Fix dependencies vulnerabilities #1495
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD | |
on: | |
push: | |
branches: | |
- "master" | |
pull_request: | |
branches: | |
- "master" | |
release: | |
types: [published] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
NODE_VERSION: 20 | |
jobs: | |
# Run unit tests | |
unit_tests: | |
runs-on: ${{ matrix.os }} | |
name: Unit tests on ${{ matrix.os }} | |
if: always() | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, windows-latest, macos-latest] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Setup NodeJS ${{ env.NODE_VERSION }} | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Install dependencies | |
run: npm ci | |
- name: Run tests | |
run: npm run test-ci | |
env: | |
FORCE_COLOR: 3 | |
- name: Upload coverage to Codecov | |
if: ${{ github.event_name != 'release' }} | |
uses: codecov/codecov-action@v5 | |
with: | |
fail_ci_if_error: true | |
token: ${{ secrets.CODECOV_TOKEN }} | |
# Run linters on code | |
lint: | |
runs-on: ubuntu-latest | |
name: Lint code | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Setup NodeJS ${{ env.NODE_VERSION }} | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Install dependencies | |
run: npm ci | |
- name: Run prettier | |
run: npm run format-check | |
- name: Run eslint | |
run: npm run lint | |
# Test if build is successful | |
build: | |
runs-on: ubuntu-latest | |
name: Test build | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Setup NodeJS ${{ env.NODE_VERSION }} | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Install dependencies | |
run: npm ci | |
- name: Build Typescript | |
run: npm run build | |
- name: Package with NCC | |
run: npm run package | |
- name: Upload built action | |
uses: actions/upload-artifact@v4 | |
with: | |
name: built-action | |
path: | | |
dist/index.js | |
.github/ | |
action.yml | |
retention-days: 1 | |
if-no-files-found: error | |
include-hidden-files: true | |
# Test build of different python versions | |
create_matrix: | |
name: Create matrix | |
runs-on: ubuntu-latest | |
outputs: | |
matrix-json: ${{ steps.matrix.outputs.matrix }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Update pip | |
run: python -m pip install --upgrade pip | |
- name: Install wheel | |
run: pip install wheel | |
- name: Install requirements | |
run: pip install -r ./.github/scripts/requirements.txt | |
- name: Create matrix | |
id: matrix | |
run: python ./.github/scripts/create_python_matrix.py | |
test_python_build: | |
needs: [create_matrix, build] | |
runs-on: ${{ matrix.os }} | |
name: Test build Python ${{ matrix.python-version }} for ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON(needs.create_matrix.outputs.matrix-json) }} | |
steps: | |
- name: Download built action | |
uses: actions/download-artifact@v4 | |
with: | |
name: built-action | |
- name: Test action with Python ${{ matrix.python-version }} | |
id: build | |
uses: ./ | |
with: | |
python-version: ${{ matrix.python-version }} | |
allow-build: force | |
- name: Setup Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v5 | |
id: setup | |
with: | |
python-version: ${{ steps.build.outputs.python-version }} | |
architecture: ${{ steps.build.outputs.architecture }} | |
- name: Setup pip | |
run: ./.github/scripts/setup_pip.ps1 | |
shell: pwsh | |
env: | |
PYTHON_VERSION: ${{ steps.setup.outputs.python-version }} | |
- name: Check Python version | |
run: python ./.github/scripts/check_python_version.py ${{ matrix.python-version }} | |
- name: Check strict Python version | |
run: python ./.github/scripts/check_python_version.py ${{ steps.build.outputs.python-version }} | |
check_test_python_build: | |
needs: test_python_build | |
if: always() | |
runs-on: ubuntu-latest | |
name: Check build is successfull for all Python versions | |
steps: | |
- name: Emit failure | |
if: ${{ needs.test_python_build.result != 'success' }} | |
run: exit 1 | |
- name: Emit success | |
run: echo All Python versions have been successfully built and installed... | |
# CodeQL security scan | |
codeql: | |
runs-on: ubuntu-latest | |
name: CodeQL Scan | |
if: ${{ github.event_name != 'release' }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: javascript-typescript | |
queries: security-and-quality | |
- name: Autobuild | |
uses: github/codeql-action/autobuild@v3 | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
# Update release tag | |
release: | |
if: ${{ github.event_name == 'release' }} | |
runs-on: ubuntu-latest | |
name: Build and release | |
needs: [build, lint, unit_tests, check_test_python_build] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
ref: ${{ github.event.release.tag_name }} | |
- name: Setup NodeJS ${{ env.NODE_VERSION }} | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Install dependencies | |
run: npm ci | |
- name: Build Typescript | |
run: npm run build | |
- name: Package with NCC | |
run: npm run package | |
- name: Force update tag | |
uses: JasonEtco/build-and-tag-action@v2 | |
env: | |
GITHUB_TOKEN: ${{ github.token }} |