chore(deps): update github/codeql-action action to v2.27.1 #3178
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: [push] | |
| jobs: | |
| # -- TESTS ------------------------------------------------------------------ | |
| tests: | |
| name: Tests | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| node: ['18'] | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@951b48540b429070694bc8abd82fd6901eb123ca | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| github.com:443 | |
| api.github.com:443 | |
| pipelines.actions.githubusercontent.com:443 | |
| objects.githubusercontent.com:443 | |
| registry.npmjs.org:443 | |
| nodejs.org:443 | |
| snyk.io:443 | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| - name: Setup Node.js ${{ matrix.node }} | |
| uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| check-latest: true | |
| - name: Install dependencies | |
| run: npm install | |
| - name: Copy Playlists & Inventory examples | |
| run: | | |
| cp -R src/examples/playlists config/playlists | |
| cp src/examples/inventory.json config/inventory.json | |
| - name: Run Unit-Tests + Code Coverage | |
| run: npm run test:coverage | |
| - name: Save Code Coverage | |
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: code-coverage | |
| path: coverage | |
| # -- SONARCLOUD ------------------------------------------------------------- | |
| code-quality: | |
| name: Code Quality | |
| runs-on: ubuntu-latest | |
| needs: tests | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@951b48540b429070694bc8abd82fd6901eb123ca | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| github.com:443 | |
| api.github.com:443 | |
| pipelines.actions.githubusercontent.com:443 | |
| sonarcloud.io:443 | |
| scanner.sonarcloud.io:443 | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| - name: Download Code Coverage | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: code-coverage | |
| path: coverage | |
| - name: Get App Version | |
| run: ./scripts/version.sh | |
| - name: SonarCloud Scan | |
| uses: sonarsource/sonarcloud-github-action@master | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| # functional-tests: | |
| # runs-on: ubuntu-latest | |
| # needs: tests | |
| # steps: | |
| # - name: Harden GitHub Actions Runner | |
| # uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e88 | |
| # with: | |
| # egress-policy: audit | |
| # - name: Checkout | |
| # uses: actions/checkout@v2 | |
| # - name: Build docker image | |
| # run: docker build -t timoa/chrome-tab-rotate-server . | |
| # - name: Start Docker container | |
| # run: docker-compose up -d | |
| # - name: Check Docker container status | |
| # run: docker ps -a | |
| # - name: Install dependencies | |
| # run: npm install | |
| # - name: Run Functional tests | |
| # run: npm run test:functional | |
| # - name: Stop Docker container | |
| # run: docker-compose down | |
| # -- SAST SCAN -------------------------------------------------------------- | |
| code-security: | |
| name: Code Security | |
| runs-on: ubuntu-latest | |
| needs: tests | |
| # Skip any PR created by dependabot to avoid permission issues | |
| if: (github.actor != 'dependabot[bot]') | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@951b48540b429070694bc8abd82fd6901eb123ca | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| github.com:443 | |
| api.github.com:443 | |
| pipelines.actions.githubusercontent.com:443 | |
| registry.npmjs.org:443 | |
| pypi.org:443 | |
| osv-vulnerabilities.storage.googleapis.com:443 | |
| nvd.nist.gov:443 | |
| docker.io:443 | |
| registry-1.docker.io:443 | |
| auth.docker.io:443 | |
| production.cloudflare.docker.com:443 | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| - name: Perform Scan | |
| uses: ShiftLeftSecurity/scan-action@master | |
| env: | |
| WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SCAN_ANNOTATE_PR: true | |
| - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: reports | |
| path: reports | |
| # -- API TESTS -------------------------------------------------------------- | |
| api-tests: | |
| name: API Tests | |
| runs-on: ubuntu-latest | |
| needs: tests | |
| strategy: | |
| matrix: | |
| node: ['18'] | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@951b48540b429070694bc8abd82fd6901eb123ca | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| - name: Setup Node.js ${{ matrix.node }} | |
| uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| check-latest: true | |
| - name: Install dependencies | |
| run: npm install | |
| - name: Copy Playlists & Inventory examples | |
| run: | | |
| cp -R src/examples/playlists config/playlists | |
| cp src/examples/inventory.json config/inventory.json | |
| - name: Install Postman Newman | |
| run: npm install newman | |
| - name: Start the app | |
| run: npm start > /dev/null & | |
| - name: Run Postman Newman | |
| run: node_modules/.bin/newman run https://api.getpostman.com/collections/${{ secrets.POSTMAN_COLLECTION }}?apikey=${{ secrets.POSTMAN_API_TOKEN }} -e https://api.getpostman.com/environments/${{ secrets.POSTMAN_ENVIRONMENT }}?apikey=${{ secrets.POSTMAN_API_TOKEN }} | |
| # -- ZAP Scan --------------------------------------------------------------- | |
| api-security: | |
| name: API Security | |
| runs-on: ubuntu-latest | |
| needs: tests | |
| # Skip any PR created by dependabot to avoid permission issues | |
| if: (github.actor != 'dependabot[bot]') | |
| strategy: | |
| matrix: | |
| node: ['18'] | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@951b48540b429070694bc8abd82fd6901eb123ca | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| - name: Setup Node.js ${{ matrix.node }} | |
| uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| check-latest: true | |
| - name: Install dependencies | |
| run: npm install | |
| - name: Copy Playlists & Inventory examples | |
| run: | | |
| cp -R src/examples/playlists config/playlists | |
| cp src/examples/inventory.json config/inventory.json | |
| - name: Start the app | |
| run: npm start > /dev/null & | |
| - name: Run ZAP Scan | |
| uses: zaproxy/action-full-scan@d2a07475d467566c9a3e3c700f31f47724aa1060 # v0.10.0 | |
| with: | |
| target: http://localhost:9000 | |
| # -- PRE-RELEASE ------------------------------------------------------------ | |
| pre-release: | |
| name: Prepare Release | |
| runs-on: ubuntu-latest | |
| needs: | |
| - code-quality | |
| - code-security | |
| - api-security | |
| if: github.ref == 'refs/heads/master' | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@951b48540b429070694bc8abd82fd6901eb123ca | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| - name: Semantic Release | |
| uses: cycjimmy/semantic-release-action@8e58d20d0f6c8773181f43eb74d6a05e3099571d # v3.4.2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # -- BUILD ------------------------------------------------------------------ | |
| build: | |
| name: Build & Release | |
| runs-on: ubuntu-latest | |
| needs: pre-release | |
| if: github.ref == 'refs/heads/master' | |
| steps: | |
| - name: Harden GitHub Actions Runner | |
| uses: step-security/harden-runner@951b48540b429070694bc8abd82fd6901eb123ca | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| with: | |
| fetch-depth: 0 | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 | |
| with: | |
| images: ${{ github.repository }} | |
| tags: | | |
| type=ref,event=branch | |
| type=match,pattern=v(.*),group=1 | |
| type=raw,value=latest | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0 | |
| - name: Login to DockerHub | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Build and push | |
| uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} |