fix(audit): npm audit fix (#304) #1379
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build, Test, and Deliver Client | |
| env: | |
| do_sonarscan: >- | |
| ${{ github.event_name == 'push' || | |
| github.event.pull_request.head.repo.full_name == github.repository }} | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| - release/[0-9]+.[0-9]+.[0-9]+ | |
| release: | |
| types: | |
| - created | |
| jobs: | |
| lib: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./lib | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: ${{ !fromJSON(env.do_sonarscan) && 1 || 0 }} | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| cache-dependency-path: './lib/package-lock.json' | |
| - run: npm ci | |
| - run: npm test | |
| - uses: fingerprintjs/action-coverage-report-md@v2 | |
| id: coverage-md | |
| with: | |
| srcBasePath: './' | |
| textReportPath: './lib/coverage/coverage.txt' | |
| - run: echo "${MARKDOWN_REPORT}" >>$GITHUB_STEP_SUMMARY | |
| env: | |
| MARKDOWN_REPORT: '${{ steps.coverage-md.outputs.markdownReport }}' | |
| - run: npm audit --omit dev && npm audit --audit-level high --omit dev | |
| - run: npm run license-check | |
| - run: npm run lint | |
| - run: npm pack | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: opentdf-client-lib | |
| path: ./lib/opentdf-client-*.tgz | |
| - name: SonarCloud Scan | |
| if: fromJSON(env.do_sonarscan) | |
| uses: SonarSource/sonarcloud-github-action@master | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| remote-store: | |
| needs: | |
| - lib | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./remote-store | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| cache-dependency-path: './remote-store/package-lock.json' | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: opentdf-client-lib | |
| path: lib/ | |
| - run: npm uninstall @opentdf/client && npm ci && npm i ../lib/opentdf-client-*.tgz | |
| - run: npm install | |
| - run: npm test | |
| - run: npm audit | |
| - run: npm run license-check | |
| - run: npm run lint | |
| - run: npm pack | |
| cli: | |
| needs: | |
| - lib | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./cli | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| cache-dependency-path: './cli/package-lock.json' | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: opentdf-client-lib | |
| path: lib/ | |
| - run: npm uninstall @opentdf/client && npm ci && npm i ../lib/opentdf-client-*.tgz | |
| - run: npm test | |
| - run: npm audit --omit dev && npm audit --audit-level high --omit dev | |
| - run: npm run license-check | |
| - run: npm run lint | |
| - run: npm pack | |
| - name: Setup BATS | |
| uses: mig4/setup-bats@v1 | |
| with: | |
| bats-version: 1.2.1 | |
| - run: bats bin/opentdf.bats | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: opentdf-cli | |
| path: ./cli/opentdf-cli-*.tgz | |
| web-app: | |
| needs: | |
| - lib | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./web-app | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| cache-dependency-path: './web-app/package-lock.json' | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: opentdf-client-lib | |
| path: lib/ | |
| - run: npm uninstall @opentdf/client && npm ci && npm i ../lib/opentdf-client-*.tgz | |
| - run: npm install | |
| - run: npm test | |
| - run: npm audit --omit dev && npm audit --audit-level high --omit dev | |
| - run: npm run license-check | |
| - run: npm run lint | |
| - run: npm pack | |
| scripts: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: .github/workflows | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: 🦇🦇🦇🦇🦇🦇 | |
| run: docker run --rm -v "$PWD:/mnt" --workdir "/mnt" bats/bats:1.11.0 *.bats | |
| - name: 🦪 ✔ 🧼🧼🧼 | |
| run: >- | |
| docker run --rm -v "$PWD:/mnt" --workdir "/mnt" "koalaman/shellcheck:v0.10.0" | |
| --color=always *.sh | |
| backend-roundtrip: | |
| needs: | |
| - cli | |
| - lib | |
| - web-app | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: .github/workflows/roundtrip | |
| timeout-minutes: 45 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| cache-dependency-path: './web-app/package-lock.json' | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: opentdf-client-lib | |
| path: lib/ | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: opentdf-cli | |
| path: cli/ | |
| - uses: yokawasa/[email protected] | |
| with: | |
| setup-tools: | | |
| kubectl | |
| helm | |
| tilt | |
| # This should be in sync with the minikube-deployed kube version below | |
| kubectl: '1.30.0' | |
| helm: '3.14.4' | |
| tilt: '0.33.13' | |
| - run: | | |
| kubectl version --client | |
| kustomize version | |
| tilt version | |
| - name: start minikube | |
| id: minikube | |
| uses: medyagh/setup-minikube@master | |
| with: | |
| minikube-version: 1.33.0 | |
| # This should be in sync with the setup-tools version above | |
| kubernetes-version: 1.30.0 | |
| - name: Run tilt ci | |
| env: | |
| TEST_SCRIPT: ./wait-and-test.sh backend | |
| OPENTDF_INGRESS_HOST_PORT: '5432' | |
| PLAYWRIGHT_TESTS_TO_RUN: roundtrip | |
| run: tilt ci | |
| platform-roundtrip: | |
| needs: | |
| - cli | |
| - lib | |
| - web-app | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: .github/workflows/roundtrip | |
| timeout-minutes: 45 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| cache-dependency-path: './web-app/package-lock.json' | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: opentdf-client-lib | |
| path: lib/ | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: opentdf-cli | |
| path: cli/ | |
| - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 | |
| with: | |
| go-version: '1.22' | |
| - name: Git clone backend | |
| run: | | |
| git clone --single-branch --branch PLAT-3082-nanotdf-encrypt --depth 1 https://github.com/opentdf/platform.git \ | |
| || git clone --depth 1 https://github.com/opentdf/platform.git | |
| go work init | |
| for x in platform/{protocol/go,lib/{fixtures,ocrypto},sdk,service}; do go work use "$x"; done | |
| - run: docker compose up -d --wait --wait-timeout 240 | |
| - env: | |
| PLAYWRIGHT_TESTS_TO_RUN: roundtrip | |
| run: |- | |
| ./wait-and-test.sh platform | |
| deliver-ghp: | |
| needs: | |
| - lib | |
| - cli | |
| - web-app | |
| - scripts | |
| - backend-roundtrip | |
| - platform-roundtrip | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| # To publish from a release or feature branch, remove the ref == condition below | |
| if: >- | |
| (github.event_name == 'push' && github.ref == 'refs/heads/main') || | |
| (github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release/')) || | |
| (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/')) | |
| outputs: | |
| FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }} | |
| DIST_TAG: ${{ steps.guess-build-metadata.outputs.DIST_TAG }} | |
| TARGET_VERSION: ${{ steps.check-version.outputs.TARGET_VERSION }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| registry-url: https://npm.pkg.github.com | |
| - name: Check version number is same between tag, library, and/or release | |
| id: check-version | |
| run: |- | |
| if [[ ${{ github.ref }} = refs/heads/release/* ]]; then | |
| scripts/check-version-is.sh "${GITHUB_REF##*release/}" | |
| elif [[ ${{ github.ref }} = refs/tags/v* ]]; then | |
| scripts/check-version-is.sh "${GITHUB_REF_NAME#v}" | |
| else | |
| scripts/check-version-is.sh | |
| fi | |
| - name: Check version number is same between tag, library, and/or release | |
| id: guess-build-metadata | |
| run: |- | |
| echo "FULL_VERSION=$(.github/workflows/gh-semver.sh)" >> $GITHUB_OUTPUT | |
| echo "DIST_TAG=$(.github/workflows/guess-dist-tag.sh)" >> $GITHUB_OUTPUT | |
| - run: make test | |
| - run: make doc | |
| - run: >- | |
| echo "::notice file=lib/package.json::Will be published to | |
| [GitHub Packages](https://github.com/opentdf/client-web/pkgs/npm/client) | |
| as ${{ steps.guess-build-metadata.outputs.DIST_TAG }} | |
| with version=[${{ steps.guess-build-metadata.outputs.FULL_VERSION }}]" | |
| - run: >- | |
| .github/workflows/publish-to.sh | |
| "${{ steps.guess-build-metadata.outputs.FULL_VERSION }}" | |
| "${{ steps.guess-build-metadata.outputs.DIST_TAG }}" | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - run: echo "- [Client Library](https://github.com/opentdf/client-web/pkgs/npm/client)">>$GITHUB_STEP_SUMMARY | |
| - run: echo "- [Command Line Tool](https://github.com/opentdf/client-web/pkgs/npm/cli)">>$GITHUB_STEP_SUMMARY | |
| - name: trigger xtest | |
| run: >- | |
| curl -XPOST -u "virtru-cloudnative:${{secrets.PERSONAL_ACCESS_TOKEN}}" | |
| -H "Accept: application/vnd.github.everest-preview+json" | |
| -H "Content-Type: application/json" | |
| "https://api.github.com/repos/opentdf/backend/dispatches" | |
| --data '{"event_type":"xtest","client_payload":{"version":"'${FULL_VERSION%%+*}'"}}' | |
| env: | |
| FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }} | |
| - name: Publish documentation to gh-pages | |
| uses: JamesIves/[email protected] | |
| with: | |
| branch: gh-pages | |
| folder: lib/dist/docs | |
| deliver-npmjs: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| environment: npmjs | |
| needs: deliver-ghp | |
| if: >- | |
| (github.event_name == 'push' && github.ref == 'refs/heads/main') || | |
| (github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release/')) || | |
| (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/')) | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| registry-url: 'https://registry.npmjs.org' | |
| - run: make all | |
| - run: >- | |
| .github/workflows/publish-to.sh | |
| "${{ needs.deliver-ghp.outputs.FULL_VERSION }}" | |
| "${{ needs.deliver-ghp.outputs.DIST_TAG }}" | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| - run: >- | |
| echo "- [Client Library](https://www.npmjs.com/package/@opentdf/client/v/${{ needs.deliver-ghp.outputs.FULL_VERSION }})">>$GITHUB_STEP_SUMMARY | |
| - run: >- | |
| echo "- [Remote Store](https://www.npmjs.com/package/@opentdf/remote-store/v/${{ needs.deliver-ghp.outputs.FULL_VERSION }})">>$GITHUB_STEP_SUMMARY | |
| - run: >- | |
| echo "- [Command Line Tool](https://www.npmjs.com/package/@opentdf/cli/v/${{ needs.deliver-ghp.outputs.FULL_VERSION }})">>$GITHUB_STEP_SUMMARY | |
| - run: >- | |
| echo "- [unpkg](https://unpkg.com/browse/@opentdf/client@${{ needs.deliver-ghp.outputs.FULL_VERSION }})">>$GITHUB_STEP_SUMMARY |