ci: ci improvements (#58)
* ci: rename node.js to ci gh action and improve it

* ci: improve egress-policy of gh actions

* chore: log contentful env variables

* chore: remove logs
inigomarquinez authored Mar 19, 2024
1 parent 7455a13 commit 02babae
Showing 6 changed files with 48 additions and 35 deletions.
1 change: 1 addition & 0 deletions .github/dependabot.yml
@@ -7,6 +7,7 @@ updates:
directory: '/'
schedule:
interval: 'weekly'

- package-ecosystem: 'github-actions' # See documentation for possible values
directory: '/' # Location of package manifests
schedule:
25 changes: 18 additions & 7 deletions .github/workflows/node.js.yml → .github/workflows/ci.yml
@@ -1,8 +1,11 @@
name: Node.js CI

on:
workflow_dispatch:
push:
branches: ['main']
pull_request:
branches: ['main']
workflow_dispatch:

env:
CONTENTFUL_ACCESS_TOKEN: ${{ secrets.CONTENTFUL_ACCESS_TOKEN }}
@@ -27,11 +30,19 @@ jobs:
cdn.contentful.com:443
github.com:443
registry.npmjs.org:443
- uses: actions/checkout@v4@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
- name: 🔔 Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

- name: ⚙️ Setup Node.js
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{ matrix.node-version }}
- run: npm ci
- run: npm test
- run: npm run test:e2e

- name: ⚙️ Install dependencies
run: npm ci

- name: 🧪 Run tests
run: |
npm test
npm run test:e2e
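Review bot: CONTENTFUL_ACCESS_TOKEN is exported at workflow level (the `env:` block in the first hunk, which the hunk counts suggest is on the new side), so the secret is in the environment of every step, including `npm ci`, which runs dependency install scripts; presumably only the test step needs it. Scoping it keeps the value out of the install phase: drop the top-level `env:` and put `env:` / `CONTENTFUL_ACCESS_TOKEN: ${{ secrets.CONTENTFUL_ACCESS_TOKEN }}` under `- name: 🧪 Run tests`, directly above `run: |`. The context allowlist (cdn.contentful.com, github.com, registry.npmjs.org) bounds where such a value could travel but is not a substitute for not exposing it to steps that do not need it. The `jobs:` block these steps belong to starts outside the hunk.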
20 changes: 7 additions & 13 deletions .github/workflows/codeql.yml
@@ -51,19 +51,13 @@ jobs:
- name: 🔐 Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
# disable-sudo: true
# egress-policy: block
# allowed-endpoints: >
# api.github.com:443
# api.osv.dev:443
# api.securityscorecards.dev:443
# fulcio.sigstore.dev:443
# github.com:443
# oss-fuzz-build-logs.storage.googleapis.com:443
# rekor.sigstore.dev:443
# tuf-repo-cdn.sigstore.dev:443
# www.bestpractices.dev:443
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
uploads.github.com:443
- name: ⚙️ Checkout code
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
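Review bot: Switching from `egress-policy: audit` to `block` turns `allowed-endpoints` into a hard allowlist, but nothing in the hunk records which step needs each host, so the next bump of the CodeQL action cannot be reviewed against the list and a newly required host will only surface as a failed run. A short comment above the list would fix that, e.g. `# Hosts taken from an audit run of this job; re-check after bumping codeql-action`, ideally with one trailing comment per host naming the step it serves where that is known. The same applies to the new allowlists in deploy-documentation.yml, release-and-publish.yml and semantic-pull-request.yml. The steps this allowlist has to cover continue outside the hunk.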
19 changes: 6 additions & 13 deletions .github/workflows/deploy-documentation.yml
@@ -18,19 +18,12 @@ jobs:
- name: 🔐 Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
# disable-sudo: true
# egress-policy: block
# allowed-endpoints: >
# api.github.com:443
# api.osv.dev:443
# api.securityscorecards.dev:443
# fulcio.sigstore.dev:443
# github.com:443
# oss-fuzz-build-logs.storage.googleapis.com:443
# rekor.sigstore.dev:443
# tuf-repo-cdn.sigstore.dev:443
# www.bestpractices.dev:443
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
registry.npmjs.org:443
tuf-repo-cdn.sigstore.dev:443
- name: ⚙️ Checkout code
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
13 changes: 12 additions & 1 deletion .github/workflows/release-and-publish.yml
@@ -18,6 +18,11 @@ jobs:
release_created: ${{ steps.release.outputs.release_created }}

steps:
- name: 🔐 Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: 🆕 Create or update release
uses: google-github-actions/release-please-action@a37ac6e4f6449ce8b3f7607e4d97d0146028dc0b # 4.1.0
id: release
@@ -37,7 +42,13 @@ jobs:
- name: 🔐 Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
fulcio.sigstore.dev:443
github.com:443
registry.npmjs.org:443
rekor.sigstore.dev:443
- name: 🔔 Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # 4.1.2
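Review bot: The harden-runner step added to the release job in the first hunk keeps `egress-policy: audit`, while the publish job in the second hunk moves to `block`, so after this commit one of the two jobs in this workflow still has unrestricted egress despite the "improve egress-policy" intent. If release-please only talks to GitHub, the same shape as the second hunk would apply, `egress-policy: block` with `allowed-endpoints: >` listing `api.github.com:443` and `github.com:443`, but confirm against an audit run first since a missing host fails the release. Separately, the pin comments here read `# 4.1.0` and `# 4.1.2` whereas the other workflows write `# v4.1.2`; normalising to the `v` form keeps the version comments consistent and greppable. Both jobs' remaining steps are outside the hunks.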
5 changes: 4 additions & 1 deletion .github/workflows/semantic-pull-request.yml
@@ -18,7 +18,10 @@ jobs:
- name: 🔐 Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
- name: 🔎 Validate Pull Request format
uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
