Skip to content

ci: reduce the permissions for github actions jobs #49

ci: reduce the permissions for github actions jobs

ci: reduce the permissions for github actions jobs #49

Workflow file for this run

name: Tests
on:
pull_request_target:
push:
branches:
- main
workflow_dispatch:
jobs:
tests:
name: Run tests
runs-on: ubuntu-latest
environment: staging
permissions:
checks: write
steps:
- name: "build: checkout the latest changes"
uses: actions/checkout@v4
with:
persist-credentials: false
ref: ${{ github.event.pull_request.head.sha }}
- name: "build: setup the node runtime"
uses: actions/setup-node@v4
with:
cache: npm
cache-dependency-path: package-lock.json
node-version-file: .nvmrc
- name: "build: install the required dependencies"
run: npm ci
- name: "unit(test): perform lints and formatting checks"
run: npm run lint
- name: "unit(test): perform check of typings"
run: npm run check
- name: "unit(test): perform unit test checks"
run: npm test
- name: "unit(test): upload coverage to CodeCov"
uses: codecov/[email protected]
with:
directory: ./coverage
token: ${{ secrets.CODECOV_TOKEN }}
- name: "build: package code for distribution"
run: npm run build
- name: "pretest(inputs): save the push event trigger commit URL"
if: "contains(github.event_name, 'push')"
run: |
url=${{ github.event.head_commit.url }}
echo "EVENT_URL=$url" >> "$GITHUB_ENV"
- name: "pretest(inputs): save the pull request event trigger commit URL"
if: "contains(github.event_name, 'pull_request')"
run: |
url=${{ github.event.pull_request.html_url }}
echo "EVENT_URL=$url" >> "$GITHUB_ENV"
- name: "integration(wfb): send a payload to workflow builder via webhook trigger"
id: wfb
uses: ./
with:
errors: true
webhook: ${{ secrets.SLACK_WEBHOOK_TRIGGER }}
webhook-type: webhook-trigger
payload: |
author: ${{ github.event.sender.login }}
channel_id: ${{ secrets.SLACK_CHANNEL_ID }}
event_url: ${{ env.EVENT_URL}}
repo_name: ${{ github.event.repository.full_name }}
status: ${{ job.status }}
- name: "integration(wfb): confirm a payload was sent"
run: test -n "${{ steps.wfb.outputs.time }}"
- name: "integration(botToken): post a message to channel"
id: message
uses: ./
with:
errors: true
method: chat.postMessage
token: ${{ secrets.SLACK_BOT_TOKEN }}
payload: |
channel: ${{ secrets.SLACK_CHANNEL_ID }}
text: ":checkered_flag: Action happens at <https://github.com/${{ github.repository }}>"
- name: "integration(method): confirm a message was posted"
run: test -n "${{ steps.message.outputs.ts }}"
- name: "integration(method): post a message with blocks"
id: blocks
uses: ./
with:
errors: true
method: chat.postMessage
token: ${{ secrets.SLACK_BOT_TOKEN }}
payload: |
channel: ${{ secrets.SLACK_CHANNEL_ID }}
text: ":eyes: Event received..."
attachments:
- color: "dbab09"
fields:
- title: "Status"
short: true
value: "Processing"
- name: "integration(method): confirm the blocks were posted"
run: test -n "${{ steps.blocks.outputs.ts }}"
- name: "integration(method): post a threaded message"
id: timer
uses: ./
with:
errors: true
method: chat.postMessage
token: ${{ secrets.SLACK_BOT_TOKEN }}
payload: |
channel: ${{ secrets.SLACK_CHANNEL_ID }}
text: "Started at `${{ steps.blocks.outputs.time }}`"
thread_ts: "${{ steps.blocks.outputs.ts }}"
- name: "integration(incoming): confirm the thread started"
run: test -n "${{ steps.timer.outputs.time }}"
- name: "integration(method): wait to mock event processing"
run: sleep 3
- name: "integration(method): update the original message"
id: finished
uses: ./
with:
errors: true
method: chat.update
token: ${{ secrets.SLACK_BOT_TOKEN }}
payload: |
channel: ${{ secrets.SLACK_CHANNEL_ID }}
ts: "${{ steps.blocks.outputs.ts }}"
text: ":gear: Event processed!"
attachments:
- color: "28a745"
fields:
- title: "Status"
short: true
value: "Completed"
- name: "integration(method): post another threaded message"
id: done
uses: ./
with:
errors: true
method: chat.postMessage
token: ${{ secrets.SLACK_BOT_TOKEN }}
payload: |
channel: ${{ steps.blocks.outputs.channel_id }}
text: "Finished at `${{ steps.finished.outputs.time }}`"
thread_ts: "${{ steps.timer.outputs.thread_ts }}"
- name: "integration(method): post a file into a channel"
id: file
uses: ./
with:
errors: true
method: files.uploadV2
token: ${{ secrets.SLACK_BOT_TOKEN }}
payload: |
channel_id: ${{ secrets.SLACK_CHANNEL_ID }}
initial_comment: ":robot_face: The codes exists here"
file: .github/workflows/test.yml
filename: action.yml
- name: "integration(method): react to the completed update message"
uses: ./
with:
errors: true
method: reactions.add
token: ${{ secrets.SLACK_BOT_TOKEN }}
payload: |
channel: ${{ secrets.SLACK_CHANNEL_ID }}
timestamp: ${{ steps.blocks.outputs.ts }}
name: "tada"
- name: "integration(method): confirm the thread ended"
run: test -n "${{ steps.done.outputs.time }}"
- name: "integration(incoming): post a message via incoming webhook"
id: incoming
uses: ./
with:
errors: true
webhook: ${{ secrets.SLACK_INCOMING_WEBHOOK }}
webhook-type: incoming-webhook
payload: |
text: "Incoming webhook test for slack send"
blocks:
- type: section
text:
type: plain_text
text: ":link: A message was received via incoming webhook"
emoji: true
- name: "integration(incoming): confirm a webhook was posted"
run: test -n "${{ steps.incoming.outputs.time }}"
- name: "integration(incoming): reveal contents of the github payload"
run: echo $JSON
env:
JSON: ${{ toJSON(github) }}
- name: "integration(incoming): post a message via payload file"
id: payload_file
uses: ./
with:
errors: true
payload-file-path: ./.github/resources/.slack/incoming-webhook.json
payload-templated: true
webhook: ${{ secrets.SLACK_INCOMING_WEBHOOK }}
webhook-type: incoming-webhook
env:
JOB_STATUS: ${{ job.status }}
ATTACHMENT_COLOR: ${{ (job.status == 'success' && 'good') || (job.status == 'failure' && 'danger') || 'warning' }}
- name: "integration(incoming): confirm a payload file was posted"
run: test -n "${{ steps.payload_file.outputs.time }}"
- name: "chore(health): check up on recent changes to the health score"
uses: slackapi/[email protected]
with:
codecov_token: ${{ secrets.CODECOV_API_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
extension: js
include: src