use harden runner in ci, fix publish

dominikg · dominikg · commit e102191698ce · 2025-09-25T11:42:57.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -32,6 +32,15 @@ jobs:
         node: [24]
         os: [ubuntu-latest]
     steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            registry.npmjs.org:443
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: 'false'
@@ -91,6 +100,15 @@ jobs:
             vite: 'rolldown-vite'
             svelte: 'current'
     steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            registry.npmjs.org:443
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: 'false'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -63,6 +63,7 @@ jobs:
           publish: pnpm exec changeset tag #only create git tag, publish to registry happens later
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # needed for some github api calls changesets makes
+
   publish:
     needs: changesets
     if: needs.changesets.outputs.published == 'true'
@@ -103,6 +104,7 @@ jobs:
             TAG=latest
           fi
 
+          GIT_STATUS=$(git status --porcelain=v1)
           if [[ "$GIT_STATUS" != "" ]]; then
             echo "dirty git state, aborting publish"
             echo "$GIT_STATUS";
diff --git a/package.json b/package.json
@@ -17,7 +17,6 @@
     "lint": "pnpm check:lint --fix",
     "format": "pnpm check:format --write",
     "fixup": "run-s lint format",
-    "release": "pnpm changeset publish",
     "prepare": "husky",
     "playwright": "playwright-core",
     "generate:types": "pnpm --filter \"./packages/*\" --parallel generate:types",
