fix(no-release): blocked network from ci and release workflows (#44)

codeismyid · web-flow · commit e3a7cdd58eb3 · 2026-04-24T17:16:12.000+07:00
Add allowed-endpoints: 
- release-assets.githubusercontent.com:443
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -3,10 +3,10 @@ name: CI
 on:
   push:
     branches:
-      - "*"
+      - "**"
   pull_request:
     branches:
-      - "*"
+      - "**"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -30,25 +30,20 @@ jobs:
             github.com:443
             objects.githubusercontent.com:443
             registry.npmjs.org:443
+            release-assets.githubusercontent.com:443
 
       - name: Git checkout
         if: github.event_name == 'push'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
-          sparse-checkout: |
-            .
-            src
           persist-credentials: false
 
       - name: Git checkout (full-history)
         if: github.event_name == 'pull_request'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-          sparse-checkout: |
-            .
-            src
           ref: ${{ github.head_ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           persist-credentials: false
@@ -86,28 +81,17 @@ jobs:
       - name: Git checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          fetch-depth: ${{ github.event_name == 'pull_request' && 1 || 2 }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          fetch-depth: 1
           persist-credentials: false
 
-      - name: Run check (push)
-        if: github.event_name == 'push'
-        uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 # v4.6.0
-        with:
-          allow-licenses: MIT, ISC, CC0-1.0, Apache-2.0, BSD-3-Clause, Unlicense
-          head-ref: ${{ github.sha }}
-          base-ref: ${{ github.event.before }}
-          fail-on-severity: low
-          comment-summary-in-pr: never
-          warn-on-openssf-scorecard-level: 3
-
-      - name: Run check (pull_request)
-        if: github.event_name == 'pull_request'
+      - name: Run dependency review
         uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 # v4.6.0
         with:
           allow-licenses: MIT, ISC, CC0-1.0, Apache-2.0, BSD-3-Clause, Unlicense
-          fail-on-severity: low
-          comment-summary-in-pr: on-failure
+          head-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+          base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.repository.default_branch }}
+          fail-on-severity: moderate
+          comment-summary-in-pr: ${{ github.event_name == 'pull_request' && 'on-failure' || 'never' }}
           warn-on-openssf-scorecard-level: 3
 
   format:
@@ -125,6 +109,7 @@ jobs:
             objects.githubusercontent.com:443
             raw.githubusercontent.com:443
             registry.npmjs.org:443
+            release-assets.githubusercontent.com:443
 
       - name: Git checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -158,6 +143,7 @@ jobs:
             objects.githubusercontent.com:443
             registry.npmjs.org:443
             storage.googleapis.com:443
+            release-assets.githubusercontent.com:443
 
       - name: Git checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -179,11 +165,13 @@ jobs:
         uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
         with:
           fail_ci_if_error: true
+          verbose: true
 
       - name: Upload test result
         uses: codecov/test-results-action@f2dba722c67b86c6caa034178c6e4d35335f6706 # v1.1.0
         with:
           fail_ci_if_error: true
+          verbose: true
 
   type:
     name: Type check
@@ -201,6 +189,7 @@ jobs:
             objects.githubusercontent.com:443
             raw.githubusercontent.com:443
             registry.npmjs.org:443
+            release-assets.githubusercontent.com:443
 
       - name: Git checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -42,6 +42,7 @@ jobs:
             github.com:443
             objects.githubusercontent.com
             uploads.github.com:443
+            release-assets.githubusercontent.com:443
 
       - name: Git checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -38,6 +38,7 @@ jobs:
             rekor.sigstore.dev:443
             tuf-repo-cdn.sigstore.dev:443
             uploads.github.com:443
+            release-assets.githubusercontent.com:443
 
       - name: Git checkout (full-history)
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/__tests__/src/blueprints/Formatter.spec.ts b/__tests__/src/blueprints/Formatter.spec.ts
@@ -389,7 +389,7 @@ describe('blueprints > Formatter', () => {
 
       expect(formatted).toIncludeRepeated(
         formatterOptions.formatOptions.separatorBetweenInputAndResult,
-        2
+        3
       );
     });
 
