Improve the security of the action by fixing Zizmor errors (#26) #6
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI checks | |
| on: | |
| push: | |
| branches: ["main"] | |
| pull_request: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: false | |
| permissions: | |
| contents: read # Needs to read repo to run CI checks | |
| jobs: | |
| test: | |
| name: Unit test | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Configure credentials | |
| uses: tracebit-com/tracebit-community-action@d0a68cb29196eafce908de76ec596a7e9ca049da | |
| with: | |
| customer-id: ${{ vars.SECURITY_CUSTOMER_ID }} | |
| api-token: ${{ secrets.SECURITY_API_TOKEN }} | |
| profile: administrator | |
| profile-region: us-east-1 | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | |
| with: | |
| persist-credentials: false | |
| - name: Setup Bun | |
| uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 | |
| with: | |
| bun-version: "1.3.8" | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| - name: Run tests | |
| run: bun run test | |
| bundle-check: | |
| name: Bundle check | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Configure credentials | |
| uses: tracebit-com/tracebit-community-action@d0a68cb29196eafce908de76ec596a7e9ca049da | |
| with: | |
| customer-id: ${{ vars.SECURITY_CUSTOMER_ID }} | |
| api-token: ${{ secrets.SECURITY_API_TOKEN }} | |
| profile: administrator | |
| profile-region: us-east-1 | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | |
| with: | |
| persist-credentials: false | |
| - name: Setup Bun | |
| uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 | |
| with: | |
| bun-version: "latest" | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| - name: Rebuild bundle | |
| run: bun run build | |
| - name: Verify bundle is up to date | |
| run: | | |
| if ! git diff --exit-code -- dist/index.js; then | |
| echo "Bundle is out of date. Run 'bun run build' and commit result." | |
| BUN_VERSION=$(bun --version) | |
| echo "You might need to 'bun upgrade' your local bun version to $BUN_VERSION before running 'bun run build'." | |
| exit 1 | |
| fi |