mirror of
https://github.com/tenrok/axios.git
synced 2026-06-17 19:21:29 +03:00
Jay
9c2d8fc7e1
* sec: update to using staged publishing * feat: bump all ci versions to either include 26 or run on 26 * test(http): use localhost for HTTPS proxy fixtures
50 lines
1.4 KiB
YAML
50 lines
1.4 KiB
YAML
name: Lockfile lint
|
|
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- 'package.json'
|
|
- 'package-lock.json'
|
|
- '.github/workflows/lockfile-lint.yml'
|
|
push:
|
|
branches: [v1.x]
|
|
paths:
|
|
- 'package.json'
|
|
- 'package-lock.json'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
lockfile-lint:
|
|
name: Validate package-lock.json
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repo
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Setup node
|
|
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: 26.x
|
|
registry-url: 'https://registry.npmjs.org'
|
|
package-manager-cache: false
|
|
|
|
- name: Run lockfile-lint
|
|
# Validates that every resolved URL uses HTTPS on registry.npmjs.org
|
|
# and that every entry carries an integrity hash. Catches swap to a
|
|
# mirror, a git/file: URL, or integrity stripping on a dep-update PR.
|
|
# Pinned by name only (no lockfile-lint in devDependencies) so that a
|
|
# compromised dev tree cannot suppress this check.
|
|
run: >
|
|
npx --yes lockfile-lint@4.14.0
|
|
--type npm
|
|
--path package-lock.json
|
|
--validate-https
|
|
--allowed-hosts npm
|
|
--validate-integrity
|
|
--validate-package-names
|
|
--empty-hostname false
|