diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8dcfbfd..3bbc029 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,59 +11,47 @@ on:
 permissions:
 contents: read
 jobs:
- start:
- name: Start
- runs-on: ubuntu-latest
- timeout-minutes: 5
- env:
- SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- outputs:
- slack_message_id: ${{ steps.slack.outputs.message_id }}
- steps:
- - name: Notify slack starting
- if: success() && env.SLACK_BOT_TOKEN != 0
- id: slack
- uses: voxmedia/github-action-slack-notify-build@v1
- with:
- channel: dev
- status: STARTING
- color: warning
-
 quality_checks:
 name: Quality checks
- needs: [start]
 runs-on: ubuntu-latest
 timeout-minutes: 5
+ strategy:
+ matrix:
+ node: [ 12, 14, 16 ]
 steps:
 - name: Checkout
 uses: actions/checkout@v2.4.0
- - name: Get npm cache directory
- id: npm-cache
- run: |
- echo "::set-output name=dir::$(npm config get cache)"
- - uses: actions/cache@v2.1.6
- with:
- path: ${{ steps.npm-cache.outputs.dir }}
- key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
- restore-keys: |
- ${{ runner.os }}-node-
-
- - name: Setup NodeJS 12
+ - name: Setup NodeJS ${{ matrix.node }}
 uses: actions/setup-node@v2.4.1
 with:
- node-version: '12.x'
+ node-version: ${{ matrix.node }}
+ cache: 'npm'
 - name: Install deps
 run: npm ci
 - name: Run tests
 run: npm test -- --coverage
+
+ security_checks:
+ name: Security checks
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2.4.0
+
+ - name: Setup NodeJS 14
+ uses: actions/setup-node@v2.4.1
+ with:
+ node-version: '14'
+ cache: 'npm'
+
 - name: Audit dependencies
 run: npm audit --audit-level=low --production
 lint:
 name: Lint
- needs: [start]
 if: github.ref != 'refs/heads/main' # Don't run for main branch
 runs-on: ubuntu-latest
 timeout-minutes: 10
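Review bot: The new `security_checks` job's `npm audit --audit-level=low --production` audits only runtime dependencies, so the devDependencies that actually execute inside this workflow (the test and lint tooling installed by `npm ci` in the other jobs) are never checked; if that narrowing is deliberate, a comment such as `# devDependencies are intentionally excluded from the audit` on the step would stop the next reader from treating it as an oversight. `--production` is the npm 6 spelling bundled with the pinned Node 14; newer npm expresses it as `--omit=dev`, so the step will need attention when that version is moved. Minor style: the new matrix writes `node: [ 12, 14, 16 ]` with padded brackets while the file's other flow lists (`needs: [quality_checks, ...]`) are unpadded — `node: [12, 14, 16]` would match.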
@@ -82,7 +70,7 @@ jobs:
 publish:
 name: Publish
- needs: [quality_checks, lint]
+ needs: [quality_checks, security_checks, lint]
 if: github.event_name == 'release' && github.event.action == 'released'
 runs-on: ubuntu-latest
 timeout-minutes: 5
@@ -90,21 +78,11 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v2.4.0
- - name: Get npm cache directory
- id: npm-cache
- run: |
- echo "::set-output name=dir::$(npm config get cache)"
- - uses: actions/cache@v2.1.6
- with:
- path: ${{ steps.npm-cache.outputs.dir }}
- key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
- restore-keys: |
- ${{ runner.os }}-node-
-
- - name: Setup NodeJS 12
+ - name: Setup NodeJS 14
 uses: actions/setup-node@v2.4.1
 with:
- node-version: '12.x'
+ node-version: '14'
+ cache: 'npm'
 registry-url: https://registry.npmjs.org
 scope: '@quickcase'
@@ -118,7 +96,7 @@ jobs:
 end:
 name: End
- needs: [start, quality_checks, lint, publish]
+ needs: [quality_checks, security_checks, lint, publish]
 if: always()
 runs-on: ubuntu-latest
 timeout-minutes: 5
@@ -129,15 +107,15 @@ jobs:
 id: summary
 env:
 QUALITY: ${{ needs.quality_checks.result }}
+ SECURITY: ${{ needs.security_checks.result }}
 LINT: ${{ needs.lint.result }}
 PUBLISH: ${{ needs.publish.result }}
 run: |
- echo ::set-output name=success::$(if [[ "$QUALITY$LINT$PUBLISH" =~ ^(success|skipped)+$ ]]; then echo "true"; else echo "false"; fi)
+ echo ::set-output name=success::$(if [[ "$QUALITY$SECURITY$LINT$PUBLISH" =~ ^(success|skipped)+$ ]]; then echo "true"; else echo "false"; fi)
 - name: Notify slack success
- if: steps.summary.outputs.success == 'true' && env.SLACK_BOT_TOKEN != 0
+ if: steps.summary.outputs.success == 'true' && github.event_name == 'release' && env.SLACK_BOT_TOKEN != 0
 uses: voxmedia/github-action-slack-notify-build@v1
 with:
- message_id: ${{ needs.start.outputs.slack_message_id }}
 channel: dev
 status: SUCCESS
 color: good
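Review bot: The rewritten `if:` on the Slack success step still detects a missing token with `env.SLACK_BOT_TOKEN != 0`, which only holds because the expression engine coerces an empty string to 0 and a non-numeric token to NaN before comparing; `env.SLACK_BOT_TOKEN != ''` states the intent directly and does not lean on that coercion (the failure step in the next hunk keeps the same `!= 0` test). The new `run:` line in the summary step also still emits `::set-output`, which GitHub has since deprecated in favour of appending `success=<value>` to `$GITHUB_OUTPUT`. Where `SLACK_BOT_TOKEN` is placed into the `end` job's env is outside this hunk, so the step condition is read here on the assumption that the env entry still exists after the `start` job was removed.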
@@ -145,7 +123,6 @@ jobs:
 if: steps.summary.outputs.success != 'true' && env.SLACK_BOT_TOKEN != 0
 uses: voxmedia/github-action-slack-notify-build@v1
 with:
- message_id: ${{ needs.start.outputs.slack_message_id }}
 channel: dev
 status: FAILED
 color: danger