From e2a47fa855198c9159bcc335cc7f09ed65202f20 Mon Sep 17 00:00:00 2001
From: Grace Park
Date: Tue, 22 Oct 2024 22:23:18 +0000
Subject: [PATCH 1/3] upgrade node to 22 and add provenance
---
 .github/workflows/node.js.yml | 6 +++---
 .github/workflows/publish.yml | 11 +++++++----
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
index 112b94e..0164208 100644
--- a/.github/workflows/node.js.yml
+++ b/.github/workflows/node.js.yml
@@ -16,13 +16,13 @@ jobs: strategy: matrix: - node-version: [14.x, 15.x] + node-version: [20.x, 22.x] # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} - run: npm ci
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c1b229d..7b520a3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,14 +4,17 @@ on: release: types: [created] +permissions: + id-token: write + jobs: publish-npm: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 with: - node-version: 14 + node-version: 22 registry-url: https://registry.npmjs.org/ cache: npm - run: npm ci
@@ -19,6 +22,6 @@ jobs: - run: npm version ${TAG_NAME} --git-tag-version=false env: TAG_NAME: ${{ github.event.release.tag_name }} - - run: npm whoami; npm --ignore-scripts publish + - run: npm whoami; npm --ignore-scripts publish --provenance env: NODE_AUTH_TOKEN: ${{secrets.npm_token}}
From b90194783bf31fb4eaf611b11b6c38b85d7851a9 Mon Sep 17 00:00:00 2001
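Review bot: The new `permissions:` block granting `id-token: write` in the publish.yml `@@ -4,14 +4,17 @@` hunk sits at the workflow level, so every job in publish.yml may mint OIDC tokens although only `publish-npm` needs that for `--provenance`; as far as the hunk shows it is the only job, so the practical exposure is small today, but placing the block under `publish-npm:` (next to `runs-on:`) keeps the grant with the step that uses it, and the `contents: read` that patch 2/3 adds to the same block would move with it. A comment such as `# id-token: write lets "npm publish --provenance" obtain an OIDC token` would record why the permission exists. Separately, the bumped `- uses: actions/checkout@v4` and `- uses: actions/setup-node@v4` lines here, and the two matching lines in this patch's node.js.yml hunk, reference mutable major tags, so the code that runs next to the npm publish token can change without any commit to this repository. For a workflow that holds a publish secret, pinning each action to a full commit SHA with the version in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`, and letting Dependabot or Renovate refresh the pins is the usual hardening.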
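Review bot: In the new `- run: npm whoami; npm --ignore-scripts publish --provenance` line (publish.yml `@@ -19,6 +22,6 @@` hunk) the `;` lets the publish run even when `npm whoami` fails, so a missing or revoked `npm_token` surfaces as a publish error rather than at the authentication check; `- run: npm whoami && npm --ignore-scripts publish --provenance` makes the check actually gate the publish. `--provenance` also depends on the `id-token: write` permission added earlier in this patch, and a comment on this step such as `# --provenance needs permissions.id-token: write (see top of file)` would keep the two from being separated later. The `publish-npm` job this step belongs to starts above the hunk.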
From: Grace Park
Date: Wed, 23 Oct 2024 08:33:55 -0700
Subject: [PATCH 2/3] Add read permissions to GitHub workflows
---
 .github/workflows/node.js.yml | 3 +++
 .github/workflows/publish.yml | 1 +
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
index 0164208..1eb2c9b 100644
--- a/.github/workflows/node.js.yml
+++ b/.github/workflows/node.js.yml
@@ -9,6 +9,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: build:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7b520a3..4ec5765 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,7 @@ on: types: [created] permissions: + contents: read id-token: write jobs:
From 47f7f8753ac24a22dea9c08101efb1df6dfd4c01 Mon Sep 17 00:00:00 2001
From: Grace Park
Date: Wed, 23 Oct 2024 16:14:17 +0000
Subject: [PATCH 3/3] update read permissions
---
 .github/workflows/node.js.yml | 3 +++
 .github/workflows/publish.yml | 1 +
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
index 0164208..1eb2c9b 100644
--- a/.github/workflows/node.js.yml
+++ b/.github/workflows/node.js.yml
@@ -9,6 +9,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: build:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7b520a3..4ec5765 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,7 @@ on: types: [created] permissions: + contents: read id-token: write jobs:
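Review bot: The node.js.yml hunk of PATCH 3/3 repeats PATCH 2/3 exactly — the same `index 0164208..1eb2c9b` pre/post blobs and the same added `permissions:` / `contents: read` lines — and the publish.yml hunk below it repeats 2/3's `index 7b520a3..4ec5765` hunk in the same way. Applied in sequence, 3/3 cannot apply on top of 2/3 because the pre-image blob 0164208 has already been replaced by 1eb2c9b; either 3/3 is an accidental resend and should be dropped from the series, or the change its subject `update read permissions` describes was never captured in the diff. The commit message gives no hint which, so the author should confirm before the series is merged.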