Update workflows

myrotvorets · Jun 25, 2022 · 08b1ebe · 08b1ebe
1 parent d357131
commit 08b1ebe
Show file tree

Hide file tree

Showing 8 changed files with 125 additions and 150 deletions.
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
@@ -0,0 +1,10 @@
+name: CodeQL Config
+
+paths:
+  - lib
+
+paths-ignore:
+  - node_modules
+
+queries:
+  - uses: security-and-quality
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,22 +4,25 @@ name: Build and Test
 on:
   push:
     branches:
-      - '**'
+      - "**"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    name: Build and test (Node ${{ matrix.node.name }})
     runs-on: ubuntu-latest
     if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
     strategy:
       matrix:
         node:
-          - '14'
-          - '16'
-          - '18'
-    name: Build and test (Node ${{ matrix.node }})
+          - { name: Current,      version: current }
+          - { name: LTS,          version: lts/* }
+          - { name: Previous LTS, version: lts/-1 }
     steps:
       - name: Build and test
         uses: myrotvorets/composite-actions/build-test-nodejs@master
         with:
-          node-version: ${{ matrix.node }}
+          node-version: ${{ matrix.node.version }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,43 @@
+name: CodeQL Analysis
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+    paths:
+      - "lib/**.ts"
+      - ".github/workflows/codeql-analysis.yml"
+  schedule:
+    - cron: '24 2 * * 6'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Static Code Analysis with CodeQL
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - javascript
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@41a4ada31ba866a7f1196b9602703a89edd69e22 # tag=v2.1.14
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@41a4ada31ba866a7f1196b9602703a89edd69e22 # tag=v2.1.14
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,26 @@
+name: Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    name: Review Dependencies
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 # tag=v1.4.3
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+
+      - name: Check out the source code
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: Review dependencies
+        uses: actions/dependency-review-action@1c59cdf2a9c7f29c90e8da32237eb04b81bad9f0 # tag=v2
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -15,45 +15,26 @@ on:
         description: Publish to GPR?
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   prepare:
-    name: Prepare the source code
+    name: Prepare source code
     runs-on: ubuntu-latest
     if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes'
     steps:
-      - name: Checkout source
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
-        with:
-          ref: ${{ github.event.release.tag_name }}
-
-      - name: Set up Node.js environment
-        uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
-        with:
-          node-version: lts/*
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run postinstall scripts
-        run: npm rebuild && npm run prepare --if-present
-
-      - name: Create tarball
-        run: npm pack
-
-      - name: Save tarball
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3
-        with:
-          name: package
-          path: "*.tgz"
-          retention-days: 1
+      - name: Prepare source
+        uses: myrotvorets/composite-actions/node-prepublish@master
 
   publish:
-    name: Publish package
+    name: Publish package (${{ matrix.registry }})
     runs-on: ubuntu-latest
     needs: prepare
+    permissions:
+      contents: read
+      packages: write
+      statuses: write
     strategy:
       matrix:
         registry:
@@ -67,39 +48,9 @@ jobs:
             secret: GITHUB_TOKEN
             registry_url: https://npm.pkg.github.com/
     steps:
-      - name: Set commit status to PENDING
-        uses: myrotvorets/set-commit-status-action@74391422f441069685b0836133f6117f286debe5 # tag=1.1.5
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          status: pending
-          context: Publish to ${{ matrix.registry }}
-          sha: ${{ github.sha }}
-        if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
-
-      - name: Set up Node.js environment
-        if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
-        uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
+      - name: Publish package
+        uses: myrotvorets/composite-actions/node-publish@master
         with:
-          node: lts/*
+          node-auth-token: ${{ secrets[matrix.secret] }}
           registry-url: ${{ matrix.registry_url }}
-
-      - name: Download tarball
-        if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3
-        with:
-          name: package
-
-      - name: Publish package
         if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
-        run: npm publish *.tgz
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets[matrix.secret] }}
-
-      - name: Set final commit status
-        uses: myrotvorets/set-commit-status-action@74391422f441069685b0836133f6117f286debe5 # tag=1.1.5
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          status: ${{ job.status }}
-          context: Publish to ${{ matrix.registry }}
-          sha: ${{ github.sha }}
-        if: always() && (github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release')
diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
@@ -2,12 +2,17 @@ name: Package Audit
 
 on:
   push:
+    branches:
+      - '**'
     paths:
       - package.json
       - package-lock.json
       - .github/workflows/package-audit.yml
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   audit-npm:
     name: NPM Audit

diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml
@@ -3,60 +3,32 @@ name: Pre-release Testing
 on:
   push:
     tags:
-      - "*"
+      - "**"
+
+permissions:
+  contents: read
 
 jobs:
   build:
     name: Build and test
     runs-on: ubuntu-latest
     steps:
-      - name: Check out the code
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
-
-      - name: Set up Node.js environment
-        uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
-        with:
-          node-version: lts/*
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run postinstall scripts
-        run: npm rebuild && npm run prepare --if-present
-
-      - name: Run tests
-        run: npm test
-        env:
-          COLLECT_COVERAGE: "0"
+      - name: Build and test
+        uses: myrotvorets/composite-actions/build-test-nodejs@master
 
   release:
     name: Prepare the release
     runs-on: ubuntu-latest
     needs: build
-
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
-      - name: Fetch tags
-        run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
-
-      - name: Get release description
-        id: release_params
-        run: |
-          SUBJECT="$(git for-each-ref "${{ github.ref }}" --format="%(contents:subject)")"
-          BODY="$(git for-each-ref "${{ github.ref }}" --format="%(contents:body)")"
-          echo "::set-output name=subject::${SUBJECT}"
-          echo "::set-output name=body::${BODY}"
-
       - name: Create a release
-        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # renovate: tag=v1.1.4
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # tag=v0.1.14
+        with:
+          generate_release_notes: true
         env:
           GITHUB_TOKEN: ${{ secrets.REPOSITORY_ACCESS_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ steps.release_params.subject }}
-          body: ${{ steps.release_params.body }}
diff --git a/.github/workflows/sonarscan.yml b/.github/workflows/sonarscan.yml
@@ -9,8 +9,12 @@ on:
       - master
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   SONARSCANNER: "true"
+  COLLECT_COVERAGE: "1"
 
 jobs:
   build:
@@ -21,46 +25,7 @@ jobs:
       github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' ||
       github.event_name == 'push' && !contains(github.event.head_commit.message, '[ci skip]')
     steps:
-      - name: Check out the source code
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
-        with:
-          fetch-depth: 0
-
-      - name: Set up Node.js environment
-        uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
-        with:
-          node-version: lts/*
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run postinstall scripts
-        run: npm rebuild && npm run prepare --if-present
-
-      - name: Run tests
-        run: npm test
-        env:
-          COLLECT_COVERAGE: "1"
-
-      - name: Retrieve information from package.json
-        uses: myrotvorets/info-from-package-json-action@ac520d803506a6f636b89cf1c1b63dd6c2d7d053 # tag=1.1.1
-        id: ver
-
-      - name: Fix paths in test-report.xml
-        run: sed -i "s@$(pwd)@/github/workspace@g" test-report.xml
-
-      - name: SonarCloud Scan
-        uses: SonarSource/sonarcloud-github-action@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      - name: Run SonarCloud analysis
+        uses: myrotvorets/composite-actions/node-sonarscan@master
         with:
-          args: >
-            -Dsonar.projectName=${{ steps.ver.outputs.packageName }}
-            -Dsonar.projectVersion=${{ steps.ver.outputs.packageVersion }}
-            -Dsonar.links.homepage=${{ steps.ver.outputs.packageHomepage }}
-            -Dsonar.links.issue=${{ steps.ver.outputs.packageBugsUrl }}
-            -Dsonar.links.scm=${{ steps.ver.outputs.packageScmUrl }}
+          sonar-token: ${{ secrets.SONAR_TOKEN }}