@@ -9,7 +9,8 @@ const pullRequestTrustJob = jobBlock("pull-request-trust", "readme-hygiene");
99const readmeHygieneJob = jobBlock ( "readme-hygiene" , "rule-hygiene" ) ;
1010const ruleHygieneJob = jobBlock ( "rule-hygiene" , "issue-template-policy" ) ;
1111const issueTemplatePolicyJob = jobBlock ( "issue-template-policy" , "repo-security" ) ;
12- const repoSecurityJob = jobBlock ( "repo-security" , "awesome-lint" ) ;
12+ const repoSecurityJob = jobBlock ( "repo-security" , "test" ) ;
13+ const testJob = jobBlock ( "test" , "awesome-lint" ) ;
1314const awesomeLintJob = workflow . slice ( workflow . indexOf ( " awesome-lint:" ) ) ;
1415
1516function jobBlock ( jobName , nextJobName ) {
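Review bot: `jobBlock("test", "awesome-lint")` on the new line 13 makes every later testJob assertion depend on the test job being written immediately before awesome-lint in the YAML; if another job is inserted between them the slice silently grows to cover it, and matches such as `persist-credentials: false` can then come from the wrong job. jobBlock's body continues outside the hunk, so I cannot see whether it guards against that. If it does not, a single check that the slice holds exactly one job header (indent as the workflow uses it), e.g. `assert.equal((testJob.match(/^\s{2}[\w-]+:$/gm) ?? []).length, 1);`, would catch the drift.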
@@ -104,6 +105,16 @@ test("workflow has an explicit awesome-lint job for every pull request", () => {
104105 assert . match ( workflow , / ^ p u l l _ r e q u e s t : \n \s + b r a n c h e s : \s + \[ m a i n \] $ / m) ;
105106} ) ;
106107
108+ test ( "workflow has an explicit test job for pull requests and pushes" , ( ) => {
109+ assert . match ( testJob , / ^ t e s t : \n \s + r u n s - o n : \s + u b u n t u - l a t e s t $ / m) ;
110+ assert . match ( testJob , / i f : \s + g i t h u b \. e v e n t _ n a m e = = ' p u l l _ r e q u e s t ' \| \| g i t h u b \. e v e n t _ n a m e = = ' p u s h ' / ) ;
111+ assert . doesNotMatch ( testJob , / p u l l _ r e q u e s t _ t a r g e t / ) ;
112+ assert . match ( testJob , / p e r s i s t - c r e d e n t i a l s : \s + f a l s e / ) ;
113+ assert . match ( testJob , / c o r e p a c k p r e p a r e p n p m @ 1 0 \. 2 0 \. 0 - - a c t i v a t e / ) ;
114+ assert . match ( testJob , / p n p m i n s t a l l - - f r o z e n - l o c k f i l e / ) ;
115+ assert . match ( testJob , / p n p m t e s t / ) ;
116+ } ) ;
117+
107118test ( "trusted PR gates do not execute contributor-controlled code" , ( ) => {
108119 for ( const job of [ readmeHygieneJob , ruleHygieneJob , issueTemplatePolicyJob , repoSecurityJob ] ) {
109120 assert . match ( job , / p a t h : \s + p r / ) ;
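Review bot: The new test-job assertions (new lines 109–115) pin the trigger, the absence of pull_request_target and persist-credentials, but nothing pins the job's token scope, so a later edit could give write permissions or a secret to the one job that runs contributor code without failing this test. I would add `assert.match(testJob, /permissions:\s*\n\s+contents:\s+read/);` and `assert.doesNotMatch(testJob, /secrets\./);`; if permissions are declared only at workflow level, the first check belongs on `workflow` instead (the top of the file is outside the hunk). The following test deliberately leaves testJob out of the trusted-gates list; a one-line comment there saying it is the job that intentionally executes PR code would keep the omission from being "fixed" later.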
@@ -119,7 +130,7 @@ test("the old bundled repo-hygiene check is not a required PR concern", () => {
119130
120131test ( "pull requests run trusted awesome-list checks" , ( ) => {
121132 assert . match ( workflow , / n o d e \. t r u s t e d - b a s e \/ s c r i p t s \/ c h e c k - a w e s o m e - l i s t \. m j s - - r o o t " \$ G I T H U B _ W O R K S P A C E " / ) ;
122- assert . match ( workflow , / p n p m d l x a w e s o m e - l i n t " \$ G I T H U B _ W O R K S P A C E \/ R E A D M E \. m d " / ) ;
133+ assert . match ( workflow , / p n p m d l x a w e s o m e - l i n t @ 2 \. 3 \. 0 " \$ G I T H U B _ W O R K S P A C E \/ R E A D M E \. m d " / ) ;
123134} ) ;
124135
125136test ( "pushes run local awesome-list checks" , ( ) => {
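Review bot: Pinning `awesome-lint@2.3.0` (new line 133) fixes the version but not the content: `pnpm dlx` resolves the package from the registry at run time, so this assertion does not give the trusted PR check the integrity guarantee that `pnpm install --frozen-lockfile` gives the test job. If reproducibility of that gate matters, declaring awesome-lint as a devDependency and running it from the lockfile, then asserting on that invocation, is the stronger check; hunk 4 repeats the same regex on awesomeLintJob and would change together with it.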
@@ -128,6 +139,17 @@ test("pushes run local awesome-list checks", () => {
128139 assert . match ( workflow , / p n p m r u n c h e c k : a w e s o m e - l i s t : u p s t r e a m / ) ;
129140} ) ;
130141
142+ test ( "awesome-lint job uses pinned package code without persistent checkout credentials" , ( ) => {
143+ const checkoutSteps = awesomeLintJob . match ( / u s e s : \s + a c t i o n s \/ c h e c k o u t @ [ a - f 0 - 9 ] { 40 } \s + # \s + v 4 [ \s \S ] * ?(? = \n \s + - u s e s : | \n \s + - n a m e : | $ ) / g) ?? [ ] ;
144+ assert . equal ( checkoutSteps . length , 2 ) ;
145+
146+ for ( const step of checkoutSteps ) {
147+ assert . match ( step , / p e r s i s t - c r e d e n t i a l s : \s + f a l s e / ) ;
148+ }
149+
150+ assert . match ( awesomeLintJob , / p n p m d l x a w e s o m e - l i n t @ 2 \. 3 \. 0 " \$ G I T H U B _ W O R K S P A C E \/ R E A D M E \. m d " / ) ;
151+ } ) ;
152+
131153test ( "external GitHub Actions are pinned to full commit SHAs" , ( ) => {
132154 const usesLines = workflow . match ( / ^ \s * u s e s : \s + .+ $ / gm) ?? [ ] ;
133155 assert . ok ( usesLines . length > 0 ) ;
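Review bot: The step-boundary lookahead in the checkoutSteps regex (new line 143) stops only at a following `- uses:`, `- name:` or end of input, so a checkout step followed by a step that begins with another key (`- id:`, `- run:`) is extended over that step, and the `persist-credentials: false` assertion in the loop can be satisfied by text outside the checkout step's `with:` block. Stopping at any next list item is tighter: `(?=\n\s+- \w+:|$)`. The `$` alternative has no `m` flag, so it matches only end of input; that is right here only because awesomeLintJob is the tail of the workflow, which deserves a short comment above the regex.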