github actions reorganised

davolokh · davolokh · commit 08b5c4f07e59 · 2025-03-16T15:41:50.000+01:00
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
@@ -0,0 +1,24 @@
+name: 'Setup Action'
+description: 'Checkouts the repo, sets up node, and installs dependencies'
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout Repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+    - name: Set up Node.js
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v2
+      with:
+        node-version: '18.0'
+
+    - name: Cache dependencies
+      id: cache
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      with:
+        path: ./node_modules
+        key: modules-${{ hashFiles('package-lock.json') }}
+
+    - name: Install dependencies
+      if: steps.cache.outputs.cache-hit != 'true'
+      run: 'npm ci'
+      shell: bash
diff --git a/.github/workflows/_security-checks.yml b/.github/workflows/_security-checks.yml
@@ -0,0 +1,35 @@
+name: Security Checks
+on:
+  workflow_call:
+permissions:
+  contents: read    
+jobs:
+  trivy:
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Scan repo
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,secret,config'
+          exit-code: '1'
+          ignore-unfixed: 'true'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+
+  npm-audit:
+    name: NPM Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Run npm audit
+        run: npm audit --omit=dev --audit-level=moderate
diff --git a/.github/workflows/_static-checks.yml b/.github/workflows/_static-checks.yml
@@ -0,0 +1,46 @@
+name: Static Checks
+on:
+  workflow_call:
+permissions:
+      contents: read
+jobs:
+  lint:
+    name: ESLint Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Run linter
+        run: npm run lint
+
+  tsc:
+    name: TS Types Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Run Tsc
+        run: npm run type-check
+
+  build:
+    name: Build App Check
+    runs-on: ubuntu-latest
+    env:
+      NODE_OPTIONS: "--max_old_space_size=4096"
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Build App
+        run: npm run build
diff --git a/.github/workflows/_unit-tests.yml b/.github/workflows/_unit-tests.yml
@@ -0,0 +1,22 @@
+name: Unit Tests
+permissions:
+  contents: write
+on:
+  workflow_call:
+jobs:
+  tests:
+    name: Jest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Build 
+        run: npm run build
+    
+      - name: Run tests
+        run: npm run test
+
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
diff --git a/.github/workflows/on-pr.yml b/.github/workflows/on-pr.yml
@@ -0,0 +1,18 @@
+name: On PR
+permissions: write-all
+on:
+  pull_request:
+jobs:
+  security:
+    name: Security Checks
+    uses: ./.github/workflows/_security-checks.yml
+
+  static-checks:
+    name: Static Checks
+    uses: ./.github/workflows/_static-checks.yml
+    secrets: inherit
+
+  unit-tests:
+    name: Unit Tests
+    uses: ./.github/workflows/_unit-tests.yml
+    secrets: inherit
diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
@@ -0,0 +1,23 @@
+name: On Release
+permissions: write-all
+on:
+  release:
+    types: [published]
+jobs:
+  release:
+    name: Publish
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Publish
+        run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+
+          
diff --git a/package.json b/package.json
@@ -39,6 +39,9 @@
     "build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
     "build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
     "prepack": "npm run build:esm && npm run build:cjs",
+    "type-check": "npm run type-check:esm && npm run type-check:cjs",
+    "type-check:esm": "tsc --noEmit -p ./tsconfig.prod.json",
+    "type-check:cjs": "tsc --noEmit -p ./tsconfig.cjs.json",
     "lint": "eslint src/",
     "test": "jest",
     "start": "npm run server",
