
Commit 2d7af05

author
Evan Sims
authored
test: Migrate CI to GitHub Actions [SDK-4451] (#372)
2 parents aaabf64 + f1241b7 commit 2d7af05


8 files changed

+388
-8
lines changed


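--- a/.github/actions/build/action.yml
+++ b/.github/actions/build/action.yml
@@ -0,0 +1,24 @@
+name: Build package
+description: Build the SDK package
+
+inputs:
+  node:
+    description: The Node version to use
+    required: false
+    default: 18
+
+runs:
+  using: composite
+
+  steps:
+    - name: Setup Node
+      uses: actions/setup-node@v3
+      with:
+        node-version: ${{ inputs.node }}
+        cache: npm
+
+    - name: Install dependencies
+      shell: bash
+      run: npm ci
+      env:
+        NODE_ENV: development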
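Review bot: `uses: actions/setup-node@v3` in the Setup Node step is pinned to a floating major tag, while snyk.yml in the same commit pins its action to a full commit SHA; for a composite action that every build runs, pinning to a SHA with the version in a comment, `uses: actions/setup-node@<commit-sha> # v3`, keeps the supply-chain posture consistent across the commit. The input default `default: 18` could also be written as `default: "18"`, matching the string form used for the same values in matrix.json. No workflow on this page calls this action, so how `inputs.node` is fed is inferred.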

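--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'daily'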
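Review bot: The `updates:` list only watches `github-actions`, so the npm dependencies that the build action installs with `npm ci` elsewhere in this commit get no Dependabot coverage. A second entry, `- package-ecosystem: 'npm'` with the same `directory: '/'` and `schedule:`, would close that gap and let the Snyk and CodeQL findings be paired with automated update PRs.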

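--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,53 @@
+name: CodeQL
+
+on:
+  merge_group:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: '37 10 * * 2'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+  analyze:
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript]
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: '/language:${{ matrix.language }}'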
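Review bot: The `run: exit 0` step at new lines 35–36 does not skip anything — a step that exits 0 simply succeeds, and the Checkout, Initialize CodeQL, Autobuild and Analyze steps after it carry no `if:` of their own, so they still run for dependabot and merge-queue events, contrary to the comment on that line. The same pattern is in the `run` job of semgrep.yml and the `check` job of snyk.yml. Because the comment says the job must stay a required check, a job-level `if:` is not an option; instead give each following step `if: ${{ !(github.actor == 'dependabot[bot]' || github.event_name == 'merge_group') }}`, or drop the first step entirely and put that expression on the remaining steps. The scheduled and push runs are unaffected either way.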

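--- a/.github/workflows/matrix.json
+++ b/.github/workflows/matrix.json
@@ -0,0 +1,7 @@
+{
+  "include": [
+    { "node": "18" },
+    { "node": "16" },
+    { "node": "14" }
+  ]
+}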

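--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,109 @@
+name: Publish Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: The branch to release from
+        required: true
+        default: master
+      version:
+        description: The version being published. This should be a valid semver version, such as `1.0.0`.
+        required: true
+        default: ""
+        type: string
+      dry-run:
+        type: boolean
+        description: Perform a publishing dry run. This will not publish the release, but will validate the release and log the commands that would be run.
+        default: false
+
+permissions:
+  contents: read
+  id-token: write # For publishing to NPM with provenance. Allows developers to run `npm audit signatures` and verify release signature of SDK. @see https://github.blog/2023-04-19-introducing-npm-package-provenance/
+  packages: write # For cross-publishing to GitHub Packages registry.
+
+env:
+  NODE_VERSION: 18
+  NODE_ENV: development
+
+jobs:
+  configure:
+    name: Validate input parameters
+    runs-on: ubuntu-latest
+
+    outputs:
+      vtag: ${{ steps.vtag.outputs.vtag }} # The fully constructed release tag to use for publishing
+      dry-run: ${{ steps.dry-run.outputs.dry-run }} # The dry-run flag to use for publishing, if applicable
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.branch }}
+
+      # Configure for dry-run, if applicable. @see https://docs.npmjs.com/cli/v9/commands/npm-publish#dry-run
+      - id: dry-run
+        if: ${{ github.event.inputs.dry-run == 'true' }}
+        name: Configure for `--dry-run`
+        run: |
+          echo "dry-run=--dry-run" >> $GITHUB_ENV
+          echo "dry-run=--dry-run" >> $GITHUB_OUTPUT
+
+      # Build the tag string from package.json version and release suffix. Produces something like `1.0.0-beta.1` for a beta, or `1.0.0` for a stable release.
+      - name: Build tag
+        id: vtag
+        run: |
+          PACKAGE_VERSION="${{ github.event.inputs.version }}"
+          echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_ENV
+          echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_OUTPUT
+
+      # Ensure tag does not already exist.
+      - name: Validate version
+        uses: actions/github-script@v6
+        env:
+          vtag: ${{ env.vtag }}
+        with:
+          script: |
+            const releaseMeta = github.rest.repos.listReleases.endpoint.merge({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            });
+
+            const releases = await github.paginate(releaseMeta);
+
+            for (const release of releases) {
+              if (release.name === process.env.vtag) {
+                throw new Error(`${process.env.vtag} already exists`);
+              }
+            }
+
+            console.log(`${process.env.vtag} does not exist. Proceeding with release.`)
+
+  publish-npm:
+    needs: configure
+
+    name: Publish to NPM
+    runs-on: ubuntu-latest
+    environment: "release"
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.branch }}
+
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Publish release to NPM
+        run: npm publish --provenance --tag ${{ needs.configure.outputs.vtag }} ${{ needs.configure.outputs.dry-run }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}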
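Review bot: `--tag ${{ needs.configure.outputs.vtag }}` on the publish line hands the release version to npm as a dist-tag, and npm refuses dist-tag names that parse as a valid semver range, so a plain `1.0.0` input looks likely to make the publish fail rather than land on `latest`; a dist-tag such as `latest` or `beta` should be derived from the version's prerelease suffix instead of reusing the version string. Separately, the Build tag step interpolates `github.event.inputs.version` directly into the shell line and the configure job never checks it against the semver shape the input description promises, so the value should reach the shell through `env:` and be validated before anything downstream uses it. The rewritten step below does both; the Validate version step and the rest of the job are unchanged.
```yaml
      - name: Build tag
        id: vtag
        env:
          PACKAGE_VERSION: ${{ github.event.inputs.version }}
        run: |
          # Reject anything that is not a plain semver string before it reaches git or npm.
          if ! [[ "$PACKAGE_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
            echo "::error::'$PACKAGE_VERSION' is not a valid semver version"
            exit 1
          fi
          echo "vtag=${PACKAGE_VERSION}" >> "$GITHUB_ENV"
          echo "vtag=${PACKAGE_VERSION}" >> "$GITHUB_OUTPUT"
      # … unchanged: Validate version step …
```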

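--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -1,23 +1,48 @@
 name: Semgrep
 
 on:
-  pull_request: {}
-
+  merge_group:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
   push:
-    branches: ["master", "main"]
-
+    branches:
+      - master
   schedule:
     - cron: '30 0 1,15 * *'
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
 jobs:
-  semgrep:
-    name: Scan
+  authorize:
+    name: Authorize
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
     runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  run:
+    needs: authorize # Require approval before running on forked pull requests
+
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
     container:
       image: returntocorp/semgrep
-    if: (github.actor != 'dependabot[bot]')
+
     steps:
-      - uses: actions/checkout@v3
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
       - run: semgrep ci
         env: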
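Review bot: `image: returntocorp/semgrep` in the `run` job is kept without a tag or digest, so every run pulls whatever the registry's `latest` is at that moment, while the same commit pins the Snyk action to a commit SHA; pinning the scanner by digest, `image: returntocorp/semgrep@sha256:<digest>`, makes the supply chain consistent and the scan reproducible. The move to `pull_request_target` with a checkout of `github.event.pull_request.head.sha` is gated by the `authorize` job's `external` environment, which is the right shape, but once a maintainer approves, the fork's code runs next to whatever the `env:` block at the end of this hunk provides; that block continues past the hunk, so a comment on `needs: authorize` saying approval also releases those values to fork code would make the trade-off visible to the next reviewer.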

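--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,47 @@
+name: Snyk
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: '30 0 1,15 * *'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+  authorize:
+    name: Authorize
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  check:
+    needs: authorize
+
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # [email protected]
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}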
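Review bot: `uses: snyk/actions/php@…` in the `check` job selects Snyk's PHP/Composer scanner, while the rest of this commit builds the package with `npm ci`; if the SDK is an npm package, `snyk/actions/node` at the same pinned commit is presumably the intended variant, since the PHP one would look for Composer manifests rather than `package-lock.json` and could pass with nothing scanned. The pin-by-SHA is the right choice and worth keeping when the path is corrected. The trailing comment on that line renders as `[email protected]` on this page, which looks like a rendering artefact of the `@version` form; confirm the source still carries the release tag the SHA corresponds to.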
