Bump alpine from 3.10 to 3.19

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1

.github/workflows/release.yml

@@ -0,0 +1,37 @@
+name: Release new action version
+on:
+  workflow_dispatch:
+    inputs:
+      TAG_NAME:
+        description: "Tag name that the major tag will point to"
+        required: true
+
+env:
+  TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
+defaults:
+  run:
+    shell: pwsh
+
+permissions:
+  contents: read
+
+jobs:
+  update_tag:
+    name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes
+    # Remember to configure the releaseNewActionVersion environment with required approvers in the repository settings
+    environment:
+      name: releaseNewActionVersion
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      - name: Update the ${{ env.TAG_NAME }} tag
+        uses: step-security/publish-action@00f33a2a7d8b77187d08ce666d0d5d73ad1dfb93
+        with:
+          source-tag: ${{ env.TAG_NAME }}

.pre-commit-config.yaml

@@ -0,0 +1,14 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+  rev: 3.0.0
+  hooks:
+  - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace

Dockerfile

@@ -0,0 +1,6 @@
+FROM alpine:3.19
+
+RUN apk add --no-cache ca-certificates bash jq curl
+
+COPY entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]

LICENSE

@@ -1,6 +1,7 @@
 MIT License
 
 Copyright (c) 2023 StepSecurity
+Copyright (c) 2021 Martin Beentjes
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1 +1,27 @@
-# npm-get-version-action
+# StepSecurity Maintained npm-get-version-action Actions
+
+Forked from: [martinbeentjes/npm-get-version-action](https://github.com/martinbeentjes/npm-get-version-action)
+
+This GitHub Action retrieves the package version from the package.json file and sets the version in the `current-version` output value usable in your workflow file.
+
+## Example
+
+To use this action in your project, use the following:
+
+```yaml
+- name: get-npm-version
+  id: package-version
+  uses: step-security/npm-get-version-action@v1
+```
+
+The Action sets an output variable called `current-version` which can be used in a following step by using `${{ steps.package-version.outputs.current-version}}`.
+
+If you are using a monorepo or otherwise have some packages in a subdirectory of your repo, add the path to the `package.json` as a parameter:
+
+```yaml
+- name: get-npm-version
+  id: package-version
+  uses: step-security/npm-get-version-action@v1
+  with:
+    path: packages/<yourpackage>
+```

SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities to [email protected]

action.yml

@@ -0,0 +1,18 @@
+name: 'Get current package version'
+description: 'Get the current version of the npm package'
+branding:
+  color: 'gray-dark'
+  icon: 'align-center'
+inputs:
+  path:
+    required: false
+    default: '.'
+    description: 'Path to package.json file (directories only), e.g. packages/mypackage/'
+outputs:
+  current-version:
+    description: 'Current version defined in the package.json file'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+    - ${{ inputs.path }}

entrypoint.sh

@@ -0,0 +1,21 @@
+#!/bin/sh -l
+API_URL="https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/subscription"
+
+# Set a timeout for the curl command (3 seconds)
+RESPONSE=$(curl --max-time 3 -s -w "%{http_code}" "$API_URL" -o /dev/null) || true
+CURL_EXIT_CODE=${?}
+
+# Check if the response code is not 200
+if [ $CURL_EXIT_CODE -ne 0 ] || [ "$RESPONSE" != "200" ]; then
+    if [ -z "$RESPONSE" ] || [ "$RESPONSE" == "000" ] || [ $CURL_EXIT_CODE -ne 0 ]; then
+    echo "Timeout or API not reachable. Continuing to next step."
+    else
+    echo "Subscription is not valid. Reach out to [email protected]"
+    exit 1
+    fi
+fi
+PACKAGE_JSON_PATH="${1-.}"
+echo "Reading package.json from ${PACKAGE_JSON_PATH}/package.json"
+PACKAGE_VERSION=$(cat ${PACKAGE_JSON_PATH}/package.json | jq '.version' | tr -d '"')
+
+echo "current-version=${PACKAGE_VERSION}" >> $GITHUB_OUTPUT