Skip to content

meta: bump ossf/scorecard-action from 2.3.3 to 2.4.0 #252

meta: bump ossf/scorecard-action from 2.3.3 to 2.4.0

meta: bump ossf/scorecard-action from 2.3.3 to 2.4.0 #252

# Security Notes
# Only selected Actions are allowed within this repository. Please refer to (https://github.com/nodejs/nodejs.org/settings/actions)
# for the full list of available actions. If you want to add a new one, please reach out a maintainer with Admin permissions.
# REVIEWERS, please always double-check security practices before merging a PR that contains Workflow changes!!
# AUTHORS, please only use actions with explicit SHA references, and avoid using `@master` or `@main` references or `@version` tags.
name: Linting and Tests
on:
push:
branches:
- main
pull_request_target:
branches:
- main
types:
- labeled
merge_group:
defaults:
run:
# This ensures that the working directory is the root of the repository
working-directory: ./
permissions:
contents: read
actions: read
# This permission is required by `MishaKav/jest-coverage-comment`
pull-requests: write
env:
NEXT_PUBLIC_BASE_URL: ${{ secrets.NEXT_PUBLIC_BASE_URL }}
NEXT_PUBLIC_SITE_NAME: ${{ secrets.NEXT_PUBLIC_SITE_NAME }}
NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
TURBO_TEAM: ${{ vars.TURBO_TEAM }}
jobs:
base:
name: Base Tasks
runs-on: ubuntu-latest
outputs:
turbo_args: ${{ steps.turborepo_arguments.outputs.turbo_args }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Provide Turborepo Arguments
# This step is responsible for providing a reusable string that can be used within other steps and jobs
# that use the `turbo` cli command as a way of easily providing shared arguments to the `turbo` command
id: turborepo_arguments
# See https://turbo.build/repo/docs/reference/command-line-reference/run#--cache-dir
# See https://turbo.build/repo/docs/reference/command-line-reference/run#--force
run: echo "turbo_args=--force=true --cache-dir=.turbo/cache" >> "$GITHUB_OUTPUT"
lint:
# This Job should run either on `merge_groups` or `push` events
# or `pull_request_target` event with a `labeled` action with a label named `github_actions:pull-request`
# since we want to run lint checks against any changes on pull requests, or the final patch on merge groups
# or if direct pushes happen to main (or when changes in general land on the `main` (default) branch)
# Note that the reason why we run this on pushes against `main` is that on rare cases, maintainers might do direct pushes against `main`
if: |
(github.event_name == 'push' || github.event_name == 'merge_group') ||
(github.event_name == 'pull_request_target' &&
github.event.label.name == 'github_actions:pull-request')
name: Lint
runs-on: ubuntu-latest
needs: [base]
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Git Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
with:
# Since we checkout the HEAD of the current Branch, if the Pull Request comes from a Fork
# we want to clone the fork's repository instead of the base repository
# this allows us to have the correct history tree of the perspective of the Pull Request's branch
# If the Workflow is running on `merge_group` or `push` events it fallsback to the base repository
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
# We checkout the branch itself instead of a specific SHA (Commit) as we want to ensure that this Workflow
# is always running with the latest `ref` (changes) of the Pull Request's branch
# If the Workflow is running on `merge_group` or `push` events it fallsback to `github.ref` which will often be `main`
# or the merge_group `ref`
ref: ${{ github.event.pull_request.head.ref || github.ref }}
- name: Set up pnpm
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
with:
version: 8.15.6
- name: Restore Lint Cache
uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: |
.turbo/cache
node_modules/.cache
.eslintjscache
.stylelintcache
.prettiercache
# We want to restore Turborepo Cache and ESlint and Prettier Cache
# The ESLint and Prettier cache's are useful to reduce the overall runtime of ESLint and Prettier
# as they will only run on files that have changed since the last cached run
# this might of course lead to certain files not being checked against the linter, but the chances
# of such situation from happening are very slim as the checksums of both files would need to match
key: cache-lint-${{ hashFiles('pnpm-lock.json') }}-
restore-keys: |
cache-lint-${{ hashFiles('pnpm-lock.json') }}-
cache-lint-
- name: Set up Node.js
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
# We want to ensure that the Node.js version running here respects our supported versions
node-version-file: ".nvmrc"
cache: "pnpm"
- name: Install pnpm packages
# We want to avoid npm from running the Audit Step and Funding messages on a CI environment
# We also use `npm i` instead of `npm ci` so that the node_modules/.cache folder doesn't get deleted
run: CI=true pnpm i --ignore-scripts
- name: Run `turbo lint`
# We run the ESLint and Prettier commands on all Workflow triggers of the `Lint` job
# Note: Linting and Prettifying of files on Crowdin PRs is handled by the `translations-pr.yml` Workflow
if: |
(github.event_name == 'push' || github.event_name == 'merge_group') ||
(github.event_name == 'pull_request_target')
# We want to enforce that the actual `turbo@latest` package is used instead of a possible hijack from the user
# the `${{ needs.base.outputs.turbo_args }}` is a string substitution happening from the base job
run: npx --package=turbo@latest -- turbo lint:js lint:css prettier:fix ${{ needs.base.outputs.turbo_args}}
env:
NEXT_PUBLIC_BASE_URL: ${{ secrets.NEXT_PUBLIC_BASE_URL }}
NEXT_PUBLIC_SITE_NAME: ${{ secrets.NEXT_PUBLIC_SITE_NAME }}
NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
TURBO_TEAM: ${{ vars.TURBO_TEAM }}
- name: Run `tsc build`
# We want to ensure that the whole codebase is passing and successfully compiles with TypeScript
run: npx --package=typescript@latest -- tsc --build .
- name: Save Lint Cache
# We only want to save caches on `push` events or `pull_request_target` events
# and if it is a `pull_request_target` event, we want to avoid saving the cache if the PR comes from Dependabot
# or if it comes from an automated Crowdin Pull Request
# The reason we save caches on `push` is because caches creates on `main` (default) branches can be reused within
# other Pull Requests and PRs coming from forks
if: |
github.event_name == 'push' ||
(github.event_name == 'pull_request_target' &&
startsWith(github.event.pull_request.head.ref, 'dependabot/') == false)
uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: |
.turbo/cache
node_modules/.cache
.eslintjscache
.stylelintcache
.prettiercache
key: cache-lint-${{ hashFiles('pnpm-lock.json') }}-${{ hashFiles('.turbo/cache/**') }}
tests:
# This Job should run either on `merge_groups` or `push` events
# or `pull_request_target` event with a `labeled` action with a label named `github_actions:pull-request`
# since we want to run lint checks against any changes on pull requests and on final patches against a pull request.
# We don't need to execute the tests again on pushes against (`main`) as the merge group should already handle that
if: |
(github.event_name == 'push' || github.event_name == 'merge_group') ||
(github.event_name == 'pull_request_target' &&
github.event.label.name == 'github_actions:pull-request')
name: Tests
runs-on: ubuntu-latest
needs: [base]
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Git Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
with:
# Since we checkout the HEAD of the current Branch, if the Pull Request comes from a Fork
# we want to clone the fork's repository instead of the base repository
# this allows us to have the correct history tree of the perspective of the Pull Request's branch
# If the Workflow is running on `merge_group` or `push` events it fallsback to the base repository
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
# We checkout the branch itself instead of a specific SHA (Commit) as we want to ensure that this Workflow
# is always running with the latest `ref` (changes) of the Pull Request's branch
# If the Workflow is running on `merge_group` or `push` events it fallsback to `github.ref` which will often be `main`
# or the merge_group `ref`
ref: ${{ github.event.pull_request.head.ref || github.ref }}
fetch-depth: 0
- name: Set up pnpm
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
with:
version: 8.15.6
- name: Set up Node.js
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
# We want to ensure that the Node.js version running here respects our supported versions
node-version-file: ".nvmrc"
cache: "pnpm"
- name: Install pnpm packages
# We want to avoid npm from running the Audit Step and Funding messages on a CI environment
# We also use `npm i` instead of `npm ci` so that the node_modules/.cache folder doesn't get deleted
run: CI=true pnpm i --ignore-scripts
- name: Run Unit Tests
# We want to run Unit Tests in every circumstance, including Dependabot PRs to ensure
# that changes to dependencies or translations don't break the Unit Tests
# We want to enforce that the actual `turbo@latest` package is used instead of a possible hijack from the user
# the `${{ needs.base.outputs.turbo_args }}` is a string substitution happening from the base job
run: npx --package=turbo@latest -- turbo test:unit ${{ needs.base.outputs.turbo_args }} -- --ci --coverage
env:
NEXT_PUBLIC_BASE_URL: ${{ secrets.NEXT_PUBLIC_BASE_URL }}
NEXT_PUBLIC_SITE_NAME: ${{ secrets.NEXT_PUBLIC_SITE_NAME }}
NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
TURBO_TEAM: ${{ vars.TURBO_TEAM }}
- name: Jest Coverage Comment
# We don't need to post the Jest Coverage comment on Dependabot PRs
# as in general they introduce no changes to the Unit Tests and the Codebase
if: |
github.event_name == 'push' ||
(github.event_name == 'pull_request_target' &&
startsWith(github.event.pull_request.head.ref, 'dependabot/') == false)
# This comments the current Jest Coverage Report containing JUnit XML reports
# and a Code Coverage Summary
uses: MishaKav/jest-coverage-comment@434e6d2d37116d23d812809b61d499639842fa3b # v1.0.26
with:
title: "Unit Test Coverage Report"
junitxml-path: ./junit.xml
junitxml-title: Unit Test Report