Alex
0d9fae4c3a
Build: Limit permissions for GitHub workflows
...
Add explicit permissions section[^1] to workflows. This is a security
best practice because by default workflows run with extended set
of permissions[^2] (except from `on: pull_request` from external forks[^3].
By specifying any permission explicitly all others are set to none. By using
the principle of least privilege the damage a compromised workflow can do
(because of an injection[^4] or compromised third party tool or action) is
restricted. It is recommended to have most strict permissions on the top
level[^5] and grant write permissions on job level[^6] on a case by case
basis.
[^1]: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
[^2]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
[^3]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
[^4]: https://securitylab.github.com/research/github-actions-untrusted-input/
[^5]: https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
[^6]: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Closes gh-5119
(cherry picked from commit c909d6b1ff
)
2022-12-01 14:27:11 +01:00
Michał Gołębiowski-Owczarek
f4809f9b4a
Build: Test on Node.js 18 & 19, stop testing on Node 12
...
Closes gh-5161
2022-11-17 13:22:38 +01:00
dependabot[bot]
28241b7f92
Build: Bump actions/setup-node from 3.5.0 to 3.5.1
...
Bumps [actions/setup-node](https://github.com/actions/setup-node ) from 3.5.0 to 3.5.1.
- [Release notes](https://github.com/actions/setup-node/releases )
- [Commits](https://github.com/actions/setup-node/compare/v3.5.0...v3.5.1 )
Closes gh-5153
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 0208224b5b
)
2022-11-01 20:59:39 +01:00
dependabot[bot]
9eb47cceba
Build: Bump actions/setup-node from 3.4.1 to 3.5.0
...
Bumps [actions/setup-node](https://github.com/actions/setup-node ) from 3.4.1 to 3.5.0.
- [Release notes](https://github.com/actions/setup-node/releases )
- [Commits](https://github.com/actions/setup-node/compare/v3.4.1...v3.5.0 )
Closes gh-5133
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 25400750fb
)
2022-10-03 16:59:45 +02:00
dependabot[bot]
f14064cabf
Upgrade: Bump actions/setup-node from 3.3.0 to 3.4.1
...
Bumps [actions/setup-node](https://github.com/actions/setup-node ) from 3.3.0 to 3.4.1.
- [Release notes](https://github.com/actions/setup-node/releases )
- [Commits](https://github.com/actions/setup-node/compare/v3.3.0...v3.4.1 )
Closes gh-5078
(cherry picked from commit 78321f078c
)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-09-12 15:47:46 +02:00
Michał Gołębiowski-Owczarek
0f6c3d9efc
Build: Update GitHub Actions
...
* Build(deps): Bump actions/cache from 2 to 3
Bumps [actions/cache](https://github.com/actions/cache ) from 2 to 3.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](https://github.com/actions/cache/compare/v2...v3 )
---
updated-dependencies:
- dependency-name: actions/cache
dependency-type: direct:production
update-type: version-update:semver-major
...
* Build(deps): Bump actions/setup-node from 2.1.2 to 3.3.0
Bumps [actions/setup-node](https://github.com/actions/setup-node ) from 2.1.2 to 3.3.0.
- [Release notes](https://github.com/actions/setup-node/releases )
- [Commits](https://github.com/actions/setup-node/compare/v2.1.2...v3.3.0 )
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-type: direct:production
update-type: version-update:semver-major
...
* Build(deps): Bump actions/checkout from 2 to 3
Bumps [actions/checkout](https://github.com/actions/checkout ) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v2...v3 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Closes gh-5067
(cherry picked from commit 52f452b2e8
)
2022-06-27 18:59:57 +02:00
Michał Gołębiowski-Owczarek
9bc0df70be
Build: Test on Node 17, update Grunt & karma-*
packages
...
This adds testing on Node.js 17 in addition to the currently tested 10, 12, 14
and 16 versions.
Also, update Grunt & `karma-*` packages.
Testing in Karma on jsdom is broken in Node 17 at the moment; until we find
a fix, this change disables such testing on Node 17 or newer.
Node smoke tests & promises aplus tests are disabled on Node.js 10 as they
depend on jsdom and the latest jsdom version doesn't run properly on Node 10.
Closes gh-5023
(cherry picked from commit 2525cffc42
)
2022-03-14 18:31:49 +01:00
Michał Gołębiowski-Owczarek
cb35067f1b
Build: Separate the install step from running tests in GitHub Actions
...
Also, update the "Run test" label to "Run tests".
Closes gh-4992
(cherry picked from commit eef972508c
)
2022-01-04 16:34:40 +01:00
ygj6
b39cfa1505
Build: Migrate CI to GitHub Actions
...
Closes gh-4800
(cherry picked from commit e23190e63c
)
2021-12-01 00:03:59 +01:00