bump dependencies (#3637) #1773
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check Security and Quality | |
on: | |
# Analysis done to check for security and quality are often taken care of by vendor tools, such as SonarCloud, CodeQL, etc. | |
# We will not run these in PR pipelins for the following reasons: | |
# 1. In terms of quality checks, these analysis are often already covered by code checks (e.g. eslint) already set to run | |
# for PRs | |
# 2. Security checks are included meaning that these checks will have to go through a huge libraries of vulnerability checks | |
# from vendor, which could take up huge amount of time to run, which is not suitable to have in PR unless absolutely necessary. | |
# However, most of the problems detected by these checks are often security warnings and some other niche problems that we might | |
# or might not necessarily have to deal with (false positive, or belongs to test-only codepath) | |
push: | |
branches: | |
- master | |
- 'release/**' | |
jobs: | |
sonar-code-quality-check: | |
name: SonarCloud Code Quality Check | |
runs-on: ubuntu-latest | |
# NOTE: we cannot run this action in PR anyway because secrets are not accessible from forks | |
# See https://portal.productboard.com/sonarsource/1-sonarcloud/c/50-sonarcloud-analyzes-external-pull-request | |
# See https://community.sonarsource.com/t/github-action-ci-build-fail-with-set-the-sonar-token-env-variable/38997 | |
if: github.repository == 'finos/legend-studio' | |
steps: | |
- name: Checkout code | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 # disabling shallow clone is recommended for improving relevancy of reporting | |
- name: Get Yarn cache directory path | |
id: yarn-cache-dir-path | |
run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT | |
- name: Setup Yarn cache | |
uses: actions/[email protected] | |
id: yarn-cache | |
with: | |
path: ${{ steps.yarn-cache-dir-path.outputs.dir }} | |
key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }} | |
restore-keys: ${{ runner.os }}-yarn- | |
- name: Setup Node | |
uses: actions/[email protected] | |
with: | |
node-version: 21 | |
# Install step is needed for Typescript scanning to work properly since | |
# we refer to another packages in `tsconfig` files, which is used by Sonar | |
# See https://community.sonarsource.com/t/sonarts-is-not-able-to-analyse-typescript-files/21510/5 | |
- name: Install dependencies | |
run: yarn | |
- name: SonarCloud scan | |
uses: sonarsource/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
codeql-code-quality-check: | |
name: CodeQL Code Quality Check | |
runs-on: ubuntu-latest | |
if: github.repository == 'finos/legend-studio' | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout code | |
uses: actions/[email protected] | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: javascript | |
config-file: ./.github/codeql-config.yml | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v2 |