Skip to content

Commit

Permalink
test: Migrate CI to GitHub Actions [SDK-4451] (#372)
Browse files Browse the repository at this point in the history
  • Loading branch information
evansims authored Sep 20, 2023
2 parents aaabf64 + f1241b7 commit 2d7af05
Show file tree
Hide file tree
Showing 8 changed files with 388 additions and 8 deletions.
24 changes: 24 additions & 0 deletions .github/actions/build/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
name: Build package
description: Build the SDK package

inputs:
node:
description: The Node version to use
required: false
default: 18

runs:
using: composite

steps:
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version: ${{ inputs.node }}
cache: npm

- name: Install dependencies
shell: bash
run: npm ci
env:
NODE_ENV: development
6 changes: 6 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: 'github-actions'
directory: '/'
schedule:
interval: 'daily'
53 changes: 53 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
name: CodeQL

on:
merge_group:
pull_request:
types:
- opened
- synchronize
push:
branches:
- master
schedule:
- cron: '37 10 * * 2'

permissions:
actions: read
contents: read
security-events: write

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
analyze:
name: Check for Vulnerabilities
runs-on: ubuntu-latest

strategy:
fail-fast: false
matrix:
language: [javascript]

steps:
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- name: Checkout
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
queries: +security-and-quality

- name: Autobuild
uses: github/codeql-action/autobuild@v2

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: '/language:${{ matrix.language }}'
7 changes: 7 additions & 0 deletions .github/workflows/matrix.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"include": [
{ "node": "18" },
{ "node": "16" },
{ "node": "14" }
]
}
109 changes: 109 additions & 0 deletions .github/workflows/publish.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
name: Publish Release

on:
workflow_dispatch:
inputs:
branch:
description: The branch to release from
required: true
default: master
version:
description: The version being published. This should be a valid semver version, such as `1.0.0`.
required: true
default: ""
type: string
dry-run:
type: boolean
description: Perform a publishing dry run. This will not publish the release, but will validate the release and log the commands that would be run.
default: false

permissions:
contents: read
id-token: write # For publishing to NPM with provenance. Allows developers to run `npm audit signatures` and verify release signature of SDK. @see https://github.blog/2023-04-19-introducing-npm-package-provenance/
packages: write # For cross-publishing to GitHub Packages registry.

env:
NODE_VERSION: 18
NODE_ENV: development

jobs:
configure:
name: Validate input parameters
runs-on: ubuntu-latest

outputs:
vtag: ${{ steps.vtag.outputs.vtag }} # The fully constructed release tag to use for publishing
dry-run: ${{ steps.dry-run.outputs.dry-run }} # The dry-run flag to use for publishing, if applicable

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.inputs.branch }}

# Configure for dry-run, if applicable. @see https://docs.npmjs.com/cli/v9/commands/npm-publish#dry-run
- id: dry-run
if: ${{ github.event.inputs.dry-run == 'true' }}
name: Configure for `--dry-run`
run: |
echo "dry-run=--dry-run" >> $GITHUB_ENV
echo "dry-run=--dry-run" >> $GITHUB_OUTPUT
# Build the tag string from package.json version and release suffix. Produces something like `1.0.0-beta.1` for a beta, or `1.0.0` for a stable release.
- name: Build tag
id: vtag
run: |
PACKAGE_VERSION="${{ github.event.inputs.version }}"
echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_ENV
echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_OUTPUT
# Ensure tag does not already exist.
- name: Validate version
uses: actions/github-script@v6
env:
vtag: ${{ env.vtag }}
with:
script: |
const releaseMeta = github.rest.repos.listReleases.endpoint.merge({
owner: context.repo.owner,
repo: context.repo.repo,
});
const releases = await github.paginate(releaseMeta);
for (const release of releases) {
if (release.name === process.env.vtag) {
throw new Error(`${process.env.vtag} already exists`);
}
}
console.log(`${process.env.vtag} does not exist. Proceeding with release.`)
publish-npm:
needs: configure

name: Publish to NPM
runs-on: ubuntu-latest
environment: "release"

steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.inputs.branch }}

- name: Setup Node
uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm

- name: Install dependencies
run: npm ci

- name: Publish release to NPM
run: npm publish --provenance --tag ${{ needs.configure.outputs.vtag }} ${{ needs.configure.outputs.dry-run }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
41 changes: 33 additions & 8 deletions .github/workflows/semgrep.yml
Original file line number Diff line number Diff line change
@@ -1,23 +1,48 @@
name: Semgrep

on:
pull_request: {}

merge_group:
pull_request_target:
types:
- opened
- synchronize
push:
branches: ["master", "main"]

branches:
- master
schedule:
- cron: '30 0 1,15 * *'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
semgrep:
name: Scan
authorize:
name: Authorize
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

run:
needs: authorize # Require approval before running on forked pull requests

name: Check for Vulnerabilities
runs-on: ubuntu-latest

container:
image: returntocorp/semgrep
if: (github.actor != 'dependabot[bot]')

steps:
- uses: actions/checkout@v3
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}

- run: semgrep ci
env:
Expand Down
47 changes: 47 additions & 0 deletions .github/workflows/snyk.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Snyk

on:
merge_group:
workflow_dispatch:
pull_request_target:
types:
- opened
- synchronize
push:
branches:
- master
schedule:
- cron: '30 0 1,15 * *'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
authorize:
name: Authorize
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

check:
needs: authorize

name: Check for Vulnerabilities
runs-on: ubuntu-latest

steps:
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}

- uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Loading

0 comments on commit 2d7af05

Please sign in to comment.