From eb205a72d468441b6e03afdbc8e2d90df6f243a8 Mon Sep 17 00:00:00 2001
From: Chris Markiewicz <effigies@gmail.com>
Date: Mon, 26 Aug 2024 14:55:08 -0400
Subject: [PATCH] chore(ci): Run Deno tests with/without network access

---
 .github/workflows/deno_tests.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deno_tests.yml b/.github/workflows/deno_tests.yml
index 4f10a3314..0dc8eea91 100644
--- a/.github/workflows/deno_tests.yml
+++ b/.github/workflows/deno_tests.yml
@@ -39,10 +39,12 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-22.04, macos-12, windows-2022]
+        allow-net: [true, false]
       fail-fast: false
     defaults:
       run:
         working-directory: ./bids-validator
+        shell: bash
 
     steps:
       - uses: actions/checkout@v4
@@ -51,7 +53,13 @@ jobs:
       - uses: denoland/setup-deno@v1
         with:
           deno-version: v1.x
-      - run: deno test --allow-all --coverage=cov/ src/
+      - name: Set permissions with network access
+        run: echo 'PERMS=--allow-read --allow-write --allow-env --allow-run --allow-net' >> $GITHUB_ENV
+        if: ${{ matrix.allow-net }}
+      - name: Set permissions without network access
+        run: echo 'PERMS=--allow-read --allow-write --allow-env --allow-run --deny-net' >> $GITHUB_ENV
+        if: ${{ ! matrix.allow-net }}
+      - run: deno test $PERMS --coverage=cov/ src/
       - name: Collect coverage
         run: deno coverage cov/ --lcov --output=coverage.lcov
         if: ${{ always() }}