forked from
npmx.dev/npmx.dev
[READ-ONLY]
a fast, modern browser for the npm registry
ci: only run provenance checks on pnpm lockfile change (#817)
Co-authored-by: Daniel Roe <daniel@roe.dev>
authored by
Wojciech Maj
Daniel Roe
and committed by
GitHub
431c2c76
4e7814a8
+7
+7
.github/workflows/provenance.yml
+7
.github/workflows/provenance.yml
···
4
4
push:
5
5
branches:
6
6
- main
7
+
paths:
8
+
- pnpm-lock.yaml
7
9
pull_request:
8
10
branches:
9
11
- main
12
+
paths:
13
+
- pnpm-lock.yaml
10
14
merge_group:
11
15
branches:
12
16
- main
17
+
13
18
permissions:
14
19
contents: read
20
+
15
21
jobs:
16
22
check-provenance:
17
23
runs-on: ubuntu-slim
···
19
25
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
20
26
with:
21
27
fetch-depth: 0
28
+
22
29
- name: Check provenance downgrades
23
30
uses: danielroe/provenance-action@41bcc969e579d9e29af08ba44fcbfdf95cee6e6c # v0.1.1
24
31
with: