ci(release): update workflow #1087

Merged
merged 1 commit into from Feb 6, 2024

Fdawgs
Contributor

@Fdawgs Fdawgs commented Feb 6, 2024

This PR:

  • Removes Git credentials/SSH keys after checkout as a security precaution by setting persist-credentials to false. They are not used after the initial checkout, and this stops them from accidentally leaking through a script
  • Declares the minimum permissions for the workflows to run at the job level, following principle of least privilege; see related GitHub security post
  • Removes the cache-dependency-path param from the actions/setup-node action, as if cache is declared then it will use the default path anyway
  • Updates npm publish script to publish with provenance to provide assurance that published package was generated from this repo

@spencermountain
Owner

wow cool! Thank you so much.
I didn't know about any of that stuff. Nice one!

@spencermountain spencermountain merged commit 5fd1b58 into spencermountain:dev Feb 6, 2024
6 checks passed
@Fdawgs Fdawgs deleted the patch-1 branch February 6, 2024 17:33
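
The settings listed in the PR description, put together in a single publish job. This is an added example, not the workflow file changed in this pull request; the workflow name, trigger, Node version, step layout and the `NPM_TOKEN` secret name are assumptions.

```yaml
# Added example, not the project's own release workflow.
name: release                      # hypothetical workflow name
on:
  release:
    types: [published]             # assumed trigger

# Start from no token permissions; each job opts in to what it needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read               # enough for actions/checkout to fetch the repo
      id-token: write              # OIDC token npm needs to sign the provenance statement
    steps:
      - uses: actions/checkout@v4
        with:
          # The default (true) leaves the token in the local git config,
          # where any later step or script in the job can read it.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: lts/*      # assumed version
          cache: npm               # uses the default lockfile lookup; no cache-dependency-path
          registry-url: https://registry.npmjs.org

      - run: npm ci

      # --provenance attaches a signed statement linking the published
      # package to this repository, commit and workflow run.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```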