Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test: Improvements to CI Workflows #1128

Merged
merged 2 commits into from
Aug 29, 2023
Merged

test: Improvements to CI Workflows #1128

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f4f0d8c
test: Improvements to CI Workflows
evansims Aug 28, 2023
9895c0c
Move codecov upload step to unit tests
evansims Aug 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 15 additions & 3 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,15 @@ name: CodeQL

on:
merge_group:
push:
branches: ['master', 'beta', 'v1']
pull_request:
branches: ['master']
types:
- opened
- synchronize
push:
branches:
- master
- beta
- v*
schedule:
- cron: '56 12 * * 1'

Expand All @@ -14,6 +19,10 @@ permissions:
contents: read
security-events: write

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
analyze:
name: Analyze
Expand All @@ -25,6 +34,9 @@ jobs:
language: [javascript]

steps:
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- name: Checkout
uses: actions/checkout@v3

Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ permissions:
contents: read
packages: write

env:
NODE_VERSION: 18

jobs:
publish-npm:
name: 'NPM'
Expand Down
12 changes: 9 additions & 3 deletions .github/workflows/semgrep.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,25 +15,31 @@ on:
permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
authorize:
name: Authorize
environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

run:
if: (github.actor != 'dependabot[bot]')
needs: authorize # Require approval before running on forked pull requests

name: Run
name: Check for Vulnerabilities
runs-on: ubuntu-latest

container:
image: returntocorp/semgrep

steps:
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}
Expand Down
47 changes: 47 additions & 0 deletions .github/workflows/snyk.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Snyk

on:
merge_group:
workflow_dispatch:
pull_request_target:
types:
- opened
- synchronize
push:
branches:
- master
schedule:
- cron: '30 0 1,15 * *'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
authorize:
name: Authorize
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

check:
needs: authorize

name: Check for Vulnerabilities
runs-on: ubuntu-latest

steps:
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}

- uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # [email protected]
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
6 changes: 3 additions & 3 deletions .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,6 @@ jobs:
path: .
key: ${{ env.CACHE_KEY }}

- name: Upload coverage
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # [email protected]

unit:
needs: test

Expand All @@ -87,6 +84,9 @@ jobs:
- name: Run tests
run: npm run test -- --maxWorkers=2

- name: Upload coverage
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # [email protected]

browserstack:
needs: test

Expand Down