ci: align CI config #544

Draft
wants to merge 1 commit into
base: master
87 changes: 67 additions & 20 deletions .github/workflows/ci.yml
Expand Up @@ -6,6 +6,8 @@ on:
# The branches below must be a subset of the branches above
branches: [master]

permissions: {}

jobs:
build:
runs-on: ubuntu-22.04
Expand All @@ -16,53 +18,98 @@ jobs:
strategy:
matrix:
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
node-version: [18, 20]
node-version:
- 18
- 20
- 21
steps:
- uses: actions/checkout@v4
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
cache: npm
node-version: ${{ matrix.node-version }}
- uses: ankane/setup-mysql@v1
- uses: ankane/setup-mysql@0066c6761a230df8a1ce7f26f3f434c7f3405ae7 # v1
with:
mysql-version: 8.0
- run: |
sudo mysql -e "CREATE USER '$MYSQL_USER'@'localhost' IDENTIFIED BY '$MYSQL_PASSWORD'"
sudo mysql -u root -e "GRANT ALL PRIVILEGES ON *.* TO '$MYSQL_USER'@'localhost'"
sudo mysql -u root -e "ALTER USER '$MYSQL_USER'@'localhost' IDENTIFIED WITH mysql_native_password by '$MYSQL_PASSWORD'"
sudo mysql -u root -e "FLUSH PRIVILEGES"
- run: npm install
- run: npm test
cat <<EOF | mysql --user=root
CREATE USER
'$MYSQL_USER'@'localhost'
IDENTIFIED BY '$MYSQL_PASSWORD';

GRANT ALL PRIVILEGES
ON *.*
TO '$MYSQL_USER'@'localhost';

ALTER USER
'$MYSQL_USER'@'localhost'
IDENTIFIED WITH mysql_native_password
BY '$MYSQL_PASSWORD';

FLUSH PRIVILEGES;
EOF
- run: |
npm ci \
--ignore-scripts \
--prefer-offline
- run: npm test --ignore-scripts
code-lint:
name: Code Lint
runs-on: ubuntu-latest
timeout-minutes: 60
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Use Node.js 18
uses: actions/setup-node@v4
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
cache: npm
node-version: 18
- name: Bootstrap project
run: |
npm ci --ignore-scripts
npm ci \
--ignore-scripts \
--prefer-offline
- name: Verify code linting
run: npm run lint
run: |
npm run \
--ignore-script \
lint

commit-lint:
name: Commit Lint
runs-on: ubuntu-latest
timeout-minutes: 60
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: audit
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Use Node.js 18
uses: actions/setup-node@v4
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
cache: npm
node-version: 18
- name: Bootstrap project
run: |
npm ci --ignore-scripts
npm ci \
--ignore-scripts \
--prefer-offline
- name: Verify commit linting
run: npx commitlint --from origin/master --to HEAD --verbose
run: |
npm exec \
--package=@commitlint/cli \
-- \
commitlint \
--from=origin/master \
--to=HEAD \
--verbose
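Review bot: The flag in the code-lint step, `npm run --ignore-script lint`, is misspelled — every other step in this file passes `--ignore-scripts`, and npm would treat the singular form as an unknown config key rather than the ignore-scripts option, so the `lint` pre/post hooks would still run despite the apparent intent; change it to `npm run --ignore-scripts lint`. The MySQL bootstrap now pipes the heredoc into `mysql --user=root` without the `sudo` the replaced lines used; if root on the runner image is socket-authenticated the connection will be refused, so confirm against a run log or restore `sudo mysql --user=root`. Note also that `egress-policy: audit` on harden-runner only logs outbound connections and enforces nothing, unlike the `block` policy in the scorecards workflow, so a comment such as `# audit only: logs egress, does not block it` would make the weaker setting visibly deliberate. The `build` job's header and any `env` block sit in the collapsed lines between the two hunks, so where `MYSQL_USER` and `MYSQL_PASSWORD` are defined is not visible here.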

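--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,78 @@
+# Based on `scorecard.yml` Github Actions starter workflow:
+# https://github.com/actions/starter-workflows/blob/b1df8a546ed4d0f27d46aaf2f8ac1118bc522638/code-scanning/scorecard.yml
+
+# This is separate from the CI workflow due to certain restrictions imposed by the GitHub Action action:
+# https://github.com/ossf/scorecard-action/tree/99cc02c8ee27bab5f5f41e79066e0de91d313dec#workflow-restrictions
+# For consistency, we should keep it a separate workflow across all our Github repositories, regardless if it's actually needed.
+
+name: OSSF Scorecard
+on:
+# For Branch-Protection check. Only the default branch is supported. See
+# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+branch_protection_rule: {}
+# To guarantee Maintained check is occasionally updated. See
+# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+schedule:
+- cron: '30 6 * * 5'
+push:
+branches: [master]
+
+# Declare default permissions as read only.
+# permissions: read-all
+permissions: {}
+
+jobs:
+analysis:
+name: Scorecard analysis
+runs-on: ubuntu-latest
+permissions:
+# Needed to upload the results to code-scanning dashboard.
+security-events: write
+# Needed to publish results and get a badge (see publish_results below).
+id-token: write
+
+steps:
+- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+if: ${{ matrix.os == 'ubuntu-latest' }}
+with:
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+api.osv.dev:443
+api.securityscorecards.dev:443
+fulcio.sigstore.dev:443
+github.com:443
+oss-fuzz-build-logs.storage.googleapis.com:443
+rekor.sigstore.dev:443
+tuf-repo-cdn.sigstore.dev:443
+www.bestpractices.dev:443
+- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+with:
+persist-credentials: false
+
+- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+with:
+results_file: results.sarif
+results_format: sarif
+# Public repositories:
+# - Publish results to OpenSSF REST API for easy access by consumers
+# - Allows the repository to include the Scorecard badge.
+# - See https://github.com/ossf/scorecard-action#publishing-results.
+# For private repositories:
+# - `publish_results` will always be set to `false`, regardless
+# of the value entered here.
+publish_results: true
+
+# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+# format to the repository Actions tab.
+- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+with:
+name: OSSF Scorecard SARIF file
+path: results.sarif
+retention-days: 90
+
+# Upload the results to GitHub's code scanning dashboard.
+- uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+with:
+sarif_file: results.sarif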
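Review bot: The `if: ${{ matrix.os == 'ubuntu-latest' }}` on the harden-runner step references a matrix that the `analysis` job never defines, so `matrix.os` is empty, the condition is always false, and the hardening step — including its `egress-policy: block` allow-list and `disable-sudo: true` — is skipped on every run; drop the `if:` line so the step executes unconditionally. The comment `# Declare default permissions as read only.` no longer matches the value beneath it, since `permissions: {}` grants nothing rather than read-only; reword it to `# No default permissions; each job declares what it needs.` and delete the stale `# permissions: read-all` line, or restore `read-all`. The job itself declares only `security-events: write` and `id-token: write`, so whether `actions/checkout` still succeeds without `contents: read` presumably depends on the repository being public — confirm on a private fork before relying on it.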