Merged
35 changes: 35 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,35 @@
# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions

name: Release

Info IaC Finding

Workflow should have permissions limitations
on resource name

More Details
This rule checks that a GitHub workflow has an empty permissions block to enforce least privilege. This rule fails when the workflow doesn't have a permissions block or has a non-empty permissions block with `write-all` scope, which can grant excessive permissions to workflow actions. Excessive permissions in GitHub workflows increase the risk surface in case of a compromise, potentially allowing attackers to access sensitive resources or perform unauthorized actions. To prevent this risk, always implement least privilege by explicitly defining an empty permissions block for all workflows.

Expected

GitHub workflow should have empty permissions block

Found

GitHub workflow doesn't have a permissions block defined

Security Frameworks: wf-id-175, wf-id-1


Rule ID: f140b9ff-063f-4312-ad25-dca7d00fb913


on:
push:
tags:
- "v*"

jobs:
build:
runs-on: ubuntu-latest

permissions:
id-token: write # Required for OIDC (used for npm publish with Trusted publishing)

Info IaC Finding

Workflow should not have write permissions to sensitive scopes
on resource jobs.build.permissions.id-token

More Details
This rule checks that a GitHub workflow does not use unnecessarily elevated token permissions. This rule fails when a workflow grants write permissions to sensitive scopes like `contents`, `pull-requests`, `packages`, or other privileged operations. Excessive token permissions increase the potential impact of a workflow compromise, allowing attackers to modify repository contents, merge pull requests, or perform other damaging actions. To prevent this risk, always apply the principle of least privilege by restricting token permissions to only what's absolutely necessary for each workflow.

Expected

Job 'build' should not have write permission for 'id-token'

Found

Job 'build' has write permission for sensitive scope 'id-token'

Security Frameworks: wf-id-1, wf-id-175


Rule ID: 88a7f807-7b08-451e-a9b2-7cd83e3a21a3

packages: write

Info IaC Finding

Workflow should not have write permissions to sensitive scopes
on resource jobs.build.permissions.packages

More Details
This rule checks that a GitHub workflow does not use unnecessarily elevated token permissions. This rule fails when a workflow grants write permissions to sensitive scopes like `contents`, `pull-requests`, `packages`, or other privileged operations. Excessive token permissions increase the potential impact of a workflow compromise, allowing attackers to modify repository contents, merge pull requests, or perform other damaging actions. To prevent this risk, always apply the principle of least privilege by restricting token permissions to only what's absolutely necessary for each workflow.

Expected

Job 'build' should not have write permission for 'packages'

Found

Job 'build' has write permission for sensitive scope 'packages'

Security Frameworks: wf-id-1, wf-id-175


Rule ID: 88a7f807-7b08-451e-a9b2-7cd83e3a21a3

contents: write

Info IaC Finding

Workflow should not have write permissions to sensitive scopes
on resource jobs.build.permissions.contents

More Details
This rule checks that a GitHub workflow does not use unnecessarily elevated token permissions. This rule fails when a workflow grants write permissions to sensitive scopes like `contents`, `pull-requests`, `packages`, or other privileged operations. Excessive token permissions increase the potential impact of a workflow compromise, allowing attackers to modify repository contents, merge pull requests, or perform other damaging actions. To prevent this risk, always apply the principle of least privilege by restricting token permissions to only what's absolutely necessary for each workflow.

Expected

Job 'build' should not have write permission for 'contents'

Found

Job 'build' has write permission for sensitive scope 'contents'

Security Frameworks: wf-id-1, wf-id-175


Rule ID: 88a7f807-7b08-451e-a9b2-7cd83e3a21a3


steps:
- uses: actions/checkout@v4

- uses: actions/setup-node@v4
with:
node-version: lts/*
cache: yarn

- run: yarn install --pure-lockfile
- run: yarn prepack

- name: Publish
env:
NPM_CONFIG_PROVENANCE: true
run: |
npm publish --no-git-checks --access public --registry https://registry.npmjs.org
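Review bot: `packages: write` and `contents: write` in the `build` job's permissions block carry no justification, and none of the steps (checkout, setup-node, `yarn install`, `yarn prepack`, `npm publish` to registry.npmjs.org) writes to the repository or to GitHub Packages; the OIDC trusted-publishing flow is covered by the `id-token: write` grant that is commented as required, so drop the other two write scopes (checkout needs only `contents: read`) and add a top-level `permissions: {}` so that no job inherits the default token scopes. Smaller points: the header comment still describes a test workflow rather than a release; `actions/checkout@v4` and `actions/setup-node@v4` are pinned to a mutable tag rather than a commit SHA, which matters in a job that holds a publishing identity; and `--no-git-checks` is a pnpm publish option that npm does not recognise, so it does nothing here.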