From eca7d9622a1eaafbfc338e2d0c58038cf83dc34c Mon Sep 17 00:00:00 2001
From: Josh Rose
Date: Wed, 3 Jul 2024 20:04:26 +0200
Subject: [PATCH] ci: bring ci workflow into line with our current standards
---
 .github/mergify.yml | 38 ++++++++++++++++++++++++++
 .github/workflows/ci.yml | 58 +++++++++++++++++++++++++++++++---------
 .megalinter.yml | 42 +++++++++++++++++++++++++++++
 .mergify.yml | 30 ---------------------
 .npmrc | 3 +++
 .trufflehog-ignore | 6 +++++
 package.json | 4 +--
 7 files changed, 135 insertions(+), 46 deletions(-)
 create mode 100644 .github/mergify.yml
 create mode 100644 .megalinter.yml
 delete mode 100644 .mergify.yml
 create mode 100644 .npmrc
 create mode 100644 .trufflehog-ignore
diff --git a/.github/mergify.yml b/.github/mergify.yml
new file mode 100644
index 0000000..7e1413b
--- /dev/null
+++ b/.github/mergify.yml
@@ -0,0 +1,38 @@
+---
+pull_request_rules:
+ - name: Automatically merge security pull requests
+ conditions:
+ - author=dependabot[bot]
+ - label!=wontfix
+ - check-success=๐Ÿ”จ Build
+ - check-success=๐Ÿงช Test
+ - check-success=๐Ÿ‘ฉโ€๐ŸŽค Playwright Tests
+ - check-success=๐Ÿงน Lint
+ - check-success=SonarCloud Code Analysis
+ actions:
+ review:
+ type: APPROVE
+ message: Automatically approving dependabot
+ merge:
+ method: merge
+ - name: Automatically merge when all checks pass and the PR has been approved
+ conditions:
+ - check-success=๐Ÿ”จ Build
+ - check-success=๐Ÿงช Test
+ - check-success=๐Ÿงน Lint
+ - check-success=SonarCloud Code Analysis
+ - "#review-requested=0"
+ - "#approved-reviews-by>=1"
+ actions:
+ merge:
+ method: merge
+ - name: Ask for reviews
+ conditions:
+ - -closed
+ - -draft
+ - -author=dependabot[bot]
+ actions:
+ request_reviews:
+ teams:
+ - devs
+ random_count: 1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 172acf1..a631e8a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
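Review bot: In .github/mergify.yml the first rule is named for security pull requests, but its only author condition is `author=dependabot[bot]`, so every Dependabot PR, routine and major version bumps included, is approved by the bot and merged with no human review once the checks are green. That leaves CI as the only gate on new dependency code; consider narrowing the rule (for example to a label a maintainer applies, or to patch and minor updates) and naming it for what it actually matches. The second rule merges on `#approved-reviews-by>=1` without checking for outstanding change requests, and adding `- "#changes-requested-reviews-by=0"` would close that gap. The first rule also waits on a Playwright check that the ci.yml part of this patch does not define, so it presumably comes from another workflow.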
@@ -1,19 +1,51 @@
-name: CI
-
+---
+name: ๐Ÿ‘ฎ CI
 on:
- push:
 pull_request:
-
+ branches: [main]
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+permissions: read-all
 jobs:
 build:
+ name: ๐Ÿ”จ Build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - name: Setup node
- uses: actions/setup-node@v3
- with:
- node-version: 16.18.1
- cache: 'npm'
- - run: npm ci --no-audit --prefer-offline
- - run: npm run build
- - run: npm test
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: .nvmrc
+ cache: npm
+ - run: npm ci
+ - run: npm run build
+ test:
+ name: ๐Ÿงช Test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: .nvmrc
+ cache: npm
+ - run: npm ci
+ - run: npm test
+ lint:
+ name: ๐Ÿงน Lint
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: .nvmrc
+ cache: npm
+ - run: npm ci
+ - uses: oxsecurity/megalinter/flavors/javascript@v7
+ env:
+ VALIDATE_ALL_CODEBASE: false
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.megalinter.yml b/.megalinter.yml
new file mode 100644
index 0000000..a68b613
--- /dev/null
+++ b/.megalinter.yml
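Review bot: The lint job in .github/workflows/ci.yml hands `GITHUB_TOKEN` with `pull-requests: write` to `oxsecurity/megalinter/flavors/javascript@v7`, which is referenced by a mutable tag; pinning third-party actions to a full commit SHA, `uses: oxsecurity/megalinter/flavors/javascript@<full-commit-sha> # v7`, keeps a retagged release from running with that token. In the same job `npm ci` runs dependency install scripts after a checkout that by default leaves the token in the local git config, so `persist-credentials: false` under that checkout's `with:` is worth adding if MegaLinter does not need to push. The top-level `permissions: read-all` grants read on every scope, while `contents: read` looks sufficient for the build and test jobs shown here.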
@@ -0,0 +1,42 @@
+# Configuration file for MegaLinter
+#
+# See all available variables at https://megalinter.io/latest/config-file/ and in
+# linters documentation
+---
+APPLY_FIXES: none
+
+DISABLE:
+ - COPYPASTE
+ - SPELL
+
+DISABLE_LINTERS:
+ # We use stylelint for CSS and SCSS linting
+ - CSS_SCSS_LINT
+ # Disable in favour of eslint
+ - JAVASCRIPT_STANDARD
+ # We use dependabot for vulnerability monitoring and patching
+ - REPOSITORY_GRYPE
+ # Not needed in this repository
+ - REPOSITORY_TRIVY
+ # Disable in favour of eslint
+ - TYPESCRIPT_STANDARD
+ # Link check flags localhost links in the contributing docs
+ - MARKDOWN_MARKDOWN_LINK_CHECK
+ # V8R keeps giving false positives
+ - YAML_V8R
+
+SHOW_ELAPSED_TIME: true
+
+FILEIO_REPORTER: false
+
+# Config paths
+CSS_STYLELINT_CONFIG_FILE: stylelint.config.js
+JAVASCRIPT_ES_CONFIG_FILE: .eslintrc
+TYPESCRIPT_ES_CONFIG_FILE: .eslintrc
+
+# Executable overrides
+CSS_STYLELINT_CLI_EXECUTABLE: ['./node_modules/.bin/stylelint']
+
+# Linters configuration
+REPOSITORY_GITLEAKS_DISABLE_ERRORS: true
+REPOSITORY_TRUFFLEHOG_ARGUMENTS: --exclude_paths .trufflehog-ignore
diff --git a/.mergify.yml b/.mergify.yml
deleted file mode 100644
index 2c04215..0000000
--- a/.mergify.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-pull_request_rules:
- - name: Auto request reviews
- conditions:
- - author~=!^dependabot(|-preview)\[bot\]$
- actions:
- request_reviews:
- users:
- - DanWebb
- - gavmck
- random_count: 1
- - name: Autosquash when checks pass and reviews are approved
- conditions:
- - and:
- - author~=!^dependabot(|-preview)\[bot\]$
- - label!=wontfix
- - check-success=build
- - check-success=SonarCloud Code Analysis
- - "#approved-reviews-by>=1"
- actions:
- merge:
- method: squash
- - name: Autosquash security updates when checks pass
- conditions:
- - author~=^dependabot(|-preview)\[bot\]$
- - label!=wontfix
- - check-success=build
- - check-success=SonarCloud Code Analysis
- actions:
- merge:
- method: squash
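Review bot: `REPOSITORY_GITLEAKS_DISABLE_ERRORS: true` in .megalinter.yml turns Gitleaks findings into non-blocking output, so a committed secret reported by Gitleaks would not fail the Lint check that the Mergify rules use as a merge gate. Unlike the entries under `DISABLE_LINTERS`, this line carries no comment explaining why; if it is there to silence known false positives, a Gitleaks allowlist or baseline would keep the linter blocking for new findings. With `REPOSITORY_GRYPE` and `REPOSITORY_TRIVY` also disabled, a comment above the line such as `# Gitleaks findings are advisory only; see <reason or issue link>` would at least record the intent.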
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..f16eabe
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,3 @@
+audit=false
+noFund=true
+preferOffline=true
diff --git a/.trufflehog-ignore b/.trufflehog-ignore
new file mode 100644
index 0000000..c8e6af6
--- /dev/null
+++ b/.trufflehog-ignore
@@ -0,0 +1,6 @@
+node_modules
+.git
+dist
+example/.next
+example/node_modules
+example/next-env.d.ts
diff --git a/package.json b/package.json
index 80b217c..48fbb36 100644
--- a/package.json
+++ b/package.json
@@ -15,9 +15,7 @@
 "build": "microbundle-crl --no-compress --format modern,cjs",
 "start": "microbundle-crl watch --no-compress --format modern,cjs",
 "prepare": "run-s build",
- "test": "run-s test:types test:unit test:lint test:build",
- "test:build": "run-s build",
- "test:lint": "eslint .",
+ "test": "run-s test:types test:unit",
 "test:unit": "cross-env CI=1 react-scripts test --env=jsdom",
 "test:watch": "react-scripts test --env=jsdom",
 "test:types": "tsc",
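Review bot: `audit=false` in .npmrc now applies to every install in the repository, not only to the CI step that used to pass `--no-audit`, so contributors no longer see npm's advisory report locally and vulnerability visibility rests on Dependabot alone (Grype and Trivy are disabled in .megalinter.yml). A short comment in the file would record that this is deliberate, e.g. `; audit is off on purpose, advisories are tracked through Dependabot`. Separately, npm's documented config keys are `fund` and `prefer-offline`; I am not certain the camelCase `noFund` and `preferOffline` spellings are honoured in an .npmrc, so `fund=false` and `prefer-offline=true` would be the safer form.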
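Review bot: The entries in .trufflehog-ignore are unanchored, and if TruffleHog reads this file as one regular expression per line (as its exclude-paths option does, as far as I know) then `.git` also matches `.github/` and `.gitignore`, and `dist` matches any path containing that string. That would take the workflow files added in this same patch out of secret scanning without anyone intending it. Anchoring the patterns, for example `^\.git/` and `^dist/`, keeps the exclusions to the directories named.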