ci(signatures): audited provenance and signatures of installed packages

semantic-release · Apr 28, 2023 · eab0512 · eab0512
1 parent 2e3d691
commit eab0512
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -23,7 +23,8 @@ jobs:
         with:
           cache: npm
           node-version: lts/*
-      - run: npm ci
+      - run: npm clean-install
+      - run: npm audit signatures
       - run: npx semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -30,7 +30,7 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
-      - run: npm ci
+      - run: npm clean-install
       - run: npm run test:ci
 
   # separate job to set as required in branch protection,
@@ -45,6 +45,7 @@ jobs:
           node-version: "lts/*"
           cache: npm
       - run: npm clean-install
+      - run: npm audit signatures
       - name: Ensure dependencies are compatible with the version of node
         run: npx ls-engines
       - run: npm run lint