test: Migrate CI to GitHub Actions #467

Merged
merged 1 commit into from
Sep 11, 2023
Merged
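--- a/.github/actions/build/action.yml
+++ b/.github/actions/build/action.yml
@@ -0,0 +1,26 @@
+name: Build package
+description: Build the SDK package
+
+inputs:
+node:
+description: The Node version to use
+required: false
+default: 18
+
+runs:
+using: composite
+
+steps:
+- name: Setup Node
+uses: actions/setup-node@v3
+with:
+node-version: ${{ inputs.node }}
+cache: 'npm'
+
+- name: Install dependencies
+shell: bash
+run: npm ci
+
+- name: Build package
+shell: bash
+run: npm run build:prod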
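Review bot: `default: 18` at L46 is an unquoted scalar that a YAML loader types as an integer, whereas action inputs are always strings; writing it as `default: '18'` matches the declared type and avoids the float trap the moment someone configures a minor version such as `18.10`. The setup step is pinned only by a floating major tag (`actions/setup-node@v3`) while the snyk step elsewhere in this PR is pinned by commit SHA; pinning here as well, `uses: actions/setup-node@<commit-sha> # v3` (placeholder), keeps the build's supply-chain posture consistent across the workflows that reuse this composite action.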
9 changes: 4 additions & 5 deletions .github/dependabot.yml
@@ -1,7 +1,6 @@
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-patch"]
- package-ecosystem: 'github-actions'
directory: '/'
schedule:
interval: 'daily'
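Review bot: The npm stanza at L70–L74 (`package-ecosystem: "npm"` with its patch-update ignore) appears to be the removed side — the 4-addition/5-deletion count admits no other split — so after this PR Dependabot only tracks GitHub Actions and no longer opens update PRs for the SDK's npm dependencies, which is the path through which security updates for runtime dependencies arrive. Dropping it is unrelated to the CI migration; if it is intentional it deserves a sentence in the PR description, otherwise keep both stanzas, each as its own `- package-ecosystem:` entry with its own `directory:` and `schedule:`.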
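--- a/.github/workflows/browserstack.yml
+++ b/.github/workflows/browserstack.yml
@@ -0,0 +1,55 @@
+name: Browserstack
+
+on:
+merge_group:
+workflow_dispatch:
+pull_request_target:
+types:
+- opened
+- synchronize
+push:
+branches:
+- master
+
+permissions:
+contents: read
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+env:
+NODE_VERSION: 18
+CACHE_KEY: '${{ github.event.pull_request.head.sha || github.ref }}-${{ github.run_id }}-${{ github.run_attempt }}'
+
+jobs:
+authorize:
+name: Authorize
+environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+runs-on: ubuntu-latest
+steps:
+- run: true
+
+browserstack:
+needs: authorize # Require approval before running on forked pull requests
+
+name: BrowserStack Tests
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+with:
+ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+- name: Build package
+uses: ./.github/actions/build
+with:
+node: ${{ env.NODE_VERSION }}
+
+- name: Run tests
+shell: bash
+run: npx concurrently --kill-others --success first 'npm run start:local:oidc' 'npx wait-on tcp:127.0.0.1:3000 && npm run start:local:playground' 'npx wait-on tcp:127.0.0.1:4200 && npx browserstack-cypress-cli run --build-name ${{ github.ref }}-${{ github.sha }}"
+env:
+BROWSERSTACK_ACCESS_KEY: ${{ secrets.BROWSERSTACK_ACCESS_KEY }}
+BROWSERSTACK_USERNAME: ${{ secrets.BROWSERSTACK_USERNAME }}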
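Review bot: The `run:` line at L133 opens its last `concurrently` argument with a single quote and closes it with a double quote (`... ${{ github.sha }}"`), so bash sees an unterminated string and the step fails before any test starts; the closing character should be `'`. This job checks out `github.event.pull_request.head.sha` under `pull_request_target` and then runs `npm ci` and `npm run build:prod` (via `./.github/actions/build`) with `BROWSERSTACK_ACCESS_KEY` in scope, so the `external` environment selected by the `authorize` job at L109 is the only barrier between a fork's package scripts and those secrets — it must have required reviewers configured, and that assumption belongs in a comment next to L109 rather than only in a reviewer's memory. As far as I can tell the `cache: 'npm'` in the composite action is scoped to the base branch under `pull_request_target`, so an approved fork run can seed cache entries later restored by master builds; approving a run should be understood as trusting that code. `CACHE_KEY` at L104 is defined but not referenced by any step in this file.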
38 changes: 25 additions & 13 deletions .github/workflows/codeql.yml
@@ -1,30 +1,42 @@
name: "CodeQL"
name: CodeQL

on:
push:
branches: [ "master", "beta" ]
merge_group:
pull_request:
branches: [ "master" ]
types:
- opened
- synchronize
push:
branches:
- master
schedule:
- cron: "7 5 * * 0"
- cron: '37 10 * * 2'

permissions:
actions: read
contents: read
security-events: write

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
analyze:
name: Analyze
name: Check for Vulnerabilities
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: [ javascript ]
language: [javascript]

steps:
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
Expand All @@ -38,4 +50,4 @@ jobs:
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{ matrix.language }}"
category: '/language:${{ matrix.language }}'
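Review bot: The `exit 0` step at L185–L186 does not skip anything: a step that exits 0 simply succeeds, and the checkout, init and analyze steps that follow still run for dependabot and merge-queue events, so the "Skip unnecessary test runs" intent is not met (the same pattern is in semgrep.yml L390–L391 and snyk.yml L440–L441). The step-level fix is to give each subsequent step the inverse condition, `if: github.actor != 'dependabot[bot]' && github.event_name != 'merge_group'`; moving that condition to the job is simpler, and a job skipped by `if:` reports "skipped", which branch protection accepts for a required check — if that has been found not to hold here, the per-step form is the one to use. The comment also misspells "Artificially".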
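--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,137 @@
+name: Publish Release
+
+on:
+workflow_dispatch:
+inputs:
+branch:
+description: The branch to release from
+required: true
+default: master
+version:
+description: The version being published. This should be a valid semver version, such as `1.0.0`.
+required: true
+default: ''
+type: string
+dry-run:
+type: boolean
+description: Perform a publishing dry run. This will not publish the release, but will validate the release and log the commands that would be run.
+default: false
+
+permissions:
+contents: read
+id-token: write # For publishing to NPM with provenance. Allows developers to run `npm audit signatures` and verify release signature of SDK. @see https://github.blog/2023-04-19-introducing-npm-package-provenance/
+packages: write # For cross-publishing to GitHub Packages registry.
+
+env:
+NODE_VERSION: 18
+NODE_ENV: development
+
+jobs:
+configure:
+name: Validate input parameters
+runs-on: ubuntu-latest
+
+outputs:
+vtag: ${{ steps.vtag.outputs.vtag }} # The fully constructed release tag to use for publishing
+dry-run: ${{ steps.dry-run.outputs.dry-run }} # The dry-run flag to use for publishing, if applicable
+
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+ref: ${{ github.event.inputs.branch }}
+
+# Configure for dry-run, if applicable. @see https://docs.npmjs.com/cli/v9/commands/npm-publish#dry-run
+- id: dry-run
+if: ${{ github.event.inputs.dry-run == 'true' }}
+name: Configure for `--dry-run`
+run: |
+echo "dry-run=--dry-run" >> $GITHUB_ENV
+echo "dry-run=--dry-run" >> $GITHUB_OUTPUT
+
+# Build the tag string from package.json version and release suffix. Produces something like `1.0.0-beta.1` for a beta, or `1.0.0` for a stable release.
+- name: Build tag
+id: vtag
+run: |
+PACKAGE_VERSION="${{ github.event.inputs.version }}"
+echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_ENV
+echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_OUTPUT
+
+# Ensure tag does not already exist.
+- name: Validate version
+uses: actions/github-script@v6
+env:
+vtag: ${{ env.vtag }}
+with:
+script: |
+const releaseMeta = github.rest.repos.listReleases.endpoint.merge({
+owner: context.repo.owner,
+repo: context.repo.repo,
+});
+
+const releases = await github.paginate(releaseMeta);
+
+for (const release of releases) {
+if (release.name === process.env.vtag) {
+throw new Error(`${process.env.vtag} already exists`);
+}
+}
+
+console.log(`${process.env.vtag} does not exist. Proceeding with release.`)
+
+publish-npm:
+needs: configure
+
+name: Publish to NPM
+runs-on: ubuntu-latest
+environment: release
+
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+ref: ${{ github.event.inputs.branch }}
+
+- name: Setup Node
+uses: actions/setup-node@v3
+with:
+node-version: ${{ env.NODE_VERSION }}
+cache: npm
+
+- name: Install dependencies
+run: npm ci
+
+- name: Publish release to NPM
+run: npm publish --provenance --tag ${{ needs.configure.outputs.vtag }} ${{ needs.configure.outputs.dry-run }}
+env:
+NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+publish-gh:
+needs:
+- configure
+- publish-npm # Don't publish to GitHub Packages until publishing to NPM is successfully completed
+
+name: Publish to GitHub Packages
+runs-on: ubuntu-latest
+environment: release
+
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+
+- name: Setup Node
+uses: actions/setup-node@v3
+with:
+node-version: ${{ env.NODE_VERSION }}
+registry-url: 'https://npm.pkg.github.com'
+cache: npm
+
+- name: Install dependencies
+run: npm ci
+
+- name: Publish release to GitHub Packages
+run: npm publish --provenance --tag ${{ needs.configure.outputs.vtag }} ${{ needs.configure.outputs.dry-run }}
+env:
+NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}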
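Review bot: The workflow-level `permissions` block at L222–L225 grants `id-token: write` and `packages: write` to every job, including `configure`, whose github-script step only lists releases; scoping those two grants to `publish-npm` and `publish-gh` with a job-level `permissions:` block leaves the validation job with a read-only token, which is the least-privilege shape the provenance comment is reaching for. `PACKAGE_VERSION="${{ github.event.inputs.version }}"` at L259 interpolates a dispatch input straight into the shell script; only users with write access can dispatch, but passing it through `env:` and reading `$VERSION` removes the expression-injection pattern altogether. `publish-gh` checks out with no `ref:` (L323–L324) while `publish-npm` checks out `inputs.branch`, so the two registries can receive different content when the dispatch branch differs from the workflow's ref. Separately, `--tag ${{ needs.configure.outputs.vtag }}` at L309 and L337 passes the version string as an npm dist-tag, which npm refuses for SemVer-looking names; the dist-tag should be a channel name such as `latest` or `beta`, with the version taken from package.json — and the "Ensure tag does not already exist" check at L278 compares `release.name`, not `release.tag_name`, so it validates a different field than its comment claims.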
41 changes: 33 additions & 8 deletions .github/workflows/semgrep.yml
@@ -1,23 +1,48 @@
name: Semgrep

on:
pull_request: {}

merge_group:
pull_request_target:
types:
- opened
- synchronize
push:
branches: ["master", "main"]

branches:
- master
schedule:
- cron: '30 0 1,15 * *'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
semgrep:
name: Scan
authorize:
name: Authorize
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

run:
needs: authorize # Require approval before running on forked pull requests

name: Check for Vulnerabilities
runs-on: ubuntu-latest

container:
image: returntocorp/semgrep
if: (github.actor != 'dependabot[bot]')

steps:
- uses: actions/checkout@v3
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}

- run: semgrep ci
env:
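Review bot: `image: returntocorp/semgrep` at L385 is an unpinned tag, so the scanner that runs `semgrep ci` against a `pull_request_target`-triggered checkout of fork code (L393–L395) is whatever the registry serves that day, while the snyk step in this same PR is pinned by commit SHA; pin the image by digest, `image: returntocorp/semgrep@sha256:<digest>` (placeholder), and let Dependabot's new github-actions stanza keep it current. The `env:` block at L398 is the hunk's last line, so the secret this job hands to `semgrep ci` is outside the diff and not reviewed here. The step-level `exit 0` guard at L390–L391 is the same ineffective skip as in codeql.yml, noted there.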
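--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,47 @@
+name: Snyk
+
+on:
+merge_group:
+workflow_dispatch:
+pull_request_target:
+types:
+- opened
+- synchronize
+push:
+branches:
+- master
+schedule:
+- cron: '30 0 1,15 * *'
+
+permissions:
+contents: read
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+authorize:
+name: Authorize
+environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+runs-on: ubuntu-latest
+steps:
+- run: true
+
+check:
+needs: authorize
+
+name: Check for Vulnerabilities
+runs-on: ubuntu-latest
+
+steps:
+- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+- uses: actions/checkout@v4
+with:
+ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+- uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # [email protected]
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}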
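Review bot: The step at L447 uses `snyk/actions/php`, the PHP wrapper, although everything else in this PR builds the project with `npm ci` and `npm run build:prod`; unless the repository also carries a composer.json, this scans nothing useful and `snyk/actions/node@<same-commit-sha>` is the wrapper that reads package-lock.json. The trailing comment on that line has been rendered as `[email protected]`, so the human-readable version the pinned SHA corresponds to is lost; restore it as `# snyk/actions@<version>` (placeholder) so a reviewer can verify the pin against the upstream tag. Unlike the browserstack job, `needs: authorize` at L434 carries no comment explaining that the `external` environment is what gates fork runs before `SNYK_TOKEN` is exposed; copying the `# Require approval before running on forked pull requests` comment here keeps the three workflows consistent.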