Skip to content

[GHA] Update OSSF URL in Harden Runner #8009

[GHA] Update OSSF URL in Harden Runner

[GHA] Update OSSF URL in Harden Runner #8009

Workflow file for this run

name: frontend
on:
push:
branches: [master]
pull_request:
branches: [master]
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
lint_build:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [20]
steps:
# See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
# configuring harden-runner and identifying allowed endpoints.
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
*.actions.githubusercontent.com:443
api.github.com:443
github.com:443
registry.npmjs.org:443
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{ matrix.node-version }}
- run: npm ci
- run: npm run fmt-frontend-check
- run: npm run lint
- run: npm run build
test_coverage:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [20]
steps:
# See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
# configuring harden-runner and identifying allowed endpoints.
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
*.actions.githubusercontent.com:443
api.github.com:443
github.com:443
registry.npmjs.org:443
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{ matrix.node-version }}
- run: npm ci
- run: npm run test-frontend:coverage
env:
CI: true
- name: Upload coverage artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
if-no-files-found: error
name: coverage
path: coverage/cobertura-coverage.xml
retention-days: 7
upload_coverage:
needs: test_coverage
runs-on: ubuntu-latest
steps:
# See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
# configuring harden-runner and identifying allowed endpoints.
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
api.codecov.io:443
cli.codecov.io:443
codecov.io:443
github.com:443
storage.googleapis.com:443
uploader.codecov.io:443
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Download coverage artifact
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: coverage
- name: Upload coverage report
uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: true
files: cobertura-coverage.xml
flags: frontend
name: Frontend
docker_build:
runs-on: ubuntu-latest
if: ${{ github.event.type }} == "PullRequest"
steps:
# See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
# configuring harden-runner and identifying allowed endpoints.
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
*.actions.githubusercontent.com:443
auth.docker.io:443
files.pythonhosted.org:443
github.com:443
production.cloudflare.docker.com:443
pypi.org:443
registry-1.docker.io:443
registry.npmjs.org:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Build frontend
run: |
deploy/scripts/build.py --components frontend
shell: bash
- name: Image digest
run: |
docker image inspect combine_frontend:latest -f '{{json .Id}}'
shell: bash