mirror of
https://github.com/goauthentik/authentik.git
synced 2026-06-17 19:09:11 +03:00
8f67f8f564
The npm publish job is the highest-value target in this repo's CI: it has `id-token: write` for OIDC trusted publishing against the npm registry and runs against a checkout of `main`. A compromised dep introduced anywhere in the package graph could exfiltrate the OIDC token in the window it is valid, or quietly tamper with the build output before publish.

Adds `step-security/harden-runner` in `audit` mode as the first step of the publish job. Audit mode does not block egress; it captures every outbound connection and surfaces anomalies in the Step Security Insights dashboard. This is intentionally the conservative initial posture — we get observability without risking a broken publish from an incomplete allow-list. A follow-up should promote `egress-policy` to `block` with an explicit `allowed-endpoints` list once we have one or two real publish runs to baseline against.

Pinned to v2.19.3 (ab7a9404c0f3da075243ca237b5fac12c98deaa5).

Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
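The two postures the message describes, as an added illustration (this is not the diff from this commit and not authentik's workflow file): the audit-only step this commit adds, and the follow-up `block` form with an `allowed-endpoints` list. The endpoint list and the surrounding job skeleton are assumptions for illustration; the real list should be derived from the baseline audit runs the message calls for.

```yaml
# Added illustration, not the workflow changed by this commit.
# Posture 1 (this commit): observe only. Nothing is blocked; every outbound
# connection the job makes is recorded, which is what a later allow-list is
# baselined from. The step is first so it sees the checkout and install too.
jobs:
  publish:
    runs-on: ubuntu-latest   # assumed runner
    permissions:
      contents: read
      id-token: write        # OIDC trusted publishing to npm: the token worth protecting
    steps:
      - name: Harden runner (audit)
        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      # ... install, build and publish steps follow
---
# Posture 2 (planned follow-up): enforce. Any connection to a host:port not
# listed is blocked, so a compromised dependency that tries to send the OIDC
# token elsewhere fails to connect and the attempt shows up in Insights.
# The hosts below are an assumed starting point, not a baselined list.
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Harden runner (block)
        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
      # ... install, build and publish steps follow
```

A host missing from the list (a package registry mirror, a telemetry endpoint a tool calls home to) surfaces as a blocked connection rather than a silent failure, which is why the message wants real publish runs in audit mode before switching to `block`.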