Skip to content

bump dependencies (#3637) #1773

bump dependencies (#3637)

bump dependencies (#3637) #1773

name: Check Security and Quality
on:
# Analysis done to check for security and quality are often taken care of by vendor tools, such as SonarCloud, CodeQL, etc.
# We will not run these in PR pipelins for the following reasons:
# 1. In terms of quality checks, these analysis are often already covered by code checks (e.g. eslint) already set to run
# for PRs
# 2. Security checks are included meaning that these checks will have to go through a huge libraries of vulnerability checks
# from vendor, which could take up huge amount of time to run, which is not suitable to have in PR unless absolutely necessary.
# However, most of the problems detected by these checks are often security warnings and some other niche problems that we might
# or might not necessarily have to deal with (false positive, or belongs to test-only codepath)
push:
branches:
- master
- 'release/**'
jobs:
sonar-code-quality-check:
name: SonarCloud Code Quality Check
runs-on: ubuntu-latest
# NOTE: we cannot run this action in PR anyway because secrets are not accessible from forks
# See https://portal.productboard.com/sonarsource/1-sonarcloud/c/50-sonarcloud-analyzes-external-pull-request
# See https://community.sonarsource.com/t/github-action-ci-build-fail-with-set-the-sonar-token-env-variable/38997
if: github.repository == 'finos/legend-studio'
steps:
- name: Checkout code
uses: actions/[email protected]
with:
fetch-depth: 0 # disabling shallow clone is recommended for improving relevancy of reporting
- name: Get Yarn cache directory path
id: yarn-cache-dir-path
run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
- name: Setup Yarn cache
uses: actions/[email protected]
id: yarn-cache
with:
path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
restore-keys: ${{ runner.os }}-yarn-
- name: Setup Node
uses: actions/[email protected]
with:
node-version: 21
# Install step is needed for Typescript scanning to work properly since
# we refer to another packages in `tsconfig` files, which is used by Sonar
# See https://community.sonarsource.com/t/sonarts-is-not-able-to-analyse-typescript-files/21510/5
- name: Install dependencies
run: yarn
- name: SonarCloud scan
uses: sonarsource/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
codeql-code-quality-check:
name: CodeQL Code Quality Check
runs-on: ubuntu-latest
if: github.repository == 'finos/legend-studio'
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/[email protected]
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: javascript
config-file: ./.github/codeql-config.yml
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2