test: Improvements to CI Workflows (#1128)

<!-- By submitting a PR to this repository, you agree to the terms
within the [Auth0 Code of
Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
Please see the [contributing
guidelines](https://github.com/auth0/.github/blob/master/CONTRIBUTING.md)
for how to create and submit a high-quality PR for this repo. -->

### Changes

This pull request updates our continuous integration workflows. It (in
part) mirrors [improvements made to the Lock
repository](auth0/lock#2438).

#### codeql.yml

- Updated `pull_request` type triggers to use a narrower scope (avoids
unnecessary runs) and apply to all branches.
- Updated `push` branch triggers to be more concise (uses the `v*`
wildcard.)
- Added concurrency check (cancels redundant in-progress runs.)
- Updated to skip unnecessary runs on Dependabot PRs and re-runs on
merge group queues.

#### publish.yml

- Fixed the `NODE_VERSION` environmental variable reference.

#### semgrep.yml

- Updated to skip unnecessary runs on Dependabot PRs and re-runs on
merge group queues.
- Updated name to use "Check for Vulnerabilities" for clarity in branch
protection filters.
- Added concurrency check (cancels redundant in-progress runs.)

#### snyk.yml

- Added workflow to trigger Snyk security checks.
We previously used webhooks to trigger these checks, but this method is
incompatible with GitHub's merge queue feature. This approach allows us
to use the feature, as well as to autonomously run checks on a set
schedule as we do in other repositories.

#### test.yml

- Moves the Codecov coverage upload step into the unit test step (fixes
coverage not being available during the build step.)

### References

Updates based on internal feedback and conversations.

### Testing

This pull request applies improvements to the continuous integration
testing for the repository but does not add additional tests.

### Checklist

- [x] I have read the [Auth0 general contribution
guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
- [x] I have read the [Auth0 Code of
Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
- [x] All code quality tools/guidelines have been run/followed

.github/workflows/codeql.yml

@@ -2,10 +2,15 @@ name: CodeQL
 
 on:
   merge_group:
-  push:
-    branches: ['master', 'beta', 'v1']
   pull_request:
-    branches: ['master']
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+      - beta
+      - v*
   schedule:
     - cron: '56 12 * * 1'
 
@@ -14,6 +19,10 @@ permissions:
   contents: read
   security-events: write
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
 jobs:
   analyze:
     name: Analyze
@@ -25,6 +34,9 @@ jobs:
         language: [javascript]
 
     steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
       - name: Checkout
         uses: actions/checkout@v3
 

.github/workflows/publish.yml

@@ -13,6 +13,9 @@ permissions:
   contents: read
   packages: write
 
+env:
+  NODE_VERSION: 18
+
 jobs:
   publish-npm:
     name: 'NPM'

.github/workflows/semgrep.yml

@@ -15,25 +15,31 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
 jobs:
   authorize:
     name: Authorize
-    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
     runs-on: ubuntu-latest
     steps:
       - run: true
 
   run:
-    if: (github.actor != 'dependabot[bot]')
     needs: authorize # Require approval before running on forked pull requests
 
-    name: Run
+    name: Check for Vulnerabilities
     runs-on: ubuntu-latest
 
     container:
       image: returntocorp/semgrep
 
     steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
       - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}

.github/workflows/snyk.yml

@@ -0,0 +1,47 @@
+name: Snyk
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: '30 0 1,15 * *'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+  authorize:
+    name: Authorize
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  check:
+    needs: authorize
+
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # [email protected]
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.github/workflows/test.yml

@@ -59,9 +59,6 @@ jobs:
           path: .
           key: ${{ env.CACHE_KEY }}
 
-      - name: Upload coverage
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # [email protected]
-
   unit:
     needs: test
 
@@ -87,6 +84,9 @@ jobs:
       - name: Run tests
         run: npm run test -- --maxWorkers=2
 
+      - name: Upload coverage
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # [email protected]
+
   browserstack:
     needs: test