feat(lists): compact my lists hub cards #1418
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: The Sanctum Wards aka Supply Chain | |
| on: | |
| pull_request: | |
| types: [opened, reopened, synchronize, ready_for_review] | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| jobs: | |
| hardened-audit: | |
| if: github.event.pull_request.draft != true | |
| name: Warding the Inner Sanctum | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - name: Sealing the Outbound Gates aka Harden Runner | |
| uses: step-security/harden-runner@v2 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| codeload.github.com:443 | |
| deno.com:443 | |
| dl.deno.land:443 | |
| github.com:443 | |
| jsr.io:443 | |
| npm.jsr.io:443 | |
| registry.npmjs.org:443 | |
| release-assets.githubusercontent.com:443 | |
| - name: Secure the Evidence aka Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Deno Environment | |
| uses: ./.github/actions/setup-deno | |
| - name: Enforce Exact Version Pins aka Forbid Semver Ranges | |
| run: | | |
| set -euo pipefail | |
| OFFENDERS=$( | |
| jq -r ' | |
| (.dependencies // {}) + (.devDependencies // {}) | |
| | to_entries[] | |
| | select(.value | test("^[\\^~]")) | |
| | "\(.key)@\(.value)" | |
| ' projects/client/package.json | |
| ) | |
| if [ -n "$OFFENDERS" ]; then | |
| echo "::error::Non-exact version ranges detected. Pin exact versions." | |
| echo "$OFFENDERS" | |
| exit 1 | |
| fi | |
| - name: Ward Against Allowlist Drift aka Block Silent Postinstall Grants | |
| if: github.event_name == 'pull_request' | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| set -euo pipefail | |
| git fetch origin "${{ github.event.pull_request.base.ref }}" --depth=1 | |
| BEFORE=$(git show "origin/${{ github.event.pull_request.base.ref }}":deno.json | jq '.allowScripts | length') | |
| AFTER=$(jq '.allowScripts | length' deno.json) | |
| if [ "$AFTER" -gt "$BEFORE" ]; then | |
| if gh pr view "$PR_NUMBER" --json labels -q '.labels[].name' | grep -qx 'allowlist-change'; then | |
| echo "allowScripts grew from $BEFORE to $AFTER — label present, allowed." | |
| else | |
| echo "::error::allowScripts grew from $BEFORE to $AFTER without 'allowlist-change' label." | |
| echo "Add the 'allowlist-change' label after manual review of every new entry." | |
| exit 1 | |
| fi | |
| fi | |
| - name: Frozen Install aka Verify Lockfile Integrity | |
| run: deno task install | |
| - name: Verify NPM Provenance aka Audit Signatures | |
| working-directory: projects/client | |
| continue-on-error: true | |
| run: | | |
| set -euo pipefail | |
| if [ -d node_modules ]; then | |
| npm audit signatures || { | |
| echo "::warning::npm audit signatures reported issues. Review before merging." | |
| exit 0 | |
| } | |
| else | |
| echo "::warning::node_modules not present after deno install — skipping signature audit." | |
| fi | |
| dependency-review: | |
| if: github.event_name == 'pull_request' && github.event.pull_request.draft != true | |
| name: The Lockfile Inquisition aka Dependency Review | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Sealing the Outbound Gates aka Harden Runner | |
| uses: step-security/harden-runner@v2 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.deps.dev:443 | |
| api.github.com:443 | |
| codeload.github.com:443 | |
| deno.com:443 | |
| dl.deno.land:443 | |
| github.com:443 | |
| jsr.io:443 | |
| npm.jsr.io:443 | |
| registry.npmjs.org:443 | |
| release-assets.githubusercontent.com:443 | |
| www-api.ibm.com:443 | |
| - name: Secure the Evidence aka Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Scrutinizing the Lockfile Delta aka Dependency Review | |
| uses: actions/dependency-review-action@v4 | |
| with: | |
| fail-on-severity: high | |
| comment-summary-in-pr: on-failure |