meta: bump ossf/scorecard-action from 2.3.3 to 2.4.0 #192
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Security Notes | |
# This workflow uses `pull_request_target`, so will run against all PRs automatically (without approval), be careful with allowing any user-provided code to be run here | |
# Only selected Actions are allowed within this repository. Please refer to (https://github.com/nodejs/nodejs.org/settings/actions) | |
# for the full list of available actions. If you want to add a new one, please reach out a maintainer with Admin permissions. | |
# REVIEWERS, please always double-check security practices before merging a PR that contains Workflow changes!! | |
# AUTHORS, please only use actions with explicit SHA references, and avoid using `@master` or `@main` references or `@version` tags. | |
# MERGE QUEUE NOTE: This Workflow does not run on `merge_group` trigger, as this Workflow is not required for Merge Queue's | |
name: Lighthouse | |
on: | |
pull_request_target: | |
branches: | |
- main | |
types: | |
- labeled | |
defaults: | |
run: | |
# This ensures that the working directory is the root of the repository | |
working-directory: ./ | |
permissions: | |
contents: read | |
actions: read | |
# This permission is required by `thollander/actions-comment-pull-request` | |
pull-requests: write | |
jobs: | |
lighthouse-ci: | |
# We want to skip our lighthouse analysis on Dependabot PRs | |
if: | | |
startsWith(github.event.pull_request.head.ref, 'dependabot/') == false && | |
github.event.label.name == 'github_actions:pull-request' | |
name: Lighthouse Report | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- name: Git Checkout | |
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
with: | |
# Since we checkout the HEAD of the current Branch, if the Pull Request comes from a Fork | |
# we want to clone the fork's repository instead of the base repository | |
# this allows us to have the correct history tree of the perspective of the Pull Request's branch | |
# If the Workflow is running on `merge_group` or `push` events it fallsback to the base repository | |
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} | |
# We checkout the branch itself instead of a specific SHA (Commit) as we want to ensure that this Workflow | |
# is always running with the latest `ref` (changes) of the Pull Request's branch | |
# If the Workflow is running on `merge_group` or `push` events it fallsback to `github.ref` which will often be `main` | |
# or the merge_group `ref` | |
ref: ${{ github.event.pull_request.head.ref || github.ref }} | |
- name: Add Comment to PR | |
# Signal that a lighthouse run is about to start | |
uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0 | |
with: | |
message: | | |
Running Lighthouse audit... | |
# Used later to edit the existing comment | |
comment_tag: "lighthouse_audit" | |
- name: Capture Vercel Preview | |
uses: patrickedqvist/wait-for-vercel-preview@dca4940010f36d2d44caa487087a09b57939b24a # v1.3.1 | |
id: vercel_preview_url | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
# timeout after 5 minutes | |
max_timeout: 300 | |
# check every 10 seconds | |
check_interval: 10 | |
- name: Audit Preview URL with Lighthouse | |
# Conduct the lighthouse audit | |
id: lighthouse_audit | |
uses: treosh/lighthouse-ci-action@1b0e7c33270fbba31a18a0fbb1de7cc5256b6d39 # v11.4.0 | |
with: | |
# Defines the settings and assertions to audit | |
configPath: "./.lighthouserc.json" | |
# These URLS capture critical pages / site functionality. | |
urls: | | |
${{ steps.vercel_preview_url.outputs.url }}/ | |
uploadArtifacts: true # save results as a action artifacts | |
temporaryPublicStorage: true # upload lighthouse report to the temporary storage | |
- name: Format Lighthouse Score | |
# Transform the audit results into a single, friendlier output | |
id: format_lighthouse_score | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
env: | |
# using env as input to our script | |
# see https://github.com/actions/github-script#use-env-as-input | |
LIGHTHOUSE_RESULT: ${{ steps.lighthouse_audit.outputs.manifest }} | |
LIGHTHOUSE_LINKS: ${{ steps.lighthouse_audit.outputs.links }} | |
VERCEL_PREVIEW_URL: ${{ steps.vercel_preview_url.outputs.url }} | |
with: | |
# Run as a separate file so we do not have to inline all of our formatting logic. | |
# See https://github.com/actions/github-script#run-a-separate-file for more info. | |
script: | | |
const { formatLighthouseResults } = await import('${{github.workspace}}/lib/lighthouse/index.mjs') | |
await formatLighthouseResults({core}) | |
- name: Add Comment to PR | |
# Replace the previous message with our formatted lighthouse results | |
uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0 | |
with: | |
# Reference the previously created comment | |
comment_tag: "lighthouse_audit" | |
message: | | |
${{ steps.format_lighthouse_score.outputs.comment }} |