Skip to content

Enable supply chain security through npm provenance attestation #32504

Enable supply chain security through npm provenance attestation

Enable supply chain security through npm provenance attestation #32504

Workflow file for this run

name: CI
on:
push:
branches:
- main
- release-*
pull_request:
branches:
- main
- release-*
permissions:
contents: read
# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
defaults:
run:
shell: bash
jobs:
test:
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
- windows-latest
- macos-14
node-version:
- '22'
- '20'
- '18'
- '16'
- '14'
bundle:
- 'true'
include:
- node-version: 'lts/*'
bundle: false
os: ubuntu-latest
exclude:
# No Node 14 on ARM macOS
- node-version: '14'
os: macos-14
runs-on: ${{ matrix.os }}
name: Test Node ${{ matrix.node-version }} on ${{ matrix.os }}${{ (!matrix.bundle && ' with --no-bundle') || '' }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Use node version ${{ matrix.node-version }}
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: ${{ matrix.node-version }}
check-latest: true
- run: npm ci
- name: Tests
id: test
# run tests, but lint separately
run: npm run test -- --no-lint --bundle=${{ matrix.bundle }}
- name: Print baseline diff on failure
if: ${{ failure() && steps.test.conclusion == 'failure' }}
run: |
npx hereby baseline-accept
git add tests/baselines/reference
git diff --staged --exit-code
coverage:
runs-on:
- 'self-hosted'
- '1ES.Pool=TypeScript-1ES-GitHub-Large'
- '1ES.ImageOverride=ubuntu-22.04'
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 'lts/*'
- run: npm ci
- name: Run tests with coverage
run: npm test -- --no-lint --coverage
- name: Upload coverage artifact
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: coverage
path: coverage
- uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
with:
use_oidc: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }}
disable_search: true
files: ./coverage/codecov.json
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 'lts/*'
- run: npm ci
- name: Linter
run: npm run lint
knip:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 'lts/*'
- run: npm ci
- name: Unused exports
run: npm run knip
format:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 'lts/*'
- run: npm ci
- uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ~/.cache/dprint
key: ${{ runner.os }}-dprint-${{ hashFiles('package-lock.json', '.dprint.jsonc') }}
restore-keys: |
${{ runner.os }}-dprint-
- name: Check formatting
run: npx dprint check
browser-integration:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 'lts/*'
- run: npm ci
- name: Installing browsers
run: npx playwright install --with-deps
- name: Validate the browser can import TypeScript
run: npx hereby test-browser-integration
typecheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 'lts/*'
- run: npm ci
- name: Build src
run: npx hereby build-src
smoke:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 'lts/*'
- run: |
npm --version
# corepack enable npm
npm install -g $(jq -r '.packageManager' < package.json)
npm --version
- run: npm ci
- run: npx hereby lkg
- run: |
node ./scripts/addPackageJsonGitHead.mjs package.json
npm pack
mv typescript*.tgz typescript.tgz
echo "package=$PWD/typescript.tgz" >> "$GITHUB_OUTPUT"
id: pack
- name: Smoke test
run: |
cd "$(mktemp -d)"
npm init --yes
npm install ${{ steps.pack.outputs.package }}
echo "Testing tsc..."
npx tsc --version
echo "Testing tsserver..."
echo '{"seq": 1, "command": "status"}' | npx tsserver
node $GITHUB_WORKSPACE/scripts/checkModuleFormat.mjs typescript
node $GITHUB_WORKSPACE/scripts/checkModuleFormat.mjs typescript/lib/tsserverlibrary
package-size:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: pr
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: base
ref: ${{ github.base_ref }}
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 'lts/*'
- run: |
npm --version
# corepack enable npm
- run: |
npm install -g $(jq -r '.packageManager' < package.json)
npm --version
working-directory: ./pr
- run: npm ci
working-directory: ./pr
- run: npm ci
working-directory: ./base
- run: npx hereby lkg
working-directory: ./pr
- run: npx hereby lkg
working-directory: ./base
- run: |
echo "See $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID for more info."
node ./pr/scripts/checkPackageSize.mjs ./base ./pr >> $GITHUB_STEP_SUMMARY
misc:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 'lts/*'
- run: npm ci
- name: Build scripts
run: npx hereby scripts
- name: ESLint tests
run: npx hereby run-eslint-rules-tests
self-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 'lts/*'
- run: npm ci
- name: Build tsc
run: npx hereby tsc
- name: Clean
run: npx hereby clean-src
- name: Self build
run: npx hereby build-src --built
baselines:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 'lts/*'
- run: npm ci
- name: Remove all baselines
run: rm -rf tests/baselines/reference
- name: Run tests
run: npm test &> /dev/null || exit 0
- name: Accept baselines
run: |
npx hereby baseline-accept
git add tests/baselines/reference
- name: Check baselines
id: check-baselines
run: |
function print_diff() {
if ! git diff --staged --exit-code --quiet --diff-filter=$1; then
echo "$2:"
git diff --staged --name-only --diff-filter=$1
fi
}
if ! git diff --staged --exit-code --quiet; then
print_diff ACR "Missing baselines"
print_diff MTUXB "Modified baselines"
print_diff D "Unused baselines"
git diff --staged > fix_baselines.patch
exit 1
fi
- name: Upload baseline diff artifact
if: ${{ failure() && steps.check-baselines.conclusion == 'failure' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: fix_baselines.patch
path: fix_baselines.patch