Skip to content

ci(action): update github/codeql-action action to v3.27.3 #2586

ci(action): update github/codeql-action action to v3.27.3

ci(action): update github/codeql-action action to v3.27.3 #2586

Workflow file for this run

name: Test
on:
push:
branches:
- renovate/**
pull_request:
branches:
- main
- alpha
workflow_call:
secrets:
SONAR_TOKEN:
required: true
permissions:
contents: read
jobs:
# prevent duplicate checks on Renovate PRs
prevent-duplicate-checks:
runs-on: ubuntu-latest
steps:
- uses: insurgent-lab/is-in-pr-action@129df59687402c4a9c81a9a9e88d7448cdbba541 # v0.2.0
id: isInPR
outputs:
should-run: ${{ !(steps.isInPR.outputs.result == 'true' && startsWith(github.ref, 'refs/heads/renovate/')) }}
test_matrix:
strategy:
matrix:
node-version: [16, 18, 20]
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
timeout-minutes: 10
needs: prevent-duplicate-checks
if: ${{ needs.prevent-duplicate-checks.outputs.should-run == 'true' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
nodejs.org:443
registry.npmjs.org:443
storage.googleapis.com:443
tuf-repo-cdn.sigstore.dev:443
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
with:
node-version: ${{ matrix.node-version }}
cache: npm
- name: Install packages
run: npm ci
- name: Audit npm signatures
run: npm audit signatures
- name: Check codestyle compliance
run: npm run lint
- name: Run tests
run: npm test
- name: Upload coverage report
if: strategy.job-index == 0
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
with:
name: coverage-report
path: coverage/lcov.info
sonarcloud:
runs-on: ubuntu-latest
needs:
- prevent-duplicate-checks
- test_matrix
if: ${{ needs.prevent-duplicate-checks.outputs.should-run == 'true' }}
permissions:
pull-requests: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
*.amazonaws.com:443
github.com:443
sonarcloud.io:443
*.sonarcloud.io:443
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
fetch-depth: 0
- name: Download coverage report
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4
with:
name: coverage-report
path: coverage/
- name: Run SonarCloud scan
uses: SonarSource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# separate job to set as required status check in branch protection
required_check:
runs-on: ubuntu-latest
needs:
- test_matrix
- sonarcloud
if: always()
steps:
- name: All required jobs and matrix versions passed
if: ${{ !(contains(needs.*.result, 'failure')) }}
run: exit 0
- name: Some required jobs or matrix versions failed
if: ${{ contains(needs.*.result, 'failure') }}
run: exit 1