From 08b1ebee3bdaca2cbefd250eac51531555f58eb1 Mon Sep 17 00:00:00 2001
From: Myrotvorets
Date: Sat, 25 Jun 2022 08:43:31 +0300
Subject: [PATCH] Update workflows
---
 .github/codeql-config.yml | 10 ++++
 .github/workflows/build.yml | 15 +++--
 .github/workflows/codeql-analysis.yml | 43 ++++++++++++++
 .github/workflows/dependency-review.yml | 26 +++++++++
 .github/workflows/npm-publish.yml | 77 +++++--------------------
 .github/workflows/package-audit.yml | 5 ++
 .github/workflows/push-tag.yml | 50 ++++------------
 .github/workflows/sonarscan.yml | 49 +++-------------
 8 files changed, 125 insertions(+), 150 deletions(-)
 create mode 100644 .github/codeql-config.yml
 create mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
new file mode 100644
index 0000000..8adc469
--- /dev/null
+++ b/.github/codeql-config.yml
@@ -0,0 +1,10 @@
+name: CodeQL Config
+
+paths:
+ - lib
+
+paths-ignore:
+ - node_modules
+
+queries:
+ - uses: security-and-quality
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1c6aa9d..8dfbbcc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,22 +4,25 @@ name: Build and Test
 on:
 push:
 branches:
- - '**'
+ - "**"
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
+ name: Build and test (Node ${{ matrix.node.name }})
 runs-on: ubuntu-latest
 if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
 strategy:
 matrix:
 node:
- - '14'
- - '16'
- - '18'
- name: Build and test (Node ${{ matrix.node }})
+ - { name: Current, version: current }
+ - { name: LTS, version: lts/* }
+ - { name: Previous LTS, version: lts/-1 }
 steps:
 - name: Build and test
 uses: myrotvorets/composite-actions/build-test-nodejs@master
 with:
- node-version: ${{ matrix.node }}
+ node-version: ${{ matrix.node.version }}
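Review bot: `paths: - lib` already confines the scan to the `lib` tree, so the `paths-ignore: - node_modules` entry that follows has no visible effect unless a node_modules directory exists under `lib`; either remove it or say why it stays. A comment above `paths:` such as `# Only lib/ is analysed; tests and tooling outside it are deliberately out of scope` would record that the narrowing is intentional, matching the `lib/**.ts` filter the analysis workflow in this commit applies to pull requests.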
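Review bot: The matrix entry `{ name: Current, version: current }` resolves to whichever Node release is newest when the job runs, so a new major can fail this workflow with no change in the repository; if that is meant as an early warning, say so in a comment, and if it must not block merges, mark that entry with `continue-on-error`. The alias meanings are only implied by the `name` fields; `# current = newest release, lts/* = active LTS, lts/-1 = previous LTS (setup-node aliases, presumably resolved inside the composite action)` above `node:` would spell them out for readers.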
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000..c3c561c
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,43 @@
+name: CodeQL Analysis
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+ paths:
+ - "lib/**.ts"
+ - ".github/workflows/codeql-analysis.yml"
+ schedule:
+ - cron: '24 2 * * 6'
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Static Code Analysis with CodeQL
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ language:
+ - javascript
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@41a4ada31ba866a7f1196b9602703a89edd69e22 # tag=v2.1.14
+ with:
+ languages: ${{ matrix.language }}
+ config-file: ./.github/codeql-config.yml
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@41a4ada31ba866a7f1196b9602703a89edd69e22 # tag=v2.1.14
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..0cd9fb0
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,26 @@
+name: Dependency Review
+
+on:
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ name: Review Dependencies
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 # tag=v1.4.3
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+
+ - name: Check out the source code
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+ - name: Review dependencies
+ uses: actions/dependency-review-action@1c59cdf2a9c7f29c90e8da32237eb04b81bad9f0 # tag=v2
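Review bot: The `pull_request.paths` list includes `.github/workflows/codeql-analysis.yml` but not `.github/codeql-config.yml`, which this workflow loads through `config-file`, so a pull request that only changes the query set or scanned paths will not be analysed; add `- ".github/codeql-config.yml"` to that list. Note also that a `paths` filter on `pull_request` means PRs touching none of the listed files never report this check, so it should not be configured as a required status check unless every PR is expected to touch `lib/**.ts`. The `cron: '24 2 * * 6'` value is single-quoted while the sibling globs use double quotes; harmless, but one quoting style per file reads better.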
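Review bot: `allowed-endpoints: >` leaves a trailing newline on the folded value; `>-` yields the same two endpoints without it. Because `egress-policy: block` rejects every host not listed, a comment above `allowed-endpoints` such as `# checkout needs github.com; dependency-review-action needs api.github.com` records why each entry exists and makes later additions reviewable. The action runs with its default policy; if a minimum severity is intended as a merge gate, set `fail-on-severity` explicitly rather than relying on the default.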
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 6f898c1..a9aeee3 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -15,45 +15,26 @@ on:
 description: Publish to GPR?
 required: true
+permissions:
+ contents: read
+
 jobs:
 prepare:
- name: Prepare the source code
+ name: Prepare source code
 runs-on: ubuntu-latest
 if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes'
 steps:
- - name: Checkout source
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
- with:
- ref: ${{ github.event.release.tag_name }}
-
- - name: Set up Node.js environment
- uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
- with:
- node-version: lts/*
- cache: npm
-
- - name: Install dependencies
- run: npm ci --ignore-scripts
- env:
- NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Run postinstall scripts
- run: npm rebuild && npm run prepare --if-present
-
- - name: Create tarball
- run: npm pack
-
- - name: Save tarball
- uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3
- with:
- name: package
- path: "*.tgz"
- retention-days: 1
+ - name: Prepare source
+ uses: myrotvorets/composite-actions/node-prepublish@master
 publish:
- name: Publish package
+ name: Publish package (${{ matrix.registry }})
 runs-on: ubuntu-latest
 needs: prepare
+ permissions:
+ contents: read
+ packages: write
+ statuses: write
 strategy:
 matrix:
 registry:
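Review bot: The new step `uses: myrotvorets/composite-actions/node-prepublish@master` references the composite action by a mutable branch, whereas every third-party action in this commit is pinned to a commit SHA (`actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2`); any push to that branch changes what this release pipeline runs, and the next hunk hands the same kind of reference the registry tokens. Pin it to a commit SHA with the same `# tag=` annotation; the same applies to `node-publish@master` in the next hunk and to `build-test-nodejs@master` and `node-sonarscan@master` in push-tag.yml and sonarscan.yml. The removed steps checked out `ref: ${{ github.event.release.tag_name }}` explicitly; the composite call passes no ref, so confirm it builds the tagged commit on `release` events.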
@@ -67,39 +48,9 @@ jobs:
 secret: GITHUB_TOKEN
 registry_url: https://npm.pkg.github.com/
 steps:
- - name: Set commit status to PENDING
- uses: myrotvorets/set-commit-status-action@74391422f441069685b0836133f6117f286debe5 # tag=1.1.5
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- status: pending
- context: Publish to ${{ matrix.registry }}
- sha: ${{ github.sha }}
- if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
-
- - name: Set up Node.js environment
- if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
- uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
+ - name: Publish package
+ uses: myrotvorets/composite-actions/node-publish@master
 with:
- node: lts/*
+ node-auth-token: ${{ secrets[matrix.secret] }}
 registry-url: ${{ matrix.registry_url }}
-
- - name: Download tarball
- if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3
- with:
- name: package
-
- - name: Publish package
 if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
- run: npm publish *.tgz
- env:
- NODE_AUTH_TOKEN: ${{ secrets[matrix.secret] }}
-
- - name: Set final commit status
- uses: myrotvorets/set-commit-status-action@74391422f441069685b0836133f6117f286debe5 # tag=1.1.5
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- status: ${{ job.status }}
- context: Publish to ${{ matrix.registry }}
- sha: ${{ github.sha }}
- if: always() && (github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release')
diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
index c2f03ff..70c6eba 100644
--- a/.github/workflows/package-audit.yml
+++ b/.github/workflows/package-audit.yml
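Review bot: With both set-commit-status steps removed, nothing visible in this job writes commit statuses any more, yet the job keeps `statuses: write` (granted in the previous hunk next to `packages: write`); unless `node-publish` sets statuses itself, drop it so the job holds only what publishing needs. The surviving `if:` is placed after the step's `with:` block, which is valid but easy to overlook; moving it directly under `- name: Publish package` keeps the gate next to the step it protects.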
@@ -2,12 +2,17 @@ name: Package Audit
 on:
 push:
+ branches:
+ - '**'
 paths:
 - package.json
 - package-lock.json
 - .github/workflows/package-audit.yml
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 audit-npm:
 name: NPM Audit
diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml
index db9e9eb..e1c408c 100644
--- a/.github/workflows/push-tag.yml
+++ b/.github/workflows/push-tag.yml
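Review bot: The added `- '**'` is single-quoted while the same glob is written `- "**"` in build.yml and push-tag.yml in this commit; pick one style for the workflow files. Adding `branches:` also narrows the trigger slightly: a push event now matches branch refs only, so tag pushes that previously ran this audit no longer do; if that is intended, a comment such as `# any branch (tag pushes excluded), and only when the manifest, lockfile or this workflow changes` would stop readers assuming the filter merely widened.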
@@ -3,60 +3,32 @@ name: Pre-release Testing
 on:
 push:
 tags:
- - "*"
+ - "**"
+
+permissions:
+ contents: read
 jobs:
 build:
 name: Build and test
 runs-on: ubuntu-latest
 steps:
- - name: Check out the code
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
-
- - name: Set up Node.js environment
- uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
- with:
- node-version: lts/*
- cache: npm
-
- - name: Install dependencies
- run: npm ci --ignore-scripts
- env:
- NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Run postinstall scripts
- run: npm rebuild && npm run prepare --if-present
-
- - name: Run tests
- run: npm test
- env:
- COLLECT_COVERAGE: "0"
+ - name: Build and test
+ uses: myrotvorets/composite-actions/build-test-nodejs@master
 release:
 name: Prepare the release
 runs-on: ubuntu-latest
 needs: build
-
+ permissions:
+ contents: write
 steps:
 - name: Checkout
 uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
- - name: Fetch tags
- run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
-
- - name: Get release description
- id: release_params
- run: |
- SUBJECT="$(git for-each-ref "${{ github.ref }}" --format="%(contents:subject)")"
- BODY="$(git for-each-ref "${{ github.ref }}" --format="%(contents:body)")"
- echo "::set-output name=subject::${SUBJECT}"
- echo "::set-output name=body::${BODY}"
 - name: Create a release
- uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # renovate: tag=v1.1.4
+ uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # tag=v0.1.14
+ with:
+ generate_release_notes: true
 env:
 GITHUB_TOKEN: ${{ secrets.REPOSITORY_ACCESS_TOKEN }}
- with:
- tag_name: ${{ github.ref }}
- release_name: ${{ steps.release_params.subject }}
- body: ${{ steps.release_params.body }}
diff --git a/.github/workflows/sonarscan.yml b/.github/workflows/sonarscan.yml
index 0fe7606..8a6b7c7 100644
--- a/.github/workflows/sonarscan.yml
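Review bot: The `release` job is granted `permissions: contents: write`, but the only step that writes, `softprops/action-gh-release`, authenticates with the PAT `secrets.REPOSITORY_ACCESS_TOKEN`, so the elevated built-in token has no consumer; keep one or the other. If the PAT is deliberate — a release created with `GITHUB_TOKEN` does not raise the `release` event that npm-publish.yml's `if: github.event_name == 'release'` waits on — record that with `# PAT on purpose: releases created with GITHUB_TOKEN do not trigger npm-publish.yml` on the `env:` line and reduce the job to `contents: read`. The trigger change from `tags: "*"` to `"**"` also starts matching tags containing `/`; fine if intended, but worth a word in the commit message.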
+++ b/.github/workflows/sonarscan.yml
@@ -9,8 +9,12 @@ on:
 - master
 workflow_dispatch:
+permissions:
+ contents: read
+
 env:
 SONARSCANNER: "true"
+ COLLECT_COVERAGE: "1"
 jobs:
 build:
@@ -21,46 +25,7 @@ jobs:
 github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' || github.event_name == 'push' && !contains(github.event.head_commit.message, '[ci skip]')
 steps:
- - name: Check out the source code
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
- with:
- fetch-depth: 0
-
- - name: Set up Node.js environment
- uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
- with:
- node-version: lts/*
- cache: npm
-
- - name: Install dependencies
- run: npm ci --ignore-scripts
- env:
- NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Run postinstall scripts
- run: npm rebuild && npm run prepare --if-present
-
- - name: Run tests
- run: npm test
- env:
- COLLECT_COVERAGE: "1"
-
- - name: Retrieve information from package.json
- uses: myrotvorets/info-from-package-json-action@ac520d803506a6f636b89cf1c1b63dd6c2d7d053 # tag=1.1.1
- id: ver
-
- - name: Fix paths in test-report.xml
- run: sed -i "s@$(pwd)@/github/workspace@g" test-report.xml
-
- - name: SonarCloud Scan
- uses: SonarSource/sonarcloud-github-action@master
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ - name: Run SonarCloud analysis
+ uses: myrotvorets/composite-actions/node-sonarscan@master
 with:
- args: >
- -Dsonar.projectName=${{ steps.ver.outputs.packageName }}
- -Dsonar.projectVersion=${{ steps.ver.outputs.packageVersion }}
- -Dsonar.links.homepage=${{ steps.ver.outputs.packageHomepage }}
- -Dsonar.links.issue=${{ steps.ver.outputs.packageBugsUrl }}
- -Dsonar.links.scm=${{ steps.ver.outputs.packageScmUrl }}
+ sonar-token: ${{ secrets.SONAR_TOKEN }}
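Review bot: The removed checkout used `fetch-depth: 0`, which SonarCloud's blame and new-code detection generally require, and the removed scan step passed `GITHUB_TOKEN` for pull-request decoration; the replacement `node-sonarscan@master` call receives only `sonar-token`, so confirm the composite clones full history and obtains the GitHub token itself, otherwise the analysis degrades without an error. A comment above the step, e.g. `# node-sonarscan is expected to clone with full history; Sonar's new-code detection needs it`, would make that dependency explicit. The `if:` expression at the top of this hunk starts outside it and is unchanged here.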