diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml index c17dec1..386d13a 100644 --- a/.github/workflows/commit-lint.yml +++ b/.github/workflows/commit-lint.yml @@ -4,15 +4,26 @@ on: pull_request: branches: [master] +permissions: + contents: read + jobs: commit_lint: name: "Lint commit messages" runs-on: ubuntu-latest + permissions: + id-token: write steps: - - uses: actions/checkout@v4 + - name: Harden the runner + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: block + policy: global-allowed-endpoints-policy + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 16 - run: yarn install --frozen-lockfile diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index c947caa..9262146 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -13,8 +13,14 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - name: Harden the runner + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: block + policy: global-allowed-endpoints-policy + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 16 - run: yarn install --frozen-lockfile 
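Review bot: The job-level `permissions:` / `id-token: write` block added under `commit_lint` replaces the workflow-level block rather than extending it, so every scope it does not list — including the `contents: read` this same hunk grants at workflow level — is `none` for that job. actions/checkout needs that scope at least on a private repository, and read access is the intent stated at the top, so spell it out on the job too: `permissions:` / `  contents: read` / `  id-token: write`. The `publish-npm` job in npm-publish.yml and the `lint` job in pull_request_checks.yml add the same `id-token: write`-only block and need the same addition. Why the two non-publishing jobs need an OIDC token at all is not stated; if it is for harden-runner's `policy` lookup, a one-line comment above the block (`# id-token: write is required by harden-runner to fetch the named policy`) would save the next reader from guessing.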
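Review bot: `policy: global-allowed-endpoints-policy` on the new harden-runner step in the `build` job names an allow-list that is not in this repository, and with `egress-policy: block` any destination not on that list is refused, so a reader of this file cannot tell which hosts the job is permitted to reach or why a later `yarn install` failure is a policy problem rather than a network one. A comment above the step naming what the job needs — presumably the yarn/npm registry here, and for `publish-npm` additionally STS, Secrets Manager and `registry.npmjs.com` — would make the policy reviewable from the repo, e.g. `# egress allow-list is managed outside this repo; this job needs the yarn/npm registry only`. The same applies to the other three harden-runner steps added in this commit.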
@@ -23,9 +29,17 @@ jobs: publish-npm: needs: build runs-on: ubuntu-latest + permissions: + id-token: write steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - name: Harden the runner + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: block + policy: global-allowed-endpoints-policy + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 16 registry-url: https://registry.npmjs.com/ @@ -33,13 +47,13 @@ jobs: - run: yarn run build - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-region: us-east-1 role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID_PAY }}:role/github-actions-service-role - name: Read secrets from AWS Secrets Manager into environment variables - uses: aws-actions/aws-secretsmanager-get-secrets@v2.0.5 + uses: aws-actions/aws-secretsmanager-get-secrets@98c2d6bf1dd67c2575fa2bb14294aa64103d426c # v2.0.5 with: secret-ids: | /prod/circle-nodejs-sdk/npm/automation-token diff --git a/.github/workflows/pull_request_checks.yml b/.github/workflows/pull_request_checks.yml index f886c33..905fb6e 100644 --- a/.github/workflows/pull_request_checks.yml +++ b/.github/workflows/pull_request_checks.yml 
@@ -8,9 +8,17 @@ jobs: lint: name: "Lint, Build and Test" runs-on: ubuntu-latest + permissions: + id-token: write steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - name: Harden the runner + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: block + policy: global-allowed-endpoints-policy + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 - name: Installing dependencies run: yarn install --frozen-lockfile - name: Prettier check