From d692cb6290e28f1f176c65435b1be85469404e0b Mon Sep 17 00:00:00 2001 From: Valentin Laurin Date: Thu, 18 Nov 2021 17:11:56 +0000 Subject: [PATCH 1/5] Split quality and security checks --- .github/workflows/ci.yml | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8dcfbfd..ff17b4a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -58,6 +58,21 @@ jobs: run: npm ci - name: Run tests run: npm test -- --coverage + + security_checks: + name: Security checks + needs: [ start ] + runs-on: ubuntu-latest + timeout-minutes: 5 + steps: + - name: Checkout + uses: actions/checkout@v2.4.0 + + - name: Setup NodeJS 12 + uses: actions/setup-node@v2.4.1 + with: + node-version: '12.x' + - name: Audit dependencies run: npm audit --audit-level=low --production @@ -82,7 +97,7 @@ jobs: publish: name: Publish - needs: [quality_checks, lint] + needs: [quality_checks, security_checks, lint] if: github.event_name == 'release' && github.event.action == 'released' runs-on: ubuntu-latest timeout-minutes: 5 @@ -118,7 +133,7 @@ jobs: end: name: End - needs: [start, quality_checks, lint, publish] + needs: [start, quality_checks, security_checks, lint, publish] if: always() runs-on: ubuntu-latest timeout-minutes: 5 @@ -129,10 +144,11 @@ jobs: id: summary env: QUALITY: ${{ needs.quality_checks.result }} + SECURITY: ${{ needs.security_checks.result }} LINT: ${{ needs.lint.result }} PUBLISH: ${{ needs.publish.result }} run: | - echo ::set-output name=success::$(if [[ "$QUALITY$LINT$PUBLISH" =~ ^(success|skipped)+$ ]]; then echo "true"; else echo "false"; fi) + echo ::set-output name=success::$(if [[ "$QUALITY$SECURITY$LINT$PUBLISH" =~ ^(success|skipped)+$ ]]; then echo "true"; else echo "false"; fi) - name: Notify slack success if: steps.summary.outputs.success == 'true' && env.SLACK_BOT_TOKEN != 0 uses: voxmedia/github-action-slack-notify-build@v1 
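Review bot: The two `uses:` lines in the new security_checks job reference actions/checkout and actions/setup-node by version tag, and tags are mutable, so the job that is meant to be the dependency-hygiene gate can itself resolve to code other than what was reviewed; pinning to the release's full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v2.4.0`, gives an immutable reference that Dependabot can still bump. The same tag-style pins already exist in the quality_checks job above this hunk. Separately, the job has no `npm ci` step before Audit dependencies, so the audit presumably runs from the committed package-lock.json alone; a comment above that step, `# No install step: npm audit reads package-lock.json`, would record that this is intentional rather than an omission.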
From b7379c21b6abdf54758f188a00d48fd656bd5f4c Mon Sep 17 00:00:00 2001 From: Valentin Laurin Date: Thu, 18 Nov 2021 17:12:44 +0000 Subject: [PATCH 2/5] Run quality checks against Node 12, 14 and 16 Resolves #181 --- .github/workflows/ci.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ff17b4a..b555fe7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,6 +34,9 @@ jobs: needs: [start] runs-on: ubuntu-latest timeout-minutes: 5 + strategy: + matrix: + node: [ 12, 14, 16 ] steps: - name: Checkout uses: actions/checkout@v2.4.0 @@ -49,10 +52,10 @@ jobs: restore-keys: | ${{ runner.os }}-node- - - name: Setup NodeJS 12 + - name: Setup NodeJS ${{ matrix.node }} uses: actions/setup-node@v2.4.1 with: - node-version: '12.x' + node-version: ${{ matrix.node }} - name: Install deps run: npm ci From bdc55eeae4c5379420b541ddeb9f9f315d9e5698 Mon Sep 17 00:00:00 2001 From: Valentin Laurin Date: Thu, 18 Nov 2021 17:15:22 +0000 Subject: [PATCH 3/5] Uses default setup-node cache --- .github/workflows/ci.yml | 25 +++---------------------- 1 file changed, 3 insertions(+), 22 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b555fe7..8fbe1e9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -41,21 +41,11 @@ jobs: - name: Checkout uses: actions/checkout@v2.4.0 - - name: Get npm cache directory - id: npm-cache - run: | - echo "::set-output name=dir::$(npm config get cache)" - - uses: actions/cache@v2.1.6 - with: - path: ${{ steps.npm-cache.outputs.dir }} - key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- - - name: Setup NodeJS ${{ matrix.node }} uses: actions/setup-node@v2.4.1 with: node-version: ${{ matrix.node }} + cache: 'npm' - name: Install deps run: npm ci 
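Review bot: The new `strategy.matrix` block in quality_checks sets no `fail-fast`, and the default is `fail-fast: true`, so the first Node version to fail cancels the remaining ones and hides whether the failure is version-specific; for a compatibility matrix add `fail-fast: false` on the line above `matrix:`. The flow list is also written `node: [ 12, 14, 16 ]` with inner spaces while `needs: [start]` in the same job has none, and one spacing should be used file-wide. The quality_checks job continues past the end of this hunk.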
@@ -75,6 +65,7 @@ jobs: uses: actions/setup-node@v2.4.1 with: node-version: '12.x' + cache: 'npm' - name: Audit dependencies run: npm audit --audit-level=low --production @@ -108,21 +99,11 @@ jobs: - name: Checkout uses: actions/checkout@v2.4.0 - - name: Get npm cache directory - id: npm-cache - run: | - echo "::set-output name=dir::$(npm config get cache)" - - uses: actions/cache@v2.1.6 - with: - path: ${{ steps.npm-cache.outputs.dir }} - key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- - - name: Setup NodeJS 12 uses: actions/setup-node@v2.4.1 with: node-version: '12.x' + cache: 'npm' registry-url: https://registry.npmjs.org scope: '@quickcase' From edcdd6016d5eb1dd2469036bdd8b27930a664120 Mon Sep 17 00:00:00 2001 From: Valentin Laurin Date: Thu, 18 Nov 2021 17:16:36 +0000 Subject: [PATCH 4/5] Use Node 14 by default for CI --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8fbe1e9..bcd8609 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -61,10 +61,10 @@ jobs: - name: Checkout uses: actions/checkout@v2.4.0 - - name: Setup NodeJS 12 + - name: Setup NodeJS 14 uses: actions/setup-node@v2.4.1 with: - node-version: '12.x' + node-version: '14' cache: 'npm' - name: Audit dependencies @@ -99,10 +99,10 @@ jobs: - name: Checkout uses: actions/checkout@v2.4.0 - - name: Setup NodeJS 12 + - name: Setup NodeJS 14 uses: actions/setup-node@v2.4.1 with: - node-version: '12.x' + node-version: '14' cache: 'npm' registry-url: https://registry.npmjs.org scope: '@quickcase' From 0eeebf08492cf725201689dcfbe308f23ee7daf7 Mon Sep 17 00:00:00 2001 
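Review bot: The `cache: 'npm'` line added to the setup-node step of security_checks has no install to serve: that job's steps are Checkout, Setup NodeJS and Audit dependencies with no `npm ci`, so presumably the npm cache directory is never populated and the action restores and saves an empty cache on every run. Either drop `cache: 'npm'` in this job or add an `npm ci` step if installed packages are actually needed for the audit. The same line added to the publish job in the next hunk is appropriate only if that job installs dependencies, which is outside the hunk and worth confirming.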
From: Valentin Laurin Date: Thu, 18 Nov 2021 17:22:23 +0000 Subject: [PATCH 5/5] Remove CI start job Reduce noise by being more selective of messages posted to slack --- .github/workflows/ci.yml | 27 ++------------------------- 1 file changed, 2 insertions(+), 25 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bcd8609..3bbc029 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,27 +11,8 @@ on: permissions: contents: read jobs: - start: - name: Start - runs-on: ubuntu-latest - timeout-minutes: 5 - env: - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - outputs: - slack_message_id: ${{ steps.slack.outputs.message_id }} - steps: - - name: Notify slack starting - if: success() && env.SLACK_BOT_TOKEN != 0 - id: slack - uses: voxmedia/github-action-slack-notify-build@v1 - with: - channel: dev - status: STARTING - color: warning - quality_checks: name: Quality checks - needs: [start] runs-on: ubuntu-latest timeout-minutes: 5 strategy: @@ -54,7 +35,6 @@ jobs: security_checks: name: Security checks - needs: [ start ] runs-on: ubuntu-latest timeout-minutes: 5 steps: @@ -72,7 +52,6 @@ jobs: lint: name: Lint - needs: [start] if: github.ref != 'refs/heads/main' # Don't run for main branch runs-on: ubuntu-latest timeout-minutes: 10 @@ -117,7 +96,7 @@ jobs: end: name: End - needs: [start, quality_checks, security_checks, lint, publish] + needs: [quality_checks, security_checks, lint, publish] if: always() runs-on: ubuntu-latest timeout-minutes: 5 
@@ -134,10 +113,9 @@ jobs: run: | echo ::set-output name=success::$(if [[ "$QUALITY$SECURITY$LINT$PUBLISH" =~ ^(success|skipped)+$ ]]; then echo "true"; else echo "false"; fi) - name: Notify slack success - if: steps.summary.outputs.success == 'true' && env.SLACK_BOT_TOKEN != 0 + if: steps.summary.outputs.success == 'true' && github.event_name == 'release' && env.SLACK_BOT_TOKEN != 0 uses: voxmedia/github-action-slack-notify-build@v1 with: - message_id: ${{ needs.start.outputs.slack_message_id }} channel: dev status: SUCCESS color: good @@ -145,7 +123,6 @@ jobs: if: steps.summary.outputs.success != 'true' && env.SLACK_BOT_TOKEN != 0 uses: voxmedia/github-action-slack-notify-build@v1 with: - message_id: ${{ needs.start.outputs.slack_message_id }} channel: dev status: FAILED color: danger
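Review bot: The rewritten `if:` on Notify slack success still tests the secret with `env.SLACK_BOT_TOKEN != 0`, which only holds through expression coercion (an empty string compares equal to 0, a non-numeric token becomes NaN and does not); `env.SLACK_BOT_TOKEN != ''` states the intent directly and should be mirrored on the Notify slack failure step in the following hunk. Since the start job that declared `SLACK_BOT_TOKEN` from `secrets` was removed in the first hunk of this patch, the end job must now carry its own `env:` entry for it; that block is outside the hunk, so please confirm it is present. Dropping `message_id` means each notification is now a fresh message rather than an update of the starting one, which matches the commit description.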