Implement setup-node action with safe-chain

Author: cnoble-may

.github/CODEOWNERS

@@ -1,2 +1 @@
-# CHANGE_ME - set correct code owner
-*   @linz/step-enablement
+*   @linz/step-security

.github/dependabot.yml

@@ -1,16 +1,16 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-
-updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: weekly
-    commit-message:
-      prefix: "fix(deps)"
-    cooldown:
-      default-days: 15
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "fix(deps)"
+    cooldown:
+      default-days: 15

.github/workflows/ci.yml

@@ -1,25 +1,36 @@
-name: CI
-on:
-  pull_request:
-    branches: [master]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      # CHANGE_ME - implement automation test for the actual action
-      - name: invoke action
-        uses: ./
-        with:
-          input1: foo
-          input2: bar
-
-      - name: Verify the result
-        run: |
-          source assert.sh
-          assert_eq "foo" "$DUMMY_INPUT1"
-          assert_eq "bar" "$DUMMY_INPUT2"
+name: CI
+on:
+  pull_request:
+    branches: [master]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x, 22.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: ./
+      with:
+        node-version: ${{ matrix.node-version }}
+        cache: 'npm'
+    - run: npm ci
+    - run: npm run build --if-present
+    - name: Test Safe Chains
+      run: |
+        set +e
+        npm install safe-chain-test
+        exitCode=$?
+        if [[ $exitCode -eq 1 ]]; then
+          echo "Failed to download malware test!"
+        else
+          exit 1
+        fi
+        exit 0
+      continue-on-error: true

.github/workflows/dependabot-automation.yml

@@ -1,30 +1,30 @@
-name: Dependabot automation
-
-on: pull_request
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  dependabot:
-    runs-on: ubuntu-latest
-    if: github.actor == 'dependabot[bot]'
-    steps:
-      - name: Dependabot metadata
-        id: metadata
-        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-      - name: Approve PR
-        run: gh pr review --approve "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ secrets.STEP_GITHUB_ACTION_TOKEN }}
-      - name: Enable auto-merge for Dependabot PRs that doesn't include major version update
-        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
-        run: gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ secrets.STEP_GITHUB_ACTION_TOKEN }}
-
+name: Dependabot automation
+
+on: pull_request
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Approve PR
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.STEP_GITHUB_ACTION_TOKEN }}
+      - name: Enable auto-merge for Dependabot PRs that doesn't include major version update
+        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.STEP_GITHUB_ACTION_TOKEN }}
+

.github/workflows/lint-pr.yml

@@ -1,11 +1,11 @@
-name: "Lint PR"
-
-on:
-  pull_request:
-    types: ["opened", "edited", "reopened", "synchronize"]
-
-jobs:
-  pr-lint:
-    runs-on: ubuntu-latest
-    steps:
+name: "Lint PR"
+
+on:
+  pull_request:
+    types: ["opened", "edited", "reopened", "synchronize"]
+
+jobs:
+  pr-lint:
+    runs-on: ubuntu-latest
+    steps:
       - uses: linz/action-pull-request-lint@7adb4bc59b59dc6e097de831c29a17c2c1338826 # v1.2.0

.github/workflows/release.yml

@@ -1,19 +1,19 @@
-name: release-please
-
-on:
-  push:
-    branches:
-      - master
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  release-please:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
-        with:
-          release-type: simple
+name: release-please
+
+on:
+  push:
+    branches:
+      - master
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
+        with:
+          release-type: simple
           token: ${{ secrets.STEP_GITHUB_ACTION_TOKEN  }}