Update GitHub workflows

.github/workflows/codeql.yml

@@ -1,26 +1,28 @@
-name: "CodeQL"
+name: CodeQL
 
 on:
+  merge_group:
   push:
-    branches: [ "master", "v6", "v7", "v8", "v9-optional-signup-username", "v9", "v10" ]
+    branches: ['master', 'v6', 'v7', 'v8', 'v9-optional-signup-username', 'v9', 'v10']
   pull_request:
-    branches: [ "master" ]
+    branches: ['master']
   schedule:
-    - cron: "11 10 * * 4"
+    - cron: '11 10 * * 4'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
 
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ javascript ]
+        language: [javascript]
 
     steps:
       - name: Checkout
@@ -38,4 +40,4 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2
         with:
-          category: "/language:${{ matrix.language }}"
+          category: '/language:${{ matrix.language }}'

.github/workflows/semgrep.yml

@@ -1,24 +1,42 @@
 name: Semgrep
 
 on:
-  pull_request: {}
-
+  merge_group:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
   push:
-    branches: ["master", "main"]
-
+    branches:
+      - master
   schedule:
     - cron: '30 0 1,15 * *'
 
+permissions:
+  contents: read
+
 jobs:
-  semgrep:
-    name: Scan
+  authorize:
+    name: Authorize
+    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
     runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  run:
+    if: (github.actor != 'dependabot[bot]')
+    needs: authorize # Require approval before running on forked pull requests
+
+    name: Run
+    runs-on: ubuntu-latest
+
     container:
       image: returntocorp/semgrep
-    # Skip any PR created by dependabot to avoid permission issues
-    if: (github.actor != 'dependabot[bot]')
+
     steps:
       - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
       - run: semgrep ci
         env:

.github/workflows/test.yml

@@ -0,0 +1,60 @@
+name: Build and Test
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+
+permissions:
+  contents: read
+
+jobs:
+  authorize:
+    name: Authorize
+    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  run:
+    needs: authorize # Require approval before running on forked pull requests
+
+    name: Run
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Build package
+        run: npm run build
+
+      - name: Run `es-check`
+        run: npm run test:es-check
+
+      - name: Run `i18n:validate`
+        run: npm run i18n:validate
+
+      - name: Run Jest unit tests
+        run: npm run test
+
+      - name: Run Karma end-to-end tests
+        run: npm run test:e2e
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # [email protected]

.gitignore

@@ -9,6 +9,4 @@ npm-debug.log
 .idea/
 .env
 local.log
-yarn-error.log
 build/
-.yarn/

DEVELOPMENT.md

@@ -2,7 +2,6 @@
 
 Requires:
 
-- [Yarn](https://yarnpkg.com/)
 - [Node LTS](https://nodejs.org)
 
 ## Building
@@ -12,39 +11,39 @@ The SDK uses [Webpack](https://webpack.js.org/) to compile all JavaScript assets
 To perform a build, use the `build` script:
 
 ```
-yarn build
+npm run build
 ```
 
 ## Running Tests
 
 Unit tests can be executed using [Jest](https://jestjs.io/) by issuing the following command:
 
 ```
-yarn test
+npm run test
 ```
 
 To interactively perform tests using Jest's `watch` mode, use:
 
 ```
-yarn test:watch
+npm run test:watch
 ```
 
 End-to-end tests can be executed locally using [Karma](https://karma-runner.github.io/), in both watch and CLI mode:
 
 ```
 # CLI mode using Chrome Headless browser:
-yarn test:e2e
+npm run test:e2e
 
 # Watch mode using Chrome desktop browser, in watch mode:
-yarn test:e2e:watch
+npm run test:e2e:watch
 ```
 
 ## The SDK Playground
 
 To test the SDK manually and play around with the various options and features, you can invoke the Playground by using:
 
 ```
-yarn start
+npm start
 ```
 
 Next, open `https://localhost:3000/support`, which will display a simple web app that allows you to interact with Auth0 to test functionality. The HTML template in `support/index.html` can be modified to test various different pieces of functionality.
@@ -59,7 +58,7 @@ You can then use another SPA app to log in using this tenant that has this custo
 
 You may need to run Lock using HTTPS with a valid certificate if you want to do this testing in Safari, as Safari will not load mixed content pages, and will also not load HTTPS with untrusted testing certificates.
 
-Lock can already support HTTPS just by running `yarn start` if you have `mkcert` installed.
+Lock can already support HTTPS just by running `npm start` if you have `mkcert` installed.
 
 To install `mkcert`:
 
@@ -71,9 +70,9 @@ brew install nss # if you use Firefox
 mkcert install
 
 # Serve lock
-yarn start
+npm start
 ```
 
 Once Lock has started, use another SPA app to log in using a tenant with the template customized as above.
 
-If you don't have `mkcert`, HTTPS will still be used but it will be untrusted.
+If you don't have `mkcert`, HTTPS will still be used but it will be untrusted.