ci(dependencies): audited signatures and provenance attestations of installed packages

2023-04-21 16:39:54 -05:00 · 2023-04-21 16:39:54 -05:00 · ef998acd4d
commit ef998acd4d
parent 278d8e6bec
2 changed files with 3 additions and 1 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -23,7 +23,8 @@ jobs:
        with:
          cache: npm
          node-version: lts/*
-      - run: npm ci
+      - run: npm clean-install
+      - run: npm audit signatures
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -36,6 +36,7 @@ jobs:
          node-version: ${{ matrix.node-version }}
          cache: npm
      - run: npm clean-install
+      - run: npm audit signatures
      - name: Ensure dependencies are compatible with the version of node
        run: npx ls-engines
      - run: npm run test:ci