test: Improvements to CI Workflows (#1128)
<!-- By submitting a PR to this repository, you agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md). Please see the [contributing guidelines](https://github.com/auth0/.github/blob/master/CONTRIBUTING.md) for how to create and submit a high-quality PR for this repo. -->

### Changes

This pull request updates our continuous integration workflows. It (in part) mirrors [improvements made to the Lock repository](auth0/lock#2438).

#### codeql.yml

- Updated `pull_request` type triggers to use a narrower scope (avoids unnecessary runs) and apply to all branches.
- Updated `push` branch triggers to be more concise (uses the `v*` wildcard.)
- Added concurrency check (cancels redundant in-progress runs.)
- Updated to skip unnecessary runs on Dependabot PRs and re-runs on merge group queues.

#### publish.yml

- Fixed the `NODE_VERSION` environmental variable reference.

#### semgrep.yml

- Updated to skip unnecessary runs on Dependabot PRs and re-runs on merge group queues.
- Updated name to use "Check for Vulnerabilities" for clarity in branch protection filters.
- Added concurrency check (cancels redundant in-progress runs.)

#### snyk.yml

- Added workflow to trigger Snyk security checks. We previously used webhooks to trigger these checks, but this method is incompatible with GitHub's merge queue feature. This approach allows us to use the feature, as well as to autonomously run checks on a set schedule as we do in other repositories.

#### test.yml

- Moves the Codecov coverage upload step into the unit test step (fixes coverage not being available during the build step.)

### References

Updates based on internal feedback and conversations.

### Testing

This pull request applies improvements to the continuous integration testing for the repository but does not add additional tests.

### Checklist

- [x] I have read the [Auth0 general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
- [x] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
- [x] All code quality tools/guidelines have been run/followed
Showing 5 changed files with 77 additions and 9 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -13,6 +13,9 @@ permissions: | |
contents: read | ||
packages: write | ||
|
||
env: | ||
NODE_VERSION: 18 | ||
|
||
jobs: | ||
publish-npm: | ||
name: 'NPM' | ||
|
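Review bot: `NODE_VERSION: 18` is added at workflow level, but no step that reads it is visible in this hunk, so the reference fix described in the commit message cannot be confirmed from these lines; check that every consuming step reads `${{ env.NODE_VERSION }}` and not a job- or step-level name. A short comment next to the `env:` block naming the steps that depend on it would make later version bumps safer.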
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
name: Snyk | ||
|
||
on: | ||
merge_group: | ||
workflow_dispatch: | ||
pull_request_target: | ||
types: | ||
- opened | ||
- synchronize | ||
push: | ||
branches: | ||
- master | ||
schedule: | ||
- cron: '30 0 1,15 * *' | ||
|
||
permissions: | ||
contents: read | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | ||
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} | ||
|
||
jobs: | ||
authorize: | ||
name: Authorize | ||
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }} | ||
runs-on: ubuntu-latest | ||
steps: | ||
- run: true | ||
|
||
check: | ||
needs: authorize | ||
|
||
name: Check for Vulnerabilities | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group' | ||
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection. | ||
|
||
- uses: actions/checkout@v3 | ||
with: | ||
ref: ${{ github.event.pull_request.head.sha || github.ref }} | ||
|
||
- uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # [email protected] | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} |
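Review bot: In the `check` job, `actions/checkout` is given `github.event.pull_request.head.sha` under the `pull_request_target` trigger and the following step receives `secrets.SNYK_TOKEN`, so fork-supplied content is processed in a run that holds the token, and the only gate is the `authorize` job selecting the `external` environment, whose protection rules live in repository settings and are not visible in this file. Add a comment above `authorize` stating that `external` must require reviewer approval, and consider pinning `actions/checkout@v3` to a commit SHA as the Snyk step already is, with `persist-credentials: false`. Separately, the first step's `run: exit 0` only ends that one step successfully; the checkout and Snyk steps after it carry no `if:` and will still run for Dependabot and merge-group events, so the negated condition needs to go on those steps for the skip to take effect.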
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -59,9 +59,6 @@ jobs: | |
path: . | ||
key: ${{ env.CACHE_KEY }} | ||
|
||
- name: Upload coverage | ||
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # [email protected] | ||
|
||
unit: | ||
needs: test | ||
|
||
|
@@ -87,6 +84,9 @@ jobs: | |
- name: Run tests | ||
run: npm run test -- --maxWorkers=2 | ||
|
||
- name: Upload coverage | ||
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # [email protected] | ||
|
||
browserstack: | ||
needs: test | ||
|
||
|
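Review bot: The `Upload coverage` step added after `Run tests` in the `unit` job has no `with:` block, so it relies on the action locating the report by itself, and by default an upload problem does not fail the job; that leaves room for the same "coverage not available" condition the commit message says this move fixes to recur unnoticed. Consider setting `fail_ci_if_error: true` and an explicit `files:` path so a missing or empty report is surfaced in the check result.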