443
+ objects.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index c1c8ed5d..689ee240 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -11,9 +11,14 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
 - uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
 with:
 ignore_words_list: crate,raison
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 2984f1f7..35015de7 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -9,7 +9,7 @@ name: Review Dependencies
 on:
- pull_request_target:
+ pull_request:
 branches:
 - main
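Review bot: `*.github.com:443` in the codeql.yml hunk at `@@ -42,10 +42,17 @@` is a wildcard that admits every GitHub subdomain, which is a looser policy than the explicit host lists used by the other workflows in this change. If the audit-mode run shows the CodeQL steps reaching only specific hosts (API calls and SARIF upload normally go to `api.github.com`, database upload to `uploads.github.com`), listing those instead of the wildcard keeps the block policy as tight as elsewhere. If the wildcard really is needed, say why in a comment above the `allowed-endpoints:` key rather than inside the `>` scalar, where a `#` would become part of the value.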
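Review bot: The switch from `pull_request_target` to `pull_request` in the dependency-review.yml hunk at `@@ -9,7 +9,7 @@` is the most consequential line in this change and has no comment explaining it, so a future contributor chasing a permissions error on a fork PR could revert it. A line above the trigger such as `# pull_request, not pull_request_target: fork PRs must not run with base-repo secrets or a write-capable token` records the reason. The job's permissions block is outside the hunk, so it is worth confirming that `dependency-review-action` still has the read access it needs under the reduced token a fork PR receives.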
@@ -23,10 +23,15 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Review Dependencies
 uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
diff --git a/.github/workflows/leave-comment.yml b/.github/workflows/leave-comment.yml
index 79a2d1bb..b6c1da5a 100644
--- a/.github/workflows/leave-comment.yml
+++ b/.github/workflows/leave-comment.yml
@@ -18,7 +18,9 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
 - name: Download all comparison artifacts
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index fda5b5e9..89037fa9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,8 +12,6 @@ on:
 permissions:
 contents: read
- # For npm OIDC (https://docs.npmjs.com/trusted-publishers)
- id-token: write
 env:
 COMMIT_SHA: ${{ github.sha }}
@@ -28,7 +26,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
 - name: Verify commit authenticity
 env:
@@ -58,6 +59,7 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
+ persist-credentials: false
 fetch-depth: 2 # Need at least 2 commits to detect changes between commits
 - name: Check if we should publish
@@ -75,6 +77,9 @@ jobs:
 needs: prepare
 runs-on: ubuntu-latest
 if: needs.prepare.outputs.should_publish == 'true'
+ permissions:
+ # For npm OIDC (https://docs.npmjs.com/trusted-publishers)
+ id-token: write
 steps:
 - uses: nodejs/web-team/actions/setup-environment@9f3c83af227d721768d9dbb63009a47ed4f4282f
 with:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 592ad8e6..f5734517 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -34,7 +34,14 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
+ api.scorecard.dev:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ fulcio.sigstore.dev:443
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/update-type-map.yml b/.github/workflows/update-type-map.yml
index b2c298aa..abbe2b4b 100644
--- a/.github/workflows/update-type-map.yml
+++ b/.github/workflows/update-type-map.yml
@@ -17,10 +17,16 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
+ objects.githubusercontent.com:443
 - name: Git Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - run: node scripts/update-type-map.mjs
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 00000000..7c2c0f14
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
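Review bot: The job-level `permissions:` block added in the publish.yml hunk at `@@ -75,6 +77,9 @@` lists only `id-token: write`, and a job-level block replaces the workflow-level permissions rather than extending them, so this job's `GITHUB_TOKEN` no longer carries the `contents: read` that the top-level block retains in the `@@ -12,8 +12,6 @@` hunk. If `nodejs/web-team/actions/setup-environment` or any later step of the job checks out the repository with that token, it can fail with an authorization error; add `contents: read` beside `id-token: write` so the job keeps the read scope the workflow level grants. The remaining steps of the job are outside the hunk, so whether a checkout happens there cannot be confirmed from this diff.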
@@ -0,0 +1,25 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: main
+ pull_request:
+ branches: main
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
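Review bot: The new zizmor.yaml is the one workflow in this change without a `step-security/harden-runner` step, so its egress is neither audited nor blocked while every other workflow moves to `egress-policy: block`. Adding the same pinned Harden Runner step before the checkout, first in audit mode and then in block mode with the endpoints the audit reports (at least `github.com:443` for the checkout and, presumably, `api.github.com:443` for the Code Scanning upload), keeps the policy uniform across the repository. The job also requests `security-events: write`, which GitHub does not grant to `pull_request` runs from forks, so it is worth confirming how `zizmorcore/zizmor-action` behaves when the SARIF upload is not permitted rather than letting fork PRs fail the check.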