Skip to content

Commit

Permalink
ci: add gh actions pipeline
Browse files Browse the repository at this point in the history
  • Loading branch information
@antongolub
antongolub committed Dec 29, 2024
1 parent 26b2cbd commit 740032a
Show file tree
Hide file tree
Showing 4 changed files with 320 additions and 0 deletions.
108 changes: 108 additions & 0 deletions .github/workflows/ci.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
# This is a Github Workflow that runs tests on any push or pull request.
# If the tests pass and this is a push to the master branch it also runs Semantic Release.
name: CI
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Use Node.js 20.x
uses: actions/setup-node@v4
with:
node-version: 20.x
cache: 'npm'
- run: npm ci
- run: npm run build
- uses: actions/upload-artifact@v4
with:
name: build
path: |
target
package.json
jsr.json
retention-days: 1

push:
name: Push ${{ github.ref }}
needs: build
if: github.event_name == 'push'
runs-on: ubuntu-latest
permissions:
checks: read
statuses: write
contents: write
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: ${{ github.ref == 'refs/heads/main' && '0' || '1' }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
cache: 'npm'
- uses: actions/download-artifact@v4
with:
name: build
- name: Fetch deps
run: npm ci
- name: Run tests
run: npm run test

# - name: Codeclimate
# if: github.ref == 'refs/heads/main'
# uses: paambaati/[email protected]
# env:
# CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
# with:
# coverageLocations: |
# ${{github.workspace}}/target/coverage/lcov.info:lcov

- name: Semantic Release (npm)
if: github.ref == 'refs/heads/main'
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_PROVENANCE: true
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GIT_BRANCH: 'main'
GIT_AUTHOR_NAME: ${{ secrets.GIT_AUTHOR_NAME }}
GIT_AUTHOR_EMAIL: ${{ secrets.GIT_AUTHOR_EMAIL }}
GIT_COMMITTER_NAME: ${{ secrets.GIT_COMMITTER_NAME }}
GIT_COMMITTER_EMAIL: ${{ secrets.GIT_COMMITTER_EMAIL }}
run: echo 'disabled' && exit 0 # npx zx-semrel

pr:
if: github.event_name == 'pull_request'
needs: build
name: PR (Node v${{ matrix.node-version }}, OS ${{ matrix.os }})
strategy:
matrix:
os: [ ubuntu-latest, windows-latest ]
node-version: [ 22 ]

runs-on: ${{ matrix.os }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
- uses: actions/download-artifact@v4
with:
name: build
- name: Fetch deps
run: npm ci
- name: Run all tests
if: matrix.os == 'ubuntu-latest' && matrix.node-version == 22
run: npm run test
timeout-minutes: 1

- name: Run units
if: matrix.os != 'ubuntu-latest' && matrix.node-version != 22
run: npm run test:unit
timeout-minutes: 1
92 changes: 92 additions & 0 deletions .github/workflows/codeql.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL Advanced"

on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '17 20 * * 0'

jobs:
analyze:
name: Analyze (${{ matrix.language }})
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners (GitHub.com only)
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
runs-on: 'ubuntu-latest'
permissions:
# required for all workflows
security-events: write

# required to fetch internal or private CodeQL packs
packages: read

# only required for workflows in private repositories
actions: read
contents: read

strategy:
fail-fast: false
matrix:
include:
- language: javascript-typescript
build-mode: none
# CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
# Use `c-cpp` to analyze code written in C, C++ or both
# Use 'java-kotlin' to analyze code written in Java, Kotlin or both
# Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality

# If the analyze step fails for one of the languages you are analyzing with
# "We were unable to automatically build your code", modify the matrix above
# to set the build mode to "manual" for that language. Then modify this step
# to build your code.
# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
72 changes: 72 additions & 0 deletions .github/workflows/npm-publish-from-pr.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: npm publish from PR

on:
workflow_dispatch:
inputs:
repo:
description: 'source gh repo, like `google/zx`'
required: true
commit:
description: 'commit id'
required: true

jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Use Node.js 22
uses: actions/setup-node@v4
with:
node-version: 22

- name: Checkout
uses: actions/checkout@v4
with:
repository: ${{ github.event.inputs.repo }}
ref: ${{ github.event.inputs.commit }}

- name: Build
run: |
npm ci
npm run build
- uses: actions/upload-artifact@v4
with:
name: build-pr-${{ github.run_id }}
path: |
target
package.json
README.md
jsr.json
retention-days: 1

publish:
needs: build
runs-on: ubuntu-latest
permissions:
checks: read
statuses: write
contents: write
packages: write
id-token: write
steps:
- uses: actions/setup-node@v4
with:
node-version: 22
- uses: actions/download-artifact@v4
with:
name: build-pr-${{ github.run_id }}

- run: echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> .npmrc
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Notice
if: github.event.inputs.repo != github.repository
run: node -e "const fs = require('fs'); fs.writeFileSync('./README.md', process.env.NOTICE + fs.readFileSync('./README.md'))"
env:
NOTICE: "> ⚠<fe0f> **This snapshot was built from the external source** \n> repo: ${{ github.event.inputs.repo }} \n> commit: ${{ github.event.inputs.commit }}\n"

- run: |
npm version $(node --eval="process.stdout.write(require('./package.json').version)")-pr.${{ github.run_id }} --no-git-tag-version
npm publish --provenance --access=public --no-git-tag-version --tag pr
48 changes: 48 additions & 0 deletions .github/workflows/osv-scanner.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
# in addition to a PR check which fails if new vulnerabilities are introduced.
#
# For more examples and options, including how to ignore specific vulnerabilities,
# see https://google.github.io/osv-scanner/github-action/

name: OSV-Scanner

on:
pull_request:
branches: [ "main" ]
merge_group:
branches: [ "main" ]
schedule:
- cron: '29 14 * * 1'
push:
branches: [ "main" ]

permissions:
# Require writing security events to upload SARIF file to security tab
security-events: write
# Read commit contents
contents: read

jobs:
scan-scheduled:
if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
with:
# Example of specifying custom arguments
scan-args: |-
-r
--skip-git
./
scan-pr:
if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
with:
# Example of specifying custom arguments
scan-args: |-
-r
--skip-git
./

0 comments on commit 740032a

Please sign in to comment.