generated from insurgent-lab/javascript-lib-template
-
Notifications
You must be signed in to change notification settings - Fork 0
136 lines (117 loc) · 3.78 KB
/
test.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: Test
on:
push:
# ignore branches where the release workflow runs as it already calls this one
branches-ignore:
- main
- next
- dev
pull_request:
branches:
- main
- next
- dev
workflow_call:
secrets:
SONAR_TOKEN:
required: true
permissions:
contents: read
jobs:
# ignore the push event trigger if a PR is open for the current branch
prevent-duplicate-checks:
runs-on: ubuntu-latest
steps:
- uses: insurgent-lab/is-in-pr-action@129df59687402c4a9c81a9a9e88d7448cdbba541 # v0.2.0
id: isInPR
outputs:
should-run: ${{ !(steps.isInPR.outputs.result == 'true' && github.event_name == 'push') }}
test_matrix:
strategy:
matrix:
node-version: [16, 18, 20]
runs-on: ubuntu-latest
timeout-minutes: 5
needs: prevent-duplicate-checks
if: ${{ needs.prevent-duplicate-checks.outputs.should-run == 'true' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
registry.npmjs.org:443
storage.googleapis.com:443
tuf-repo-cdn.sigstore.dev:443
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{ matrix.node-version }}
cache: npm
- name: Install packages
run: npm ci
- name: Audit npm signatures
run: npm audit signatures
- name: Check codestyle compliance
run: npm run lint
- name: Run tests
run: npm test
- name: Upload coverage report
if: strategy.job-index == 0
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: coverage-report
path: coverage/lcov.info
sonarcloud:
runs-on: ubuntu-latest
needs:
- prevent-duplicate-checks
- test_matrix
if: ${{ needs.prevent-duplicate-checks.outputs.should-run == 'true' }}
permissions:
pull-requests: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
*.amazonaws.com:443
github.com:443
sonarcloud.io:443
*.sonarcloud.io:443
- name: Checkout code
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
- name: Download coverage report
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: coverage-report
path: coverage/
- name: Run SonarCloud scan
uses: SonarSource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# separate job to set as required status check in branch protection
required_check:
runs-on: ubuntu-latest
needs:
- test_matrix
- sonarcloud
if: always()
steps:
- name: All required jobs and matrix versions passed
if: ${{ !(contains(needs.*.result, 'failure')) }}
run: exit 0
- name: Some required jobs or matrix versions failed
if: ${{ contains(needs.*.result, 'failure') }}
run: exit 1