ci: align CI configuration

see: https://github.com/loopbackio/cicd/issues/91 see: https://github.com/loopbackio/cicd/issues/90 see: https://github.com/loopbackio/cicd/issues/89 see: https://github.com/loopbackio/cicd/issues/83 see: https://github.com/loopbackio/security/issues/27 see: https://github.com/loopbackio/security/issues/26 see: https://github.com/loopbackio/security/issues/23 see: https://github.com/loopbackio/security/issues/16 Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
2023-11-07 18:27:49 +08:00 · 2023-11-07 18:27:49 +08:00 · 1b9571fb07
parent 9f9baf31c1
commit 1b9571fb07
4 changed files with 1903 additions and 23 deletions
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@ -9,34 +9,49 @@ on:
  schedule:
    - cron: '0 2 * * 1' # At 02:00 on Monday

-env:
-  NODE_OPTIONS: --max-old-space-size=4096
+permissions: {}

 jobs:
  test:
    name: Test
-    timeout-minutes: 15
+    timeout-minutes: 5
    strategy:
      matrix:
        os: [ubuntu-latest]
-        node-version: [16, 18]
+        node-version:
+          - 16
+          - 18
+          - 20
+          - 21
        include:
          - os: macos-latest
-            node-version: 16 # LTS
+            node-version: 20 # LTS
+          - os: windows-latest
+            node-version: 20 # LTS
      fail-fast: false
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        if: ${{ matrix.os == 'ubuntu-latest' }}
        with:
-          fetch-depth: 0
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
        with:
          node-version: ${{ matrix.node-version }}
+          cache: npm
      - name: Bootstrap project
-        run: |
-          npm ci --ignore-scripts
-      - uses: Yuri6037/Action-FakeTTY@v1.1
+        run: npm ci --ignore-scripts --prefer-offline
+      - uses: Yuri6037/Action-FakeTTY@1abc69c7d530815855caedcd73842bae5687c1a6 # v1.1
      - name: Run tests
        run: faketty npm test --ignore-scripts

@ -44,31 +59,102 @@ jobs:
    name: Code Lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
-      - name: Use Node.js 16
-        uses: actions/setup-node@v3
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
        with:
-          node-version: 16
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - name: Use Node.js 20
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        with:
+          node-version: 20
+          cache: 'npm'
      - name: Bootstrap project
        run: |
-          npm ci --ignore-scripts
+          npm ci \
+            --ignore-scripts \
+            --prefer-offline
      - name: Verify code linting
-        run: npm run lint
+        run: npm run lint --ignore-scripts

  commit-lint:
    name: Commit Lint
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request }}
    steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0
-      - name: Use Node.js 16
-        uses: actions/setup-node@v3
+          persist-credentials: false
+      - name: Use Node.js 20
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
        with:
-          node-version: 16
+          node-version: 20
+          cache: npm
      - name: Bootstrap project
        run: |
-          npm ci --ignore-scripts
+          npm ci \
+            --ignore-scripts \
+            --prefer-offline
      - name: Verify commit linting
-        run: npx commitlint --from origin/master --to HEAD --verbose
+        run: |
+          npm exec \
+            --no-install \
+            --package=@commitlint/cli \
+            -- \
+            commitlint \
+              --from=origin/master \
+              --to=HEAD \
+              --verbose
+
+  lockfile-lint:
+    name: Lockfile Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - name: Use Node.js 20
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        with:
+          node-version: 20
+          cache: npm
+      - name: Bootstrap project
+        run: |
+          npm ci \
+            --ignore-scripts \
+            --prefer-offline
+      - name: Verify commit linting
+        run: |
+          npm exec \
+            --no-install \
+            --package=lockfile-lint \
+            -- \
+            lockfile-lint \
+              --path=package-lock.json \
+              --allowed-hosts=npm \
+              --validate-https \
+              --validate-integrity \
+              --validate-package-names
+
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@ -0,0 +1,70 @@
+# Based on `scorecard.yml` Github Actions starter workflow:
+# https://github.com/actions/starter-workflows/blob/b1df8a546ed4d0f27d46aaf2f8ac1118bc522638/code-scanning/scorecard.yml
+
+# This is separate from the CI workflow due to certain restrictions imposed by the GitHub Action action:
+# https://github.com/ossf/scorecard-action/tree/99cc02c8ee27bab5f5f41e79066e0de91d313dec#workflow-restrictions
+# For consistency, we should keep it a separate workflow across all our Github repositories, regardless if it's actually needed.
+
+name: OSSF Scorecard
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule: {}
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '30 6 * * 5'
+  push:
+    branches: [master]
+  # Added for testing the workflow, as PR triggers are currently not supported by the OSSF Scorecard Action.
+  workflow_dispatch: {}
+
+# Declare default permissions as read only.
+# permissions: read-all
+permissions: {}
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        with:
+          disable-sudo: true
+          egress-policy: audit
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: OSSF Scorecard SARIF file
+          path: results.sarif
+          retention-days: 90
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+        with:
+          sarif_file: results.sarif
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -26,12 +26,14 @@
    "strong-globalize": "^6.0.6"
  },
  "devDependencies": {
+    "@commitlint/cli": "^18.2.0",
    "@commitlint/config-conventional": "^18.1.0",
    "@types/express": "^4.17.21",
    "chai": "^4.3.10",
    "eslint": "^8.53.0",
    "eslint-config-loopback": "^13.1.0",
    "express": "^4.18.2",
+    "lockfile-lint": "^4.12.1",
    "mocha": "^10.2.0",
    "supertest": "^6.3.3"
  },