[StepSecurity] Apply security best practices #18
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Node.js Artifact | |
| on: | |
| pull_request: | |
| types: [opened, reopened, synchronize] | |
| paths: | |
| - 'src/lib.cc' | |
| - '.github/workflows/build-node-artifacts.yml' | |
| - '**/npm/**/Dockerfile' | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| include: | |
| - os: ubuntu-20.04 | |
| platform: linuxmusl-x64 | |
| - os: ubuntu-20.04 | |
| platform: linux-x64 | |
| - os: macos-12 | |
| platform: darwin-x64 | |
| - os: windows-latest | |
| platform: win32-x64 | |
| - os: windows-latest | |
| platform: win32-ia32 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
| with: | |
| node-version: '18' | |
| - name: Create a folder for the tarball | |
| run: mkdir -p release/${{ matrix.PLATFORM }}/lib | |
| - name: Configure and Build projects (Linux) | |
| if: contains(matrix.os, 'ubuntu') | |
| run: | | |
| # Build image | |
| docker build -t ${{ matrix.PLATFORM }} . -f ./npm/${{ matrix.PLATFORM }}/Dockerfile | |
| # Run container | |
| docker run --name ${{ matrix.PLATFORM }} ${{ matrix.PLATFORM }} | |
| - name: Copy .node file from docker container (Linux) | |
| if: contains(matrix.os, 'ubuntu') | |
| env: | |
| source: ${{ matrix.PLATFORM }}:/heif-converter/src/build/Release | |
| destination: ./release/${{ matrix.PLATFORM }}/lib | |
| run: docker cp $source/converter.node $destination/converter.${{ matrix.PLATFORM }}.node | |
| - name: Configure and Build projects (Windows & OSX) | |
| if: "!contains(matrix.os, 'ubuntu')" | |
| run: | | |
| # Build project | |
| npm install --omit-optional | |
| npm run configure | |
| npm run build | |
| # Copy .node in the release folder | |
| cp ./src/build/Release/converter.node ./release/${{ matrix.PLATFORM }}/lib/converter.${{ matrix.PLATFORM }}.node | |
| - name: Copy .dll files for artifacts and tests (Windows) | |
| if: contains(matrix.os, 'windows') | |
| run: | | |
| # Copy for artifact | |
| cp platform/${{ matrix.PLATFORM }}/bin/heif.dll ./release/${{ matrix.PLATFORM }}/lib/heif.dll | |
| cp platform/${{ matrix.PLATFORM }}/bin/turbojpeg.dll ./release/${{ matrix.PLATFORM }}/lib/turbojpeg.dll | |
| cp platform/${{ matrix.PLATFORM }}/bin/libde265.dll ./release/${{ matrix.PLATFORM }}/lib/libde265.dll | |
| cp platform/${{ matrix.PLATFORM }}/bin/libx265.dll ./release/${{ matrix.PLATFORM }}/lib/libx265.dll | |
| cp platform/${{ matrix.PLATFORM }}/bin/libpng16.dll ./release/${{ matrix.PLATFORM }}/lib/libpng16.dll | |
| - name: Run tests | |
| if: "!contains(matrix.os, 'ubuntu')" | |
| run: npm run test | |
| - name: Create tarball of the release folder | |
| run: | | |
| cd ./release | |
| tar -czf ${{ matrix.platform }}.tar.gz * | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1 | |
| with: | |
| name: release | |
| path: ./release/${{ matrix.platform }}.tar.gz |