Merge branch 'main' into hotfix-return-types-in-funcs

defenseunicorns · Nov 4, 2024 · 17fce81 · 17fce81
2 parents 1b7a990 + cedad18
commit 17fce81
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 13 deletions.
diff --git a/.github/workflows/container-scan.yaml b/.github/workflows/container-scan.yaml
@@ -16,6 +16,10 @@ jobs:
   container-scans:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Use Node.js latest
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -33,8 +37,8 @@ jobs:
           fail-build: true
           severity-cutoff: high
       - name: Generate SBOM
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@251a468eed47e5082b105c3ba6ee500c0e65a764 # v0.17.6
         with:
           image: pepr:dev
           upload-artifact: true
-          upload-artifact-retention: 30
+          upload-artifact-retention: 30
diff --git a/.github/workflows/pepr-excellent-examples.yml b/.github/workflows/pepr-excellent-examples.yml
@@ -187,7 +187,7 @@ jobs:
           npm ci
 
       - name: run e2e tests
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
         with:
           max_attempts: 3
           retry_on: error

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -66,6 +66,10 @@ jobs:
     needs: [slsa]
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
       - name: Set up Node registry authentication
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:

diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
@@ -1,15 +1,22 @@
 name: secret-scan
 on: pull_request
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   secret-scan: # scan for any live secrets in the repository using trufflehog
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+      with:
+        egress-policy: audit
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
     - name: Default Secret Scanning
-      uses: trufflesecurity/trufflehog@main
+      uses: trufflesecurity/trufflehog@e6d786a7d99f05f14327ba8e2ab75aa863b4df3b # main
       with:
-        extra_args: --debug --no-verification # Warn on potential violations
+        extra_args: --debug --no-verification # Warn on potential violations
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/sdk/cosign.e2e.test.ts → src/sdk/cosign.e2e.tezt.ts b/src/sdk/cosign.e2e.test.ts → src/sdk/cosign.e2e.tezt.ts
@@ -58,11 +58,8 @@ const timed = async (msg: string, func: () => Promise<any>) => {
 };
 
 async function builderExists(name: string) {
-  const resultRaw = await cmdStdout(`docker buildx ls --format json`);
-  const result = resultRaw.split("\n").map(m => JSON.parse(m));
-  const found = result.filter(f => f.Name === name).length;
-
-  return !!found;
+  const resultRaw = await cmdStdout(`docker buildx ls`);
+  return resultRaw.includes(name);
 }
 
 enum OS {