ci: init

Signed-off-by: Jakub Mucha <[email protected]>
Synthetixio · Nov 18, 2020 · a33e6c1 · a33e6c1
1 parent a136b5d
commit a33e6c1
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 5
+    target-branch: "dev"
+    allow:
+      - dependency-name: "cypress"
+        dependency-type: "production"
+    labels:
+      - "npm"
+      - "dependencies"
+    pull-request-branch-name:
+      separator: "-"
diff --git a/.github/workflows/audit_and_lint.yml b/.github/workflows/audit_and_lint.yml
@@ -0,0 +1,72 @@
+name: Synpress CI
+
+on:
+  push:
+  pull_request:
+    branches: [master, dev]
+
+jobs:
+  audit:
+    # run only on master/dev branch and pull requests
+    if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev' || github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+
+    container:
+      image: ghcr.io/synthetixio/docker-sec-tools/base:12.19
+      credentials:
+        username: synthetixio
+        password: ${{ secrets.GH_PACKAGES_READ_ONLY }}
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@ee5a9d1395988d7c82c67c69571871f5994b94df # pin@v2
+
+    - name: Audit dependencies
+      run: audit-ci --critical --report-type important
+
+    - name: Lockfile lint
+      run: lockfile-lint -p package-lock.json --type npm --allowed-hosts npm github.com --allowed-schemes "https:" "git+https:" "github:" "git+ssh:"
+
+  build:
+    needs: audit
+    # run only on audit success or audit skipped
+    if: always() && (needs.audit.result == 'success' || needs.audit.result == 'skipped')
+    runs-on: ubuntu-latest
+
+    container:
+      image: ghcr.io/synthetixio/docker-node/alpine:12.19
+      credentials:
+        username: synthetixio
+        password: ${{ secrets.GH_PACKAGES_READ_ONLY }}
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@ee5a9d1395988d7c82c67c69571871f5994b94df # pin@v2
+
+    - name: Cache node modules
+      uses: actions/cache@3b70782066bd817837b6bd8c518d45b54d91bf76 # pin@v2
+      with:
+        path: |
+          .npm
+          node_modules
+        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-node-
+          ${{ runner.os }}-
+      continue-on-error: true
+
+    - name: Install dependencies
+      run: npm install --no-audit
+
+    - name: Lint
+      # run only on master/dev branch and pull requests
+      if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev' || github.event_name == 'pull_request'
+      run: npm run lint:sarif
+
+    - name: Upload lint results
+      # run if lint failed and only on master/dev branch and pull requests
+      if: always() && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev' || github.event_name == 'pull_request')
+      uses: github/codeql-action/upload-sarif@b1e2c9b8bd0550a90e66c967d9795316f9f21910 # pin@codeql-bundle-20201008
+      with:
+        sarif_file: lint-results.sarif
+      continue-on-error: true