harden-runner/.github/workflows/test.yml

name: Test
on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main # to update code coverage

permissions: # added using https://github.com/step-security/secure-workflows
  contents: read
concurrency:
  group: ${{ github.workflow }}
jobs:
  test:
    permissions:
      checks: write
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
        with:
          disable-sudo: true
          egress-policy: audit
          allowed-endpoints: >
            api.github.com:443
            codecov.io:443
            github.com:443
            registry.npmjs.org:443
            storage.googleapis.com:443
            uploader.codecov.io:443

      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Install Dependencies
        run: npm ci
      - name: Run coverage
        run: npm test -- --coverage
      - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
      - name: Publish Test Results
        uses: step-security/publish-unit-test-result-action@b495e9a82021fc8f34737416de688298581b847d # v2.19.0
        if: always()
        with:
          files: |
            reports/*.xml