fix: fixed found audit fixes, updated ci pipeline

anolilab · Jun 11, 2024 · 491542b · 491542b
1 parent c6a767a
commit 491542b
Show file tree

Hide file tree

Showing 4 changed files with 159 additions and 99 deletions.
diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
@@ -51,39 +51,17 @@ jobs:
                   GIT_AUTHOR_NAME: "GitHub Actions Shell"
                   EMAIL: "github-actions[bot]@users.noreply.github.com"
 
-            - uses: "pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d" # v3.0.0
+            - name: "Setup resources and environment"
+              id: "setup"
+              uses: "anolilab/workflows/step/setup@main"
               with:
-                  version: 8
-                  run_install: false
-
-            - name: "Use Node.js 20.x"
-              uses: "actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8" # v4.0.2
-              with:
-                  node-version: "20.x"
-                  cache: "pnpm"
-
-            # @see: npm install -g npm@latest is necessary to make provenance available. More info: https://docs.npmjs.com/generating-provenance-statements
-            - name: "Upgrade npm to latest version"
-              run: "npm install --global npm@9.6.x"
-              env:
-                  SKIP_CHECK: "true"
-
-            - name: "Check npm version"
-              run: "npm -v"
-              env:
-                  SKIP_CHECK: "true"
-
-            - name: "Install packages"
-              run: "pnpm install --frozen-lockfile"
-              env:
-                  SKIP_BUILD: "true"
+                  node-version: "20"
+                  install-bun: false
+                  enable-nx-cache: false
 
             - name: "Verify the integrity of provenance attestations and registry signatures for installed dependencies"
               run: "npm audit signatures"
 
-            - name: "npm v8.5+ requires workspaces-update to be set to false"
-              run: "echo 'workspaces-update=false' >> .npmrc"
-
             - name: "Semantic Release"
               if: "success()"
               env:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -36,22 +36,13 @@ jobs:
                   GIT_AUTHOR_NAME: "GitHub Actions Shell"
                   EMAIL: "github-actions[bot]@users.noreply.github.com"
 
-            - uses: "pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d" # v3.0.0
-              with:
-                  version: 8
-                  run_install: false
-
-            - name: "Set node version to 20"
-              uses: "actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8" # v4.0.2
+            - name: "Setup resources and environment"
+              id: "setup"
+              uses: "anolilab/workflows/step/setup@main"
               with:
                   node-version: "20"
-                  cache: "pnpm"
-
-            - name: "Install packages"
-              run: "pnpm install --frozen-lockfile"
-              env:
-                  SKIP_CHECK: "true"
-                  SKIP_BUILD: "true"
+                  install-bun: false
+                  enable-nx-cache: false
 
             - name: "Test"
               run: "pnpm run test"
diff --git a/package.json b/package.json
@@ -40,15 +40,15 @@
         "LICENSE.md"
     ],
     "scripts": {
-        "audit": "pnpm dlx audit-ci@^6 --config ./audit-ci.jsonc",
+        "audit": "audit-ci --config ./audit-ci.jsonc",
         "preinstall": "node verify-node-version.cjs && npx only-allow pnpm",
         "lint:prettier": "prettier --config=.prettierrc.cjs --check '*.{json,yml,yaml,js,ts}'",
         "lint:prettier:fix": "prettier --config=.prettierrc.cjs --write '*.{json,yml,yaml,js,ts}'",
         "lint:secrets": "secretlint **/*",
         "lint:staged": "lint-staged --verbose --concurrent false --debug",
         "lint:text": "textlint ./.github/ ./README.md ./UPGRADE.md --parallel --experimental --cache --dry-run",
         "lint:text:fix": "textlint ./.github/ ./README.md ./UPGRADE.md --parallel --experimental --fix",
-        "prepare": "is-ci || husky install || exit 0",
+        "prepare": "is-ci || husky || exit 0",
         "sort-package-json": "sort-package-json ./package.json",
         "test": "renovate-config-validator default.json",
         "update:deps": "taze"
@@ -62,6 +62,7 @@
         "@commitlint/cli": "^19.3.0",
         "@commitlint/config-conventional": "^19.2.2",
         "@secretlint/secretlint-rule-preset-recommend": "^8.2.4",
+        "audit-ci": "^7.0.1",
         "husky": "^9.0.11",
         "is-ci": "^3.0.1",
         "lint-staged": "^15.2.6",
@@ -80,5 +81,12 @@
     "publishConfig": {
         "access": "restricted",
         "provenance": true
+    },
+    "pnpm": {
+        "overrides": {
+            "chrono-node@<2.2.4": ">=2.2.4",
+            "tar@<6.2.1": ">=6.2.1",
+            "braces@<3.0.3": ">=3.0.3"
+        }
     }
 }