test: Migrate CI to GitHub Actions [SDK-4451] (#372)

Author: Evan Sims

.github/actions/build/action.yml

@@ -0,0 +1,24 @@
+name: Build package
+description: Build the SDK package
+
+inputs:
+  node:
+    description: The Node version to use
+    required: false
+    default: 18
+
+runs:
+  using: composite
+
+  steps:
+    - name: Setup Node
+      uses: actions/setup-node@v3
+      with:
+        node-version: ${{ inputs.node }}
+        cache: npm
+
+    - name: Install dependencies
+      shell: bash
+      run: npm ci
+      env:
+        NODE_ENV: development

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'daily'

.github/workflows/codeql.yml

@@ -0,0 +1,53 @@
+name: CodeQL
+
+on:
+  merge_group:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: '37 10 * * 2'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+  analyze:
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript]
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: '/language:${{ matrix.language }}'

.github/workflows/matrix.json

@@ -0,0 +1,7 @@
+{
+  "include": [
+    { "node": "18" },
+    { "node": "16" },
+    { "node": "14" }
+  ]
+}

.github/workflows/publish.yml

@@ -0,0 +1,109 @@
+name: Publish Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: The branch to release from
+        required: true
+        default: master
+      version:
+        description: The version being published. This should be a valid semver version, such as `1.0.0`.
+        required: true
+        default: ""
+        type: string
+      dry-run:
+        type: boolean
+        description: Perform a publishing dry run. This will not publish the release, but will validate the release and log the commands that would be run.
+        default: false
+
+permissions:
+  contents: read
+  id-token: write # For publishing to NPM with provenance. Allows developers to run `npm audit signatures` and verify release signature of SDK. @see https://github.blog/2023-04-19-introducing-npm-package-provenance/
+  packages: write # For cross-publishing to GitHub Packages registry.
+
+env:
+  NODE_VERSION: 18
+  NODE_ENV: development
+
+jobs:
+  configure:
+    name: Validate input parameters
+    runs-on: ubuntu-latest
+
+    outputs:
+      vtag: ${{ steps.vtag.outputs.vtag }} # The fully constructed release tag to use for publishing
+      dry-run: ${{ steps.dry-run.outputs.dry-run }} # The dry-run flag to use for publishing, if applicable
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.branch }}
+
+      # Configure for dry-run, if applicable. @see https://docs.npmjs.com/cli/v9/commands/npm-publish#dry-run
+      - id: dry-run
+        if: ${{ github.event.inputs.dry-run == 'true' }}
+        name: Configure for `--dry-run`
+        run: |
+          echo "dry-run=--dry-run" >> $GITHUB_ENV
+          echo "dry-run=--dry-run" >> $GITHUB_OUTPUT
+
+      # Build the tag string from package.json version and release suffix. Produces something like `1.0.0-beta.1` for a beta, or `1.0.0` for a stable release.
+      - name: Build tag
+        id: vtag
+        run: |
+          PACKAGE_VERSION="${{ github.event.inputs.version }}"
+          echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_ENV
+          echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_OUTPUT
+
+      # Ensure tag does not already exist.
+      - name: Validate version
+        uses: actions/github-script@v6
+        env:
+          vtag: ${{ env.vtag }}
+        with:
+          script: |
+            const releaseMeta = github.rest.repos.listReleases.endpoint.merge({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            });
+
+            const releases = await github.paginate(releaseMeta);
+
+            for (const release of releases) {
+              if (release.name === process.env.vtag) {
+                throw new Error(`${process.env.vtag} already exists`);
+              }
+            }
+
+            console.log(`${process.env.vtag} does not exist. Proceeding with release.`)
+
+  publish-npm:
+    needs: configure
+
+    name: Publish to NPM
+    runs-on: ubuntu-latest
+    environment: "release"
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.branch }}
+
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Publish release to NPM
+        run: npm publish --provenance --tag ${{ needs.configure.outputs.vtag }} ${{ needs.configure.outputs.dry-run }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/semgrep.yml

@@ -1,23 +1,48 @@
 name: Semgrep
 
 on:
-  pull_request: {}
-
+  merge_group:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
   push:
-    branches: ["master", "main"]
-
+    branches:
+      - master
   schedule:
     - cron: '30 0 1,15 * *'
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
 jobs:
-  semgrep:
-    name: Scan
+  authorize:
+    name: Authorize
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
     runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  run:
+    needs: authorize # Require approval before running on forked pull requests
+
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
     container:
       image: returntocorp/semgrep
-    if: (github.actor != 'dependabot[bot]')
+
     steps:
-      - uses: actions/checkout@v3
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
       - run: semgrep ci
         env:

.github/workflows/snyk.yml

@@ -0,0 +1,47 @@
+name: Snyk
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: '30 0 1,15 * *'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+  authorize:
+    name: Authorize
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  check:
+    needs: authorize
+
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # [email protected]
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}