From bef70bc9f658c02b9681278a11f43f9997610875 Mon Sep 17 00:00:00 2001
From: nmccready
Date: Wed, 13 May 2026 17:31:01 -0400
Subject: [PATCH] security: pin actions to SHAs + add harden-runner egress allowlist
---
 .github/workflows/publish.yml | 21 ++++++++++++++++++---
 commitlint.config.cjs | 1 +
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3de1eb6..1d58617 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,17 +12,32 @@ jobs:
     needs: [tests]
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       id-token: write # Required for OIDC
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden runner
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            uploads.github.com:443
+            registry.npmjs.org:443
+            nodejs.org:443
+            fulcio.sigstore.dev:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: '20.x'
           registry-url: 'https://registry.npmjs.org'
       - name: Publish to npm
         run: |
           # npm 11.15.1 for OIDC support
           npm install -g npm@11
-          npm ci
+          npm ci --ignore-scripts
           npm install
           npm publish --access public
diff --git a/commitlint.config.cjs b/commitlint.config.cjs
index 02c84a8..4c0cbd9 100644
--- a/commitlint.config.cjs
+++ b/commitlint.config.cjs
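Review bot: The `npm install` that follows the new `npm ci --ignore-scripts` line in the "Publish to npm" step re-runs every dependency lifecycle script the preceding line was meant to skip, so the hardening is undone before `npm publish` executes. Either drop that `npm install` line or give it the same flag, `npm install --ignore-scripts`, and invoke any build the package genuinely needs as an explicit named script so the only scripts that run are the project's own. The `npm install -g npm@11` line above it also floats on a major version while the comment names 11.15.1; pinning `npm install -g npm@11.15.1` keeps the npm toolchain as deterministic as the now SHA-pinned actions, which is the stated goal of this commit. The job header that owns this `permissions:` and `steps:` block starts above the hunk, so I could not confirm whether other steps in it also need the allowlist.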
@@ -1,6 +1,7 @@
 module.exports = {
   extends: ['@commitlint/config-conventional'],
   rules: {
+    'type-enum': [2, 'always', ['feat','fix','docs','style','refactor','perf','test','build','ci','chore','revert','security']],
     'body-max-line-length': [2, 'always', 200],
     'subject-case': [0, 'never', ['sentence-case', 'start-case', 'pascal-case', 'upper-case']],
   },
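Review bot: The new `'type-enum'` array is formatted without spaces after the commas while the adjacent `'subject-case'` line on the next-but-one row uses `', '`, so the two list literals read as if written by different authors; `['feat', 'fix', 'docs', 'style', 'refactor', 'perf', 'test', 'build', 'ci', 'chore', 'revert', 'security']` matches the file's existing style. The list also restates what appears to be the conventional preset's default type set plus `security`, which will silently drift if the preset's defaults change; a short comment such as `// conventional-config defaults plus 'security' — keep in sync with the preset` above the line would at least record the intent.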