[StepSecurity] Apply security best practices #179
| name: Forge CI | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| env: | |
| FOUNDRY_PROFILE: ci | |
| jobs: | |
| forge-test: | |
| name: Run Forge Tests and Checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| submodules: recursive | |
| - name: Install Foundry | |
| uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 | |
| with: | |
| version: nightly | |
| - name: Run Forge build | |
| run: | | |
| forge --version | |
| forge build --sizes | |
| id: build | |
| - name: Run Forge tests | |
| run: | | |
| forge test -vvv | |
| id: test | |
| - name: Check formatting | |
| run: | | |
| forge fmt --check | |
| id: fmt | |
| - name: Check snapshot | |
| run: | | |
| forge snapshot --check --tolerance 1 | |
| id: snapshot | |
| forge-coverage: | |
| name: Run Coverage Reporting | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| with: | |
| submodules: recursive | |
| - name: Install Foundry | |
| uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 | |
| with: | |
| version: nightly | |
| - name: Install forge dependencies | |
| run: forge install | |
| - name: Install lcov | |
| run: | | |
| sudo apt-get install lcov | |
| id: lcov | |
| - name: Run coverage | |
| run: | | |
| forge coverage --report summary --report lcov | |
| - name: Prune coverage | |
| run: | | |
| lcov --remove ./lcov.info -o ./lcov-filtered.info 'test/*' 'script/*' 'src/utils/*' | |
| - name: Submit coverage to Coveralls | |
| uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| path-to-lcov: ./lcov-filtered.info | |
| flag-name: foundry | |
| parallel: true | |
| finish: | |
| needs: forge-coverage | |
| if: ${{ always() }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 | |
| with: | |
| egress-policy: audit | |
| - name: Coveralls Finished | |
| uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6 | |
| with: | |
| parallel-finished: true |
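Review bot: The workflow declares no top-level `permissions:` block, so all three jobs run with the repository's default GITHUB_TOKEN scope although only the Coveralls upload step in forge-coverage (`github-token: ${{ secrets.GITHUB_TOKEN }}`) needs the token at all; adding `permissions:` / `  contents: read` after the `env:` block (or per job) keeps a compromised step from writing to the repository. Two of the pins also deserve aligning: forge-coverage checks out with `actions/checkout@f43a0e5f… # v3.6.0` while forge-test uses `# v4.2.2`, and the Coveralls upload is pinned to a `# master` commit while the finish job uses `# v2.3.6`, so the same action resolves to different code in different jobs and the master pin has no release to review against. `version: nightly` for foundry-toolchain is presumably deliberate for a Foundry project, but it is the one remaining unpinned input after this change and is worth a comment saying so.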