chaynHQ · kyleecodes · Feb 17, 2025 · Feb 17, 2025 · Feb 17, 2025 · Feb 17, 2025
diff --git a/.github/configs/labeler.yml b/.github/configs/labeler.yml
@@ -0,0 +1,22 @@
+needs-file-review:
+  - cypress/**
+  - cypress-after.config.ts
+  - cypress.config.ts
+  - scripts/**
+  - bin/**
+  - "*.sh"
+  - "*.py"
+  - "**/*.json"
+  - "**/*.lock"
+  - "**/*.yaml"
+  - "**/*.yml"
+  - .vscode/**
+  - .husky/**
+  - .gitignore
+  - .nycrc
+  - next.config.js
+  - middleware.ts
+  - next-env.d.ts
+  - jest.config.js
+  - .prettierrc
+  - .github/**
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -3,19 +3,27 @@
 
 version: 2
 updates:
-  - package-ecosystem: 'npm' # same value for yarn
-    directory: '/' # Location of package manifests
+  - package-ecosystem: "npm" # same value for yarn
+    directory: "/" # Location of package manifests
     schedule:
-      interval: 'weekly'
-      time: '09:00'
-      timezone: 'Europe/London'
+      interval: "weekly"
+      time: "09:00"
+      timezone: "Europe/London"
+    assignees:
+      - "kyleecodes"
+    reviewers:
+      - "kyleecodes"
 
   # Maintain dependencies for GitHub Actions
-  - package-ecosystem: 'github-actions'
+  - package-ecosystem: "github-actions"
     # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`.
     # You can use `directory: "/"`.)
-    directory: '/'
+    directory: "/"
     schedule:
-      interval: 'weekly'
-      time: '09:00'
-      timezone: 'Europe/London'
+      interval: "weekly"
+      time: "09:00"
+      timezone: "Europe/London"
+    assignees:
+      - "kyleecodes"
+    reviewers:
+      - "kyleecodes"
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -7,12 +7,10 @@
 ### How did you find us? (GitHub, Google search, social media, etc.):
 
 <!---ABOUT RUNNING TESTS :->
-- Directions for running tests are in the README.md.
-- Tests are not required to pass. 
+- Directions in the /docs
 - Run unit tests
 - Run Cypress tests if required for contribution.
-- Some tests may require multiple runs before success.
-- Some test failures may not be due to your contribution and can be ignored. We are always upgrading testing performance.
+- Tests are not required to pass. 
 
 <!--- PR CHECKLIST: —>
 Before submitting, check that you have completed the following tasks:

diff --git a/.github/workflows/build-and-test-forks.yml b/.github/workflows/build-and-test-forks.yml
@@ -0,0 +1,86 @@
+name: Build & Test Forked PRs
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+jobs:
+  verify-labels:
+    runs-on: ubuntu-24.04
+    outputs:
+      should_run_tests: ${{ steps.check-label.outputs.should_run_tests }}
+    steps:
+      - name: Check PR Labels
+        id: check-label
+        run: |
+          labels=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels" | jq -r '.[].name')
+
+          if echo "$labels" | grep -q "needs-file-review"; then
+            echo "Sensitive files modified. Stopping workflow."
+            echo "should_run_tests=false" >> $GITHUB_ENV
+            exit 1
+          else
+            echo "No sensitive files detected or labels are missing. Proceeding with tests."
+            echo "should_run_tests=true" >> $GITHUB_ENV
+
+      - name: Comment on PR if review is required
+        if: env.should_run_tests == 'false'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: "This PR modifies sensitive files. A maintainer must review and remove the 'needs-file-review' label before tests can proceed."
+            });
+              core.setFailed("Sensitive files changed. Review required.")
+
+  build-and-test:
+    needs: verify-labels
+    if: needs.verify-labels.outputs.should_run_tests == 'true'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout PR Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+      - name: Cache node_modules
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
+        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+      - name: Use NodeJs
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a
+        with:
+          node-version: "20.x"
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile --non-interactive
+
+      - name: Run linting
+        run: yarn lint
+
+      - name: Run type checks
+        run: yarn type-check
+        continue-on-error: true
+
+      - name: Build app
+        run: yarn build
+        env:
+          NEXT_PUBLIC_ROLLBAR_ENV: CI
+          NEXT_PUBLIC_FIREBASE_API_KEY: ${{ secrets.NEXT_PUBLIC_FIREBASE_API_KEY }}
+          NEXT_PUBLIC_ROLLBAR_CLIENT_TOKEN: ${{ secrets.NEXT_PUBLIC_ROLLBAR_CLIENT_TOKEN }}
+          NEXT_PUBLIC_STORYBLOK_TOKEN: ${{ secrets.NEXT_PUBLIC_STORYBLOK_TOKEN }}
+          NEW_RELIC_APP_NAME: ${{ secrets.NEW_RELIC_APP_NAME }}
+          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
+      - name: Test app
+        run: yarn test
diff --git a/.github/workflows/build-and-test-prs.yml b/.github/workflows/build-and-test-prs.yml
@@ -1,4 +1,4 @@
-name: Build & test
+name: Build & Test PRs
 
 on:
   pull_request:
@@ -7,24 +7,43 @@ on:
     branches: [develop]
 
 jobs:
+  security-check: # exits as failure if forked pr, before the build steps
+    runs-on: ubuntu-24.04
+    if: github.event.workflow_run.event == 'pull_request' # job only runs on PRs, not pushes to develop
+    outputs:
+      is_internal: ${{ steps.check_fork.outputs.is_internal }}
+    steps:
+      - name: Check if PR is from a Fork
+        id: check_fork
+        run: |
+          if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
+            echo "This PR is from a fork and cannot proceed."
+            echo "is_internal=false" >> $GITHUB_ENV
+            exit 1
+          else
+            echo "is_internal=true" >> $GITHUB_ENV
+          fi
+
   build-and-test:
+    needs: security-check
+    if: needs.security-check.outputs.is_internal == 'true'
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
         run: echo "::set-output name=dir::$(yarn cache dir)"
       - name: Cache node_modules
-        uses: actions/cache@v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
         id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
         with:
           path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
           key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-yarn-
       - name: Use NodeJs
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a
         with:
           node-version: '20.x'
 
@@ -49,3 +68,4 @@ jobs:
           NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
       - name: Test app
         run: yarn test
+
diff --git a/.github/workflows/community-label-forked-prs.yml b/.github/workflows/community-label-forked-prs.yml
@@ -0,0 +1,35 @@
+name: Prescan to Label Forked PRs
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+jobs:
+  check-fork:
+    runs-on: ubuntu-24.04
+    outputs:
+      is_fork: ${{ steps.check_fork.outputs.is_fork }}
+    steps:
+      - name: Determine if PR is from a Fork
+        id: check_fork
+        run: |
+          if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
+            echo "PR is from a fork. Proceeding with workflow."
+            echo "is_fork=true" >> $GITHUB_ENV
+            echo "::set-output name=is_fork::true"
+          else
+            echo "PR is internal. Skipping workflow."
+            echo "is_fork=false" >> $GITHUB_ENV
+            echo "::set-output name=is_fork::false"
+            exit 1
+
+  label-sensitive-files:
+    needs: check-fork
+    if: needs.check-fork.outputs.is_fork == 'true'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Label PR for Sensitive Files
+        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          configuration-path: .github/configs/labeler.yml