From 8438a226583aa93f8bf9fe36420d3e5f84b50250 Mon Sep 17 00:00:00 2001 From: Kenneth Rosario Date: Fri, 7 Apr 2023 10:43:34 -0700 Subject: [PATCH] chore: address remaining scorecard findings and update ubuntu version (#524) --- .../workflows/buildpack-integration-test.yml | 6 +- .github/workflows/conformance.yml | 140 +++++++++--------- .github/workflows/docs.yml | 34 ++--- .github/workflows/lint.yml | 2 +- 4 files changed, 95 insertions(+), 87 deletions(-) diff --git a/.github/workflows/buildpack-integration-test.yml b/.github/workflows/buildpack-integration-test.yml index f67f91a4..d97264d0 100644 --- a/.github/workflows/buildpack-integration-test.yml +++ b/.github/workflows/buildpack-integration-test.yml @@ -5,6 +5,10 @@ on: branches: - master workflow_dispatch: + +# Declare default permissions as read only. +permissions: read-all + jobs: nodejs10: uses: GoogleCloudPlatform/functions-framework-conformance/.github/workflows/buildpack-integration-test.yml@v1.8.0 @@ -41,4 +45,4 @@ jobs: cloudevent-builder-source: 'test/conformance' cloudevent-builder-target: 'writeCloudEventDeclarative' prerun: 'test/conformance/prerun.sh' - builder-runtime: 'nodejs16' \ No newline at end of file + builder-runtime: 'nodejs16' diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 06f0a7cf..4c784212 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
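Review bot: The new top-level `permissions: read-all` in buildpack-integration-test.yml grants read on every token scope (packages, deployments, security-events, …) while this workflow only needs to check out the repository; the narrower `permissions:` / `contents: read` is what docs.yml in this same patch already declares and is the least-privilege form the scorecard token-permissions check expects. The same `read-all` block is added to conformance.yml in this patch. Since the caller's token is, as far as I recall, the ceiling for a called reusable workflow, narrowing here also constrains the `buildpack-integration-test.yml@v1.8.0` jobs below. That `uses:` reference is a mutable tag rather than a commit SHA, unlike the SHA-pinned actions elsewhere in the patch, which presumably remains an open pinned-dependencies finding — worth confirming before calling the scorecard work finished.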
@@ -1,88 +1,92 @@ name: Node.js Conformance CI -on: +on: push: pull_request: + +# Declare default permissions as read only. +permissions: read-all + jobs: build: - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest strategy: matrix: node-version: [10, 12, 14, 16] steps: - - name: Harden Runner - uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - name: Checkout code - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Checkout code + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 - with: - node-version: ${{ matrix.node-version }} + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + with: + node-version: ${{ matrix.node-version }} - - name: Build Functions Framework - run: npm ci + - name: Build Functions Framework + run: npm ci - - name: Build test project - working-directory: ./test/conformance - run: npm install + - name: Build test project + working-directory: ./test/conformance + run: npm install - - name: Install conformance client - uses: GoogleCloudPlatform/functions-framework-conformance/.github/actions/client/install@1975792fb34ebbfa058d690666186d669d3a5977 # v1.8.0 - with: - client-version: v1.7.0 - cache-path: ~/client - cache-key: conformance-client-v1.7.0 + - name: Install conformance client + uses: GoogleCloudPlatform/functions-framework-conformance/.github/actions/client/install@1975792fb34ebbfa058d690666186d669d3a5977 # v1.8.0 + with: + client-version: v1.7.0 + cache-path: 
~/client + cache-key: conformance-client-v1.7.0 - - name: Run HTTP conformance tests using legacy API - working-directory: 'test/conformance' - run: | - ~/client \ - -type=http \ - -buildpacks=false \ - -cmd="npm start -- --target=writeHttp --signature-type=http" + - name: Run HTTP conformance tests using legacy API + working-directory: 'test/conformance' + run: | + ~/client \ + -type=http \ + -buildpacks=false \ + -cmd="npm start -- --target=writeHttp --signature-type=http" - - name: Run event conformance tests using legacy API - working-directory: 'test/conformance' - run: | - ~/client \ - -type=legacyevent \ - -buildpacks=false \ - -cmd="npm start -- --target=writeLegacyEvent --signature-type=event" + - name: Run event conformance tests using legacy API + working-directory: 'test/conformance' + run: | + ~/client \ + -type=legacyevent \ + -buildpacks=false \ + -cmd="npm start -- --target=writeLegacyEvent --signature-type=event" - - name: Run cloudevent conformance tests using legacy API - working-directory: 'test/conformance' - run: | - ~/client \ - -type=cloudevent \ - -buildpacks=false \ - -cmd="npm start -- --target=writeCloudEvent --signature-type=cloudevent" + - name: Run cloudevent conformance tests using legacy API + working-directory: 'test/conformance' + run: | + ~/client \ + -type=cloudevent \ + -buildpacks=false \ + -cmd="npm start -- --target=writeCloudEvent --signature-type=cloudevent" - - name: Run HTTP conformance tests using declarative API - working-directory: 'test/conformance' - run: | - ~/client \ - -type=http \ - -buildpacks=false \ - -validate-mapping=false \ - -cmd="npm start -- --target=writeHttpDeclarative" + - name: Run HTTP conformance tests using declarative API + working-directory: 'test/conformance' + run: | + ~/client \ + -type=http \ + -buildpacks=false \ + -validate-mapping=false \ + -cmd="npm start -- --target=writeHttpDeclarative" - - name: Run cloudevent conformance tests using declarative API - working-directory: 
'test/conformance' - run: | - ~/client \ - -type=cloudevent \ - -buildpacks=false \ - -validate-mapping=true \ - -cmd="npm start -- --target=writeCloudEventDeclarative" + - name: Run cloudevent conformance tests using declarative API + working-directory: 'test/conformance' + run: | + ~/client \ + -type=cloudevent \ + -buildpacks=false \ + -validate-mapping=true \ + -cmd="npm start -- --target=writeCloudEventDeclarative" - - name: Run HTTP concurrency test - working-directory: 'test/conformance' - run: | - ~/client \ - -type=http \ - -buildpacks=false \ - -validate-concurrency=true \ - -cmd="npm start -- --target=concurrentHttp" + - name: Run HTTP concurrency test + working-directory: 'test/conformance' + run: | + ~/client \ + -type=http \ + -buildpacks=false \ + -validate-concurrency=true \ + -cmd="npm start -- --target=concurrentHttp" diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index a46b79b7..d258be20 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
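Review bot: `runs-on: ubuntu-latest` in the conformance.yml hunk replaces a pinned image with a floating label, so the runner OS can change underneath the SHA-pinned actions the same file is careful to use; pin to a concrete release, `runs-on: ubuntu-22.04`, and bump it deliberately. The same substitution is made in docs.yml and lint.yml further down this patch. The `egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs` line is carried over unchanged on the new side; if the audit runs the TODO waits for have happened since harden-runner was added, this commit would be the natural place to flip it, otherwise the runner still allows all egress and only logs it.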
@@ -2,28 +2,28 @@ name: Node.js Docs CI on: push: branches: - - master + - master pull_request: permissions: contents: read jobs: docs: - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Setup Node.js - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 - with: - node-version: '14' - - name: Install dependencies - run: npm ci - - name: Build docs - run: npm run docs - - name: Ensure there are no changes in docs - run: git diff --exit-code docs/ + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Setup Node.js + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + with: + node-version: '14' + - name: Install dependencies + run: npm ci + - name: Build docs + run: npm run docs + - name: Ensure there are no changes in docs + run: git diff --exit-code docs/ diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 54a87054..e03c054a 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,7 +9,7 @@ permissions: jobs: lint: - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest steps: - name: Harden Runner uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0