# Lints package-lock.json on dependency changes, so that a pull request or a
# push to the release branch cannot quietly change where packages are
# resolved from.
name: Lockfile lint

on:
  # Pull requests: run when the manifest, the lockfile or this workflow
  # itself changes.
  pull_request:
    paths:
      - 'package.json'
      - 'package-lock.json'
      - '.github/workflows/lockfile-lint.yml'
  # Pushes: only the v1.x branch, and only for manifest or lockfile changes.
  push:
    branches:
      - v1.x
    paths:
      - 'package.json'
      - 'package-lock.json'

# The workflow token only needs to read repository contents.
permissions:
  contents: read

jobs:
  lockfile-lint:
    name: Validate package-lock.json
    runs-on: ubuntu-latest
    steps:
      # Actions are referenced by full commit SHA; the trailing comment
      # records the release that SHA corresponds to.
      - name: Checkout repo
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Do not keep the checkout token in the local git config for the
          # steps that follow.
          persist-credentials: false

      - name: Setup node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '26.x'
          registry-url: 'https://registry.npmjs.org'
          # No package-manager cache is restored or saved by this job.
          package-manager-cache: false

      - name: Run lockfile-lint
        # What the flags enforce on package-lock.json:
        #   --validate-https          every resolved URL uses HTTPS
        #   --allowed-hosts npm       every resolved URL is on the npm registry
        #   --validate-integrity      every entry's integrity field is checked
        #   --validate-package-names  resolved URL matches the package name
        #   --empty-hostname false    entries without a hostname are rejected
        # Together these catch a dependency-update PR that swaps in a mirror,
        # uses a git/file: URL, or strips integrity hashes.
        #
        # The linter is fetched by npx at an exact version and is deliberately
        # absent from devDependencies, so a compromised dev tree cannot
        # suppress this check.
        # NOTE(review): the version pin covers lockfile-lint itself; its own
        # dependencies are resolved when npx installs it.
        # NOTE(review): npx runs inside the checked-out tree, so npm
        # configuration committed to the repository may still influence where
        # the tool is fetched from - confirm whether that needs a guard.
        run: >
          npx --yes lockfile-lint@4.14.0
          --type npm
          --path package-lock.json
          --validate-https
          --allowed-hosts npm
          --validate-integrity
          --validate-package-names
          --empty-hostname false