generated from myrotvorets/ts-action-template
-
Notifications
You must be signed in to change notification settings - Fork 1
60 lines (50 loc) · 1.42 KB
/
package-audit.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: Package Audit
on:
push:
branches:
- '**'
paths:
- package.json
- package-lock.json
- .github/workflows/package-audit.yml
workflow_dispatch:
permissions:
contents: read
jobs:
audit-npm:
name: NPM Audit
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node.js environment
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: lts/*
- name: Run audit
run: npm audit --omit=dev
provenance:
name: Verify signatures and provenance statements
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node.js environment
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: lts/*
registry-url: https://npm.pkg.github.com
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Update npm
run: npm i -g npm
- name: Run audit
run: npm audit signatures
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}