keii.dev / nodejs.org
The Node.js® Website
fork atom

[StepSecurity] Apply security best practices (#6142)

Co-authored-by: Claudio Wunder <cwunder@hubspot.com>

authored by

StepSecurity Bot
Claudio Wunder and committed by
GitHub dec347f8 dcde9f0a

+136
unified split
+5
.github/workflows/build.yml
··· 45 os: [ubuntu-latest, windows-latest] 46 47 steps: 48 - name: Provide Turborepo Arguments 49 # This step is responsible for providing a reusable string that can be used within other steps and jobs 50 # that use the `turbo` cli command as a way of easily providing shared arguments to the `turbo` command
··· 45 os: [ubuntu-latest, windows-latest] 46 47 steps: 48 + - name: Harden Runner 49 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 50 + with: 51 + egress-policy: audit 52 + 53 - name: Provide Turborepo Arguments 54 # This step is responsible for providing a reusable string that can be used within other steps and jobs 55 # that use the `turbo` cli command as a way of easily providing shared arguments to the `turbo` command
+78
.github/workflows/codeql.yml
···
··· 1 + # For most projects, this workflow file will not need changing; you simply need 2 + # to commit it to your repository. 3 + # 4 + # You may wish to alter this file to override the set of languages analyzed, 5 + # or to provide custom queries or build logic. 6 + # 7 + # ******** NOTE ******** 8 + # We have attempted to detect the languages in your repository. Please check 9 + # the `language` matrix defined below to confirm you have the correct set of 10 + # supported CodeQL languages. 11 + # 12 + name: 'CodeQL' 13 + 14 + on: 15 + push: 16 + branches: ['main'] 17 + pull_request: 18 + # The branches below must be a subset of the branches above 19 + branches: ['main'] 20 + schedule: 21 + - cron: '0 0 * * 1' 22 + 23 + permissions: 24 + contents: read 25 + 26 + jobs: 27 + analyze: 28 + name: Analyze 29 + runs-on: ubuntu-latest 30 + permissions: 31 + actions: read 32 + contents: read 33 + security-events: write 34 + 35 + strategy: 36 + fail-fast: false 37 + matrix: 38 + language: ['javascript', 'typescript'] 39 + # CodeQL supports [ $supported-codeql-languages ] 40 + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support 41 + 42 + steps: 43 + - name: Harden Runner 44 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 45 + with: 46 + egress-policy: audit 47 + 48 + - name: Checkout repository 49 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 50 + 51 + # Initializes the CodeQL tools for scanning. 52 + - name: Initialize CodeQL 53 + uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 54 + with: 55 + languages: ${{ matrix.language }} 56 + # If you wish to specify custom queries, you can do so here or in a config file. 57 + # By default, queries listed here will override any specified in a config file. 58 + # Prefix the list here with "+" to use these queries and those in the config file. 59 + 60 + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 61 + # If this step fails, then you should remove it and run the build manually (see below) 62 + - name: Autobuild 63 + uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 64 + 65 + # ℹ️ Command-line programs to run using the OS shell. 66 + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun 67 + 68 + # If the Autobuild fails above, remove it and uncomment the following three lines. 69 + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 70 + 71 + # - run: | 72 + # echo "Run, Build Application using script" 73 + # ./location_of_script_within_repo/buildscript.sh 74 + 75 + - name: Perform CodeQL Analysis 76 + uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 77 + with: 78 + category: '/language:${{matrix.language}}'
+5
.github/workflows/lighthouse.yml
··· 37 runs-on: ubuntu-latest 38 39 steps: 40 - name: Git Checkout 41 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 42 with:
··· 37 runs-on: ubuntu-latest 38 39 steps: 40 + - name: Harden Runner 41 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 42 + with: 43 + egress-policy: audit 44 + 45 - name: Git Checkout 46 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 47 with:
+15
.github/workflows/lint-and-tests.yml
··· 36 turbo_args: ${{ steps.turborepo_arguments.outputs.turbo_args }} 37 38 steps: 39 - name: Provide Turborepo Arguments 40 # This step is responsible for providing a reusable string that can be used within other steps and jobs 41 # that use the `turbo` cli command as a way of easily providing shared arguments to the `turbo` command ··· 60 needs: [base] 61 62 steps: 63 - name: Git Checkout 64 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 65 with: ··· 170 url: ${{ steps.chromatic-deploy.outputs.storybookUrl }} 171 172 steps: 173 - name: Git Checkout 174 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 175 with:
··· 36 turbo_args: ${{ steps.turborepo_arguments.outputs.turbo_args }} 37 38 steps: 39 + - name: Harden Runner 40 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 41 + with: 42 + egress-policy: audit 43 + 44 - name: Provide Turborepo Arguments 45 # This step is responsible for providing a reusable string that can be used within other steps and jobs 46 # that use the `turbo` cli command as a way of easily providing shared arguments to the `turbo` command ··· 65 needs: [base] 66 67 steps: 68 + - name: Harden Runner 69 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 70 + with: 71 + egress-policy: audit 72 + 73 - name: Git Checkout 74 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 75 with: ··· 180 url: ${{ steps.chromatic-deploy.outputs.storybookUrl }} 181 182 steps: 183 + - name: Harden Runner 184 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 185 + with: 186 + egress-policy: audit 187 + 188 - name: Git Checkout 189 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 190 with:
+5
.github/workflows/pull-request-label.yml
··· 30 name: Remove Pull Request Label 31 runs-on: ubuntu-latest 32 steps: 33 - name: Remove GitHub Actions Label 34 uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0 35 with:
··· 30 name: Remove Pull Request Label 31 runs-on: ubuntu-latest 32 steps: 33 + - name: Harden Runner 34 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 35 + with: 36 + egress-policy: audit 37 + 38 - name: Remove GitHub Actions Label 39 uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0 40 with:
+10
.github/workflows/translations-pr.yml
··· 33 runs-on: ubuntu-latest 34 35 steps: 36 - uses: thollander/actions-comment-pull-request@1d3973dc4b8e1399c0620d3f2b1aa5e795465308 # v2.4.3 37 with: 38 message: | ··· 55 runs-on: ubuntu-latest 56 57 steps: 58 - name: Git Checkout 59 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 60 with:
··· 33 runs-on: ubuntu-latest 34 35 steps: 36 + - name: Harden Runner 37 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 38 + with: 39 + egress-policy: audit 40 + 41 - uses: thollander/actions-comment-pull-request@1d3973dc4b8e1399c0620d3f2b1aa5e795465308 # v2.4.3 42 with: 43 message: | ··· 60 runs-on: ubuntu-latest 61 62 steps: 63 + - name: Harden Runner 64 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 65 + with: 66 + egress-policy: audit 67 + 68 - name: Git Checkout 69 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 70 with:
+18
.pre-commit-config.yaml
···
··· 1 + repos: 2 + - repo: https://github.com/gitleaks/gitleaks 3 + rev: v8.16.3 4 + hooks: 5 + - id: gitleaks 6 + - repo: https://github.com/jumanjihouse/pre-commit-hooks 7 + rev: 3.0.0 8 + hooks: 9 + - id: shellcheck 10 + - repo: https://github.com/pre-commit/mirrors-eslint 11 + rev: v8.38.0 12 + hooks: 13 + - id: eslint 14 + - repo: https://github.com/pre-commit/pre-commit-hooks 15 + rev: v4.4.0 16 + hooks: 17 + - id: end-of-file-fixer 18 + - id: trailing-whitespace