Merge pull request #341 from myrotvorets/update-workflows

Update workflows
myrotvorets · Jun 25, 2022 · 6e93155 · 6e93155
2 parents 6c17ae8 + 360dc23
commit 6e93155
Show file tree

Hide file tree

Showing 8 changed files with 136 additions and 208 deletions.
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
@@ -0,0 +1,10 @@
+name: CodeQL Config
+
+paths:
+  - lib
+
+paths-ignore:
+  - node_modules
+
+queries:
+  - uses: security-and-quality
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,44 +1,28 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Build and Test
 
 on:
   push:
     branches:
-      - '**'
+      - "**"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    name: Build and test (Node ${{ matrix.node.name }})
     runs-on: ubuntu-latest
     if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
     strategy:
       matrix:
         node:
-          - '14'
-          - '16'
-          - '18'
-    name: Build and test (Node ${{ matrix.node }})
+          - { name: Current,      version: current }
+          - { name: LTS,          version: lts/* }
+          - { name: Previous LTS, version: lts/-1 }
     steps:
-      - name: Check out the code
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
-
-      - name: Set up Node.js environment
-        uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
+      - name: Build and test
+        uses: myrotvorets/composite-actions/build-test-nodejs@master
         with:
-          node-version: ${{ matrix.node }}
-          cache: npm
-
-      - name: Update npm
-        run: npm i -g npm@latest
-
-      - name: Install dependencies
-        run: npm ci --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run postinstall scripts
-        run: npm rebuild && npm run prepare --if-present
-
-      - name: Run tests
-        run: npm test
-        env:
-          COLLECT_COVERAGE: "0"
+          node-version: ${{ matrix.node.version }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,43 @@
+name: CodeQL Analysis
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+    paths:
+      - "lib/**.ts"
+      - ".github/workflows/codeql-analysis.yml"
+  schedule:
+    - cron: '24 2 * * 6'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Static Code Analysis with CodeQL
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - javascript
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@41a4ada31ba866a7f1196b9602703a89edd69e22 # tag=v2.1.14
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@41a4ada31ba866a7f1196b9602703a89edd69e22 # tag=v2.1.14
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,26 @@
+name: Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    name: Review Dependencies
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 # tag=v1.4.3
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+
+      - name: Check out the source code
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: Review dependencies
+        uses: actions/dependency-review-action@1c59cdf2a9c7f29c90e8da32237eb04b81bad9f0 # tag=v2
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -15,45 +15,26 @@ on:
         description: Publish to GPR?
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   prepare:
-    name: Prepare the source code
+    name: Prepare source code
     runs-on: ubuntu-latest
     if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes'
     steps:
-      - name: Checkout source
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
-        with:
-          ref: ${{ github.event.release.tag_name }}
-
-      - name: Set up Node.js environment
-        uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
-        with:
-          node-version: 'lts/*'
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run postinstall scripts
-        run: npm rebuild && npm run prepare --if-present
-
-      - name: Create tarball
-        run: npm pack
-
-      - name: Save tarball
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3
-        with:
-          name: package
-          path: "*.tgz"
-          retention-days: 1
+      - name: Prepare source
+        uses: myrotvorets/composite-actions/node-prepublish@master
 
   publish:
-    name: Publish package
+    name: Publish package (${{ matrix.registry }})
     runs-on: ubuntu-latest
     needs: prepare
+    permissions:
+      contents: read
+      packages: write
+      statuses: write
     strategy:
       matrix:
         registry:
@@ -67,38 +48,9 @@ jobs:
             secret: GITHUB_TOKEN
             registry_url: https://npm.pkg.github.com/
     steps:
-      - name: Set commit status to PENDING
-        uses: myrotvorets/set-commit-status-action@74391422f441069685b0836133f6117f286debe5 # tag=1.1.5
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          status: pending
-          context: Publish to ${{ matrix.registry }}
-          sha: ${{ github.sha }}
-        if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
-
-      - name: Set up Node.js environment
-        if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
-        uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
+      - name: Publish package
+        uses: myrotvorets/composite-actions/node-publish@master
         with:
+          node-auth-token: ${{ secrets[matrix.secret] }}
           registry-url: ${{ matrix.registry_url }}
-
-      - name: Download tarball
-        if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3
-        with:
-          name: package
-
-      - name: Publish package
         if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
-        run: npm publish *.tgz
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets[matrix.secret] }}
-
-      - name: Set final commit status
-        uses: myrotvorets/set-commit-status-action@74391422f441069685b0836133f6117f286debe5 # tag=1.1.5
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          status: ${{ job.status }}
-          context: Publish to ${{ matrix.registry }}
-          sha: ${{ github.sha }}
-        if: always() && (github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release')
diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
@@ -3,55 +3,31 @@ name: Package Audit
 on:
   push:
     branches:
-      - master
-    paths:
-      - package.json
-      - package-lock.json
-  pull_request:
-    branches:
-      - master
+      - '**'
     paths:
       - package.json
       - package-lock.json
+      - .github/workflows/package-audit.yml
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   audit-npm:
+    name: NPM Audit
     runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
-
-      - name: Setup Node.js environment
-        uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
-        with:
-          node-version: 'lts/*'
 
-      - name: Run audit
-        run: npm audit --production
+    steps:
+      - name: Audit with NPM
+        uses: myrotvorets/composite-actions/node-package-audit@master
 
   audit-retire:
+    name: RetireJS Check
     runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
-        with:
-          submodules: true
 
-      - name: Setup Node.js environment
-        uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
+    steps:
+      - name: Audit with Retire.js
+        uses: myrotvorets/composite-actions/node-package-audit-retirejs@master
         with:
-          node-version: 'lts/*'
           registry-url: https://npm.pkg.github.com
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install retire.js
-        run: npm i -g retire
-
-      - name: Run audit
-        run: retire -n
diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml
@@ -3,60 +3,32 @@ name: Pre-release Testing
 on:
   push:
     tags:
-      - "*"
+      - "**"
+
+permissions:
+  contents: read
 
 jobs:
   build:
     name: Build and test
     runs-on: ubuntu-latest
     steps:
-      - name: Check out the code
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
-
-      - name: Set up Node.js environment
-        uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
-        with:
-          node-version: 'lts/*'
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run postinstall scripts
-        run: npm rebuild && npm run prepare --if-present
-
-      - name: Run tests
-        run: npm test
-        env:
-          COLLECT_COVERAGE: "0"
+      - name: Build and test
+        uses: myrotvorets/composite-actions/build-test-nodejs@master
 
   release:
     name: Prepare the release
     runs-on: ubuntu-latest
     needs: build
-
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
-      - name: Fetch tags
-        run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
-
-      - name: Get release description
-        id: release_params
-        run: |
-          SUBJECT="$(git for-each-ref "${{ github.ref }}" --format="%(contents:subject)")"
-          BODY="$(git for-each-ref "${{ github.ref }}" --format="%(contents:body)")"
-          echo "::set-output name=subject::${SUBJECT}"
-          echo "::set-output name=body::${BODY}"
-
       - name: Create a release
-        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # renovate: tag=v1.1.4
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # tag=v0.1.14
+        with:
+          generate_release_notes: true
         env:
           GITHUB_TOKEN: ${{ secrets.REPOSITORY_ACCESS_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ steps.release_params.subject }}
-          body: ${{ steps.release_params.body }}