Skip to content

Commit

Permalink
ci: align CI configuration
Browse files Browse the repository at this point in the history 
see: loopbackio/cicd#91
see: loopbackio/cicd#90
see: loopbackio/cicd#89
see: loopbackio/cicd#83
see: loopbackio/security#27
see: loopbackio/security#26
see: loopbackio/security#23
see: loopbackio/security#16

Signed-off-by: Rifa Achrinza <[email protected]>
  • Loading branch information
@achrinza
achrinza committed Nov 9, 2023
1 parent 9f9baf3 commit c20006d
Show file tree
Hide file tree
Showing 4 changed files with 1,911 additions and 31 deletions.
132 changes: 109 additions & 23 deletions .github/workflows/continuous-integration.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,66 +9,152 @@ on:
schedule:
- cron: '0 2 * * 1' # At 02:00 on Monday

env:
NODE_OPTIONS: --max-old-space-size=4096
permissions: {}

jobs:
test:
name: Test
timeout-minutes: 15
timeout-minutes: 5
strategy:
matrix:
os: [ubuntu-latest]
node-version: [16, 18]
node-version:
- 16
- 18
- 20
- 21
include:
- os: macos-latest
node-version: 16 # LTS
node-version: 20 # LTS
- os: windows-latest
node-version: 20 # LTS
fail-fast: false
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
if: ${{ matrix.os == 'ubuntu-latest' }}
with:
fetch-depth: 0
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
nodejs.org:443
registry.npmjs.org:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
node-version: ${{ matrix.node-version }}
cache: npm
- name: Bootstrap project
run: |
npm ci --ignore-scripts
- uses: Yuri6037/[email protected]
run: npm ci --ignore-scripts --prefer-offline
- uses: Yuri6037/Action-FakeTTY@1abc69c7d530815855caedcd73842bae5687c1a6 # v1.1
- name: Run tests
run: faketty npm test --ignore-scripts

code-lint:
name: Code Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
- name: Use Node.js 16
uses: actions/setup-node@v3
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
nodejs.org:443
registry.npmjs.org:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: Use Node.js 20
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
node-version: 16
node-version: 20
cache: 'npm'
- name: Bootstrap project
run: |
npm ci --ignore-scripts
npm ci \
--ignore-scripts \
--prefer-offline
- name: Verify code linting
run: npm run lint
run: npm run lint --ignore-scripts

commit-lint:
name: Commit Lint
runs-on: ubuntu-latest
if: ${{ github.event.pull_request }}
steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
registry.npmjs.org:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Use Node.js 16
uses: actions/setup-node@v3
persist-credentials: false
- name: Use Node.js 20
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
node-version: 20
cache: npm
- name: Bootstrap project
run: |
npm ci \
--ignore-scripts \
--prefer-offline
- name: Verify commit linting
run: |
npm exec \
--no-install \
--package=@commitlint/cli \
-- \
commitlint \
--from=origin/master \
--to=HEAD \
--verbose
lockfile-lint:
name: Lockfile Lint
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
node-version: 16
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
registry.npmjs.org:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: Use Node.js 20
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
node-version: 20
cache: npm
- name: Bootstrap project
run: |
npm ci --ignore-scripts
npm ci \
--ignore-scripts \
--prefer-offline
- name: Verify commit linting
run: npx commitlint --from origin/master --to HEAD --verbose
run: |
npm exec \
--no-install \
--package=lockfile-lint \
-- \
lockfile-lint \
--path=package-lock.json \
--allowed-hosts=npm \
--validate-https \
--validate-integrity \
--validate-package-names
70 changes: 70 additions & 0 deletions .github/workflows/scorecards.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
# Based on `scorecard.yml` Github Actions starter workflow:
# https://github.com/actions/starter-workflows/blob/b1df8a546ed4d0f27d46aaf2f8ac1118bc522638/code-scanning/scorecard.yml

# This is separate from the CI workflow due to certain restrictions imposed by the GitHub Action action:
# https://github.com/ossf/scorecard-action/tree/99cc02c8ee27bab5f5f41e79066e0de91d313dec#workflow-restrictions
# For consistency, we should keep it a separate workflow across all our Github repositories, regardless if it's actually needed.

name: OSSF Scorecard
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule: {}
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: '30 6 * * 5'
push:
branches: [master]
# Added for testing the workflow, as PR triggers are currently not supported by the OSSF Scorecard Action.
workflow_dispatch: {}

# Declare default permissions as read only.
# permissions: read-all
permissions: {}

jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
id-token: write

steps:
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
if: ${{ matrix.os == 'ubuntu-latest' }}
with:
disable-sudo: true
egress-policy: audit
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false

- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif
# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
# - Allows the repository to include the Scorecard badge.
# - See https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories:
# - `publish_results` will always be set to `false`, regardless
# of the value entered here.
publish_results: true

# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: OSSF Scorecard SARIF file
path: results.sarif
retention-days: 90

# Upload the results to GitHub's code scanning dashboard.
- uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
with:
sarif_file: results.sarif
Loading

0 comments on commit c20006d

Please sign in to comment.