Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 7 additions & 5 deletions .github/workflows/build-and-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@ name: Build & Test

on:
push:
branches: [main]
branches: [main, '*.x']
pull_request:
branches: [main]
branches: [main, '*.x']

# Default token to read-only; jobs widen only what they need.
permissions:
Expand All @@ -21,14 +21,16 @@ jobs:
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup Node
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 20
cache: npm
- name: Check package.json file references
run: node scripts/check-referenced-files.mjs
- run: npm ci
- run: npm run lint
- run: npm run typecheck
Expand All @@ -48,7 +50,7 @@ jobs:
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup Node
Expand All @@ -58,5 +60,5 @@ jobs:
cache: npm
- run: npm ci
- run: npm run build
- run: npx playwright install --with-deps chromium
- run: npx playwright install --with-deps chromium firefox webkit
- run: npm run test:browser
10 changes: 5 additions & 5 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@ name: CodeQL

on:
push:
branches: [main]
branches: [main, '*.x']
pull_request:
branches: [main]
branches: [main, '*.x']
schedule:
- cron: '0 19 * * 4'

Expand All @@ -29,13 +29,13 @@ jobs:
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql/codeql-config.yml
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
35 changes: 0 additions & 35 deletions .github/workflows/publish.yml

This file was deleted.

11 changes: 6 additions & 5 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,12 @@ name: Scorecard supply-chain security
on:
# For the Branch-Protection check; only the default branch is supported.
branch_protection_rule:
# Keeps the Maintained check fresh and re-evaluates after CodeQL has settled.
# Keeps the Maintained check fresh and re-evaluates after CodeQL has settled. Weekly is enough:
# the score signals do not move day to day, and Friday lands just after the Thursday CodeQL run.
schedule:
- cron: '24 17 * * *'
- cron: '24 17 * * 5'
# Lets a maintainer trigger the first run (and re-runs) by hand from the Actions
# tab, instead of waiting for the daily cron - useful to publish the first report.
# tab, instead of waiting for the weekly cron - useful to publish the first report.
workflow_dispatch:
# NOTE: no 'push' trigger on purpose - running at merge time races the CodeQL
# scan of the just-merged commit and makes the SAST check read as unchecked.
Expand All @@ -38,7 +39,7 @@ jobs:
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Run analysis
Expand All @@ -58,6 +59,6 @@ jobs:
path: results.sarif
retention-days: 5
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
sarif_file: results.sarif
11 changes: 10 additions & 1 deletion .github/workflows/sign-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,18 @@ jobs:
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ github.event.release.tag_name }}
persist-credentials: false
# Build the tagged release's dist so we sign exactly what was released
# (and the same bytes slsa-provenance attests), not stale committed dist
# from whatever branch the workflow happened to check out.
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 22
- run: npm ci --ignore-scripts
- run: npm run build
- uses: sigstore/gh-action-sigstore-python@5b79a39c381910c090341a2c9b0bf022c8b387e1 # v3.0.1
with:
inputs: dist/fortify.min.js dist/fortify.js
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/slsa-provenance.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ github.event.release.tag_name }}
persist-credentials: false
Expand All @@ -27,7 +27,7 @@ jobs:
- run: npm ci --ignore-scripts
- run: npm run build
- id: attest
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
with:
subject-path: 'dist/fortify.js,dist/fortify.min.js,dist/fortify.cjs.js,dist/fortify.es.mjs'
- name: Upload provenance to release
Expand Down
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
node_modules/
dist/fortify.cov.*
coverage/
.nyc_output/
*.log
Expand Down
3 changes: 3 additions & 0 deletions CODEOWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# .github/CODEOWNERS
# All changes require review from a core maintainer
* @x00mario
Loading