---
# Dependency audit for this npm package. Two independent jobs: one runs the
# npm vulnerability audit, the other verifies registry signatures and
# provenance attestations for the installed dependency tree.
name: Package Audit

on:
  push:
    branches:
      - "**"
    # Only the dependency manifests (and this workflow itself) trigger a run.
    paths:
      - package.json
      - package-lock.json
      - .github/workflows/package-audit.yml
  # Manual trigger, no inputs.
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN; a job widens this explicitly
# only where it needs more.
permissions:
  contents: read

jobs:
  audit-npm:
    name: NPM Audit
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
        with:
          disable-sudo: true
          # Egress allowlist: the job may only reach GitHub and the npm registries.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            npm.pkg.github.com:443
            pkg-npm.githubusercontent.com:443
            registry.npmjs.org:443

      - name: Audit with NPM
        # NOTE(review): mutable ref. Every other action in this file is pinned to a
        # commit SHA; this one resolves to whatever `master` points at when the job
        # runs, so it does not get the same supply-chain guarantee.
        uses: myrotvorets/composite-actions/node-package-audit@master

  provenance:
    name: Verify signatures and provenance statements
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required to read packages from npm.pkg.github.com with GITHUB_TOKEN.
      packages: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
        with:
          disable-sudo: true
          # Same allowlist as audit-npm plus the Sigstore TUF CDN (presumably the
          # trust root that `npm audit signatures` fetches -- confirm if it changes).
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            npm.pkg.github.com:443
            pkg-npm.githubusercontent.com:443
            registry.npmjs.org:443
            tuf-repo-cdn.sigstore.dev:443

      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Setup Node.js environment
        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
        with:
          node-version: lts/*
          # Installs resolve against GitHub Packages; the token below authenticates.
          registry-url: https://npm.pkg.github.com
          cache: npm

      - name: Install dependencies
        # --ignore-scripts: no package lifecycle scripts execute before the
        # dependency tree has been verified by the audit step.
        run: npm ci --ignore-scripts
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Update npm
        # NOTE(review): not version-pinned -- this installs whatever npm the
        # registry currently serves, at run time, ahead of the verification step.
        run: npm i -g npm

      - name: Run audit
        # Verifies registry signatures and provenance attestations of every
        # installed package; fails the job if any cannot be verified.
        run: npm audit signatures
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}