Improve CI/CD & format fixes

.eslintignore

@@ -1,2 +1,2 @@
 /lib
-/test
+/test

.github/actions/prepare/action.yml

@@ -0,0 +1,30 @@
+---
+name: Pre-requisites
+description: |
+  Setup Pre-requisites
+
+runs:
+  using: composite
+  steps:
+    - name: Use node@16
+      uses: actions/setup-node@v3
+      with:
+        node-version: 16.20.0
+
+    - name: Get yarn cache directory path
+      id: yarn-cache-dir-path
+      shell: bash
+      run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
+
+    - name: Node modules cache
+      uses: actions/cache@v3
+      id: yarn-cache
+      with:
+        path: |
+          ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          ~/.cache/node-gyp-cache
+        key: "${{ runner.os }}-yarn-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}"
+        restore-keys: |
+          ${{ runner.os }}-yarn-${{ env.cache-name }}-
+      env:
+        cache-name: v4

.github/dependabot.yml

@@ -0,0 +1,26 @@
+---
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+
+  # Maintain dependencies for npm
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    ignore:
+      - dependency-name: '*'
+        update-types: [version-update:semver-major]
+    commit-message:
+      # Prefix all commit messages
+      prefix: defender-client-deps
+    labels:
+      - dependabot
+      - dependencies
+      - vulnerabilites
+    # Allow up to 5 open pull requests
+    open-pull-requests-limit: 5

.github/release-drafter.yml

@@ -0,0 +1,11 @@
+---
+template: |
+  ## Next Release Version: v$NEXT_MINOR_VERSION
+
+  ## Changes
+  $CHANGES
+
+  **Full Changelog**: https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...v$NEXT_MINOR_VERSION
+
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+change-title-escapes: \<*_&

.github/workflows/ci.yml

@@ -1,77 +1,40 @@
-name: CI
+name: ci
 
-on: [push]
+on:
+  pull_request:
+    types: [assigned, opened, synchronize, reopened, labeled]
 
-jobs:
-  build:
-
-    runs-on: ubuntu-22.04
-
-    steps:
-    - uses: actions/[email protected]
-
-    - name: Use node@16
-      uses: actions/setup-node@v3
-      with:
-        node-version: 16.x
-
-    - name: Node modules cache
-      uses: actions/cache@v3
-      id: yarn-cache
-      with:
-        path: |
-          ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          ~/.cache/node-gyp-cache
-        key: "${{ runner.os }}-yarn-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}"
-        restore-keys: |
-          ${{ runner.os }}-yarn-${{ env.cache-name }}-
-      env:
-        cache-name: v4
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
 
-    - name: Install dependencies
-      run: yarn --frozen-lockfile
+permissions:
+  checks: write
+  pull-requests: read
+  contents: write
+  actions: read
+  id-token: write
 
-    - name: Check build
-      run: yarn build
-
-    - name: Check linting
-      run: yarn lint:check
-
-  test:
-    name: Unit Tests
+jobs:
+  prepare:
+    name: Prepare pre-requisites
     runs-on: ubuntu-22.04
-    needs: build
-
     steps:
-    - uses: actions/[email protected]
-
-    - name: Use node@16
-      uses: actions/setup-node@v3
-      with:
-        node-version: 16.x
-
-    - name: Get yarn cache directory path
-      id: yarn-cache-dir-path
-      run: echo "::set-output name=dir::$(yarn cache dir)"
-
-    - name: Node modules cache
-      uses: actions/cache@v3
-      id: yarn-cache
+    - name: Harden Runner
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
       with:
-        path: |
-          ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          ~/.cache/node-gyp-cache
-        key: "${{ runner.os }}-yarn-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}"
-        restore-keys: |
-          ${{ runner.os }}-yarn-${{ env.cache-name }}-
-      env:
-        cache-name: v4
+        egress-policy: audit
 
-    - name: Install dependencies
-      run: yarn --frozen-lockfile
+    - name: Checkout
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
-    - name: Build
-      run: yarn build
+    - name: Prepare pre-requisites
+      uses: ./.github/actions/prepare
 
-    - name: Run tests
-      run: yarn test
+  # Deterministic Build & tests
+  provenance:
+    needs: prepare
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      run-scripts: "install-deps, nx-build-test-skip-cache"
+      node-version: "16.20.0"

.github/workflows/publish.yml

@@ -0,0 +1,85 @@
+name: publish
+description:
+
+on:
+  workflow_dispatch:
+    tags:
+      - 'v*'
+
+jobs:
+
+  provenance:
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+
+    # Deterministic Build & tests
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      run-scripts: "install-deps, nx-build-test-skip-cache"
+      node-version: "16.20.0"
+
+
+  publish:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      checks: write
+      id-token: write # For signing
+      actions: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout Repo
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Use node@16
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        with:
+          node-version: 16.20.0
+
+      - name: Create temp dir
+        id: temp-dir
+        run: |
+          set -euo pipefail
+
+          temp_dir=$(mktemp -d)
+          echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}"
+
+      - name: Download tarball
+        uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@934435652996c02a6317092984312602dfaf2a21 # main
+        with:
+          name: ${{ needs.provenance.outputs.package-download-name }}
+          path: "${{ steps.temp-dir.outputs.path }}/${{ needs.provenance.outputs.package-name }}"
+          sha256: ${{ needs.provenance.outputs.package-download-sha256 }}
+
+      - name: Download provenance
+        uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@0779f7bec68e2bf54a7b0a32bf4763f25ab29702 # v1.6.0
+        with:
+          name: ${{ needs.provenance.outputs.provenance-download-name }}
+          path: "${{ steps.temp-dir.outputs.path }}"
+          sha256: ${{ needs.provenance.outputs.provenance-download-sha256 }}
+
+      - name: Authenticate NPM
+        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
+
+      - name: Unpack the zipped artifact
+        run: |
+          set -euo pipefail
+
+          cd "${{ steps.temp-dir.outputs.path }}"
+          tar -xzvf "${{ needs.provenance.outputs.package-name }}"
+          cd package/
+          if [[ ${GITHUB_REF#refs/tags/}" != *rc* ]]; then
+            yarn publish
+          else
+            yarn publish-rc
+          fi
+        env:
+          NPM_CONFIG_PROVENANCE: true