Skip to content

social-connect CI/CD for renovate/npm-firebase-tools-vulnerability #711

social-connect CI/CD for renovate/npm-firebase-tools-vulnerability

social-connect CI/CD for renovate/npm-firebase-tools-vulnerability #711

name: social-connect CI/CD
run-name: social-connect CI/CD for ${{ github.head_ref || github.ref_name }}
# Dockefile for the self-hosted runner:
# https://github.com/celo-org/infrastructure/blob/master/terraform/root-modules/gcp/integration-tests-gke/files/github-arc/Dockerfile-monorepo
on:
push:
branches:
- main
- changeset-release/prerelease/*
- changeset-release/main
pull_request:
branches:
- main
- prerelease/*
concurrency:
group: social-connect-${{ github.ref }}
cancel-in-progress: true
defaults:
run:
shell: bash --login -eo pipefail {0}
env:
# Increment these to force cache rebuilding
NODE_MODULE_CACHE_VERSION: 3
NODE_OPTIONS: '--max-old-space-size=4096'
TERM: dumb
GRADLE_OPTS: '-Dorg.gradle.daemon=false -Dorg.gradle.parallel=false -Dorg.gradle.configureondemand=true -Dorg.gradle.jvmargs="-Xmx4096m -XX:+HeapDumpOnOutOfMemoryError"'
jobs:
install-dependencies:
name: Install + Build
outputs:
package-json-checksum: ${{ steps.node-checksums.outputs.PACKAGE_JSON_CHECKSUM }}
# Propagate more outputs if you need https://github.com/tj-actions/changed-files#outputs
# Adding a initial comma so ',<path>' matches also for the first file
all_modified_files: ',${{ steps.changed-files.outputs.all_modified_files }}'
# runs-on: ubuntu-latest
runs-on: ['self-hosted', 'org', '8-cpu']
container:
image: us-west1-docker.pkg.dev/devopsre/actions-runner-controller/celo-monorepo:node18
timeout-minutes: 30
steps:
- name: Restore .git cache
uses: actions/cache@v3
id: cache_git
with:
path: .git
key: git-${{ github.ref }}
restore-keys: |
git-
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Detect files changed in PR, and expose as output
id: changed-files
uses: tj-actions/changed-files@v41
with:
# Using comma as separator to be able to easily match full paths (using ,<path>)
separator: ','
# Checking if changed in the last 100 commits in PRs
fetch_depth: '100'
- run: echo ",${{ steps.changed-files.outputs.all_modified_files }}"
- name: Verify setup for incremental testing
run: |
set -euo pipefail
set -v
# To get the "main" branch mapping
git checkout main
git checkout ${GITHUB_SHA}
# Verify that following commands work, they are later called in the incremental testing script
# Their output does not matter here, the fact that they finish successfully does.
git rev-parse --abbrev-ref HEAD
git fetch --all --tags
- name: Calculate node cache keys
id: node-checksums
run: |
find . -maxdepth 5 -type f -name 'package.json' -not -path "*node_modules*" -print0 | sort -z | xargs -0 cat > $RUNNER_TEMP/package.checksum
echo "PACKAGE_JSON_CHECKSUM=$(md5sum $RUNNER_TEMP/package.checksum | cut -f1 -d' ')"
echo "PACKAGE_JSON_CHECKSUM=$(md5sum $RUNNER_TEMP/package.checksum | cut -f1 -d' ')" >> "$GITHUB_OUTPUT"
- name: Restore node cache
uses: actions/cache@v3
id: cache_node
with:
# We need to cache all the artifacts generated by yarn install+build
# Update this list also in .github/actions/sync-workspace/action.yml with exactly the same list
path: |
./.yarn/cache
node_modules
app/**/node_modules
packages/**/node_modules
examples/docs/node_modules
key: node-${{ runner.os }}-${{ runner.arch }}-${{ env.NODE_MODULE_CACHE_VERSION }}-${{ hashFiles('yarn.lock') }}-${{ steps.node-checksums.outputs.PACKAGE_JSON_CHECKSUM }}
restore-keys: |
node-${{ runner.os }}-${{ runner.arch }}-${{ env.NODE_MODULE_CACHE_VERSION }}-
# We use cache to share the build artifacts between jobs (gh artifacts are too slow...)
# For more context check https://github.com/actions/upload-artifact/issues/199
- name: Restore build artifacts cache
uses: actions/cache@v3
id: cache_build_artifacts
with:
# We need to cache all the artifacts generated by yarn install+build
# Update this list also in .github/actions/sync-workspace/action.yml with exactly the same list
path: |
packages/**/lib
packages/**/dist
apps/**/dist
key: code-${{ github.sha }}
restore-keys: |
code-${{ github.sha }}
- name: "enable corepack"
run : sudo corepack enable yarn
- name: Install yarn dependencies
# skip check due to YN0078: │ Invalid resolution @celo/odis-identifiers@npm:^1.0.0 → npm:1.0.0
run: git config --global url."https://".insteadOf ssh:// && yarn install --no-check-resolutions
- name: Fail if any file changed on git
run: |
# This fails if there is any change
if ! git diff-index HEAD --; then
echo "Git changes detected while building. If this is unexpected, bump NODE_MODULE_CACHE_VERSION in .github/workflows/social-connect.yml"
exit 1
fi
- name: Build packages
run: yarn build
- name: Check licenses
if: steps.cache_node.outputs.cache-hit != 'true'
run: |
yarn check-licenses
lint-checks:
name: Lint code
runs-on: ['self-hosted', 'org', '8-cpu']
container:
image: us-west1-docker.pkg.dev/devopsre/actions-runner-controller/celo-monorepo:node18
timeout-minutes: 30
needs: install-dependencies
steps:
# Restore .git cache as we need to checkout the local composite action to run it:
# https://github.com/orgs/community/discussions/11771
- uses: actions/cache/restore@v3
id: cache_git
with:
path: .git
key: git-${{ github.ref }}
- uses: actions/checkout@v3
- name: Sync workspace
uses: ./.github/actions/sync-workspace
with:
package-json-checksum: ${{ needs.install-dependencies.outputs.package-json-checksum }}
- run: yarn run prettify:diff
- run: yarn run lint
- name: Dump GitHub context
# Use to debug github event and check user ids
if: false
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: |
echo "$GITHUB_CONTEXT"
- name: Filter paths
id: changes
uses: dorny/paths-filter@v2
with:
list-files: 'shell'
filters: |
markdown:
- added|deleted|modified: "((**/*.md)|(**.md))"
others:
- added|deleted|modified: "!((**/*.md)|(**.md))"
- name: Find ChangeSet in PR
uses: peter-evans/find-comment@v2
id: fc
# Skip if author is github-bot from celo-org or only md files changed
if: github.event_name == 'pull_request' && github.event.pull_request.user.type != 'Bot' && steps.changes.outputs.others == 'true'
with:
issue-number: ${{ github.event.pull_request.number }}
body-includes: Changeset detected
comment-author: changeset-bot[bot]
- name: Fail if Changeset commit not found
# Skip if author is github-bot from celo-org or only md files changed
if: github.event_name == 'pull_request' && github.event.pull_request.user.type != 'Bot' && steps.changes.outputs.others == 'true'
run: |
if ${{ steps.fc.outputs.comment-id == 0 }}; then
echo "Error: No Changeset Found. You create an empty changeset with 'yarn cs add --empty'" && exit 1
else
echo "Changeset Found"
fi
general-test:
name: General (identity + encrypted-backup) test
runs-on: ['self-hosted', 'org', '8-cpu']
container:
image: us-west1-docker.pkg.dev/devopsre/actions-runner-controller/celo-monorepo:node18
needs: install-dependencies
steps:
- uses: actions/cache/restore@v3
id: cache_git
with:
path: .git
key: git-${{ github.ref }}
- uses: actions/checkout@v3
- name: Sync workspace
uses: ./.github/actions/sync-workspace
with:
package-json-checksum: ${{ needs.install-dependencies.outputs.package-json-checksum }}
- name: Run Odis Identifier Tests
run: |
yarn --cwd=packages/odis-identifiers test
- name: Run Encrypted Backup tests
run: |
yarn --cwd=packages/encrypted-backup test
- name: Run Identity Tests
run: |
yarn --cwd=packages/identity test
- name: Upload Jest Test Results
uses: actions/upload-artifact@v3
with:
name: Jest Test Results
path: test-results/jest
combiner-test:
name: Combiner test
runs-on: ['self-hosted', 'org', '8-cpu']
container:
image: us-west1-docker.pkg.dev/devopsre/actions-runner-controller/celo-monorepo:node18
timeout-minutes: 30
needs: install-dependencies
if: |
github.base_ref == 'main' || contains(github.base_ref, 'staging') || contains(github.base_ref, 'production') ||
contains(needs.install-dependencies.outputs.all_modified_files, 'apps/combiner') ||
contains(needs.install-dependencies.outputs.all_modified_files, ',package.json') ||
contains(needs.install-dependencies.outputs.all_modified_files, ',yarn.lock') ||
false
steps:
- uses: actions/cache/restore@v3
id: cache_git
with:
path: .git
key: git-${{ github.ref }}
- uses: actions/checkout@v3
- name: Sync workspace
uses: ./.github/actions/sync-workspace
with:
package-json-checksum: ${{ needs.install-dependencies.outputs.package-json-checksum }}
- name: Run Tests for combiner
run: |
yarn --cwd=apps/combiner test:coverage
odis-test:
name: ODIS (signer + common) test
needs: install-dependencies
runs-on: ['self-hosted', 'org', '8-cpu']
container:
image: us-west1-docker.pkg.dev/devopsre/actions-runner-controller/celo-monorepo:node18
timeout-minutes: 30
if: |
github.base_ref == 'main' || contains(github.base_ref, 'staging') || contains(github.base_ref, 'production') ||
contains(needs.install-dependencies.outputs.all_modified_files, 'packages') ||
contains(needs.install-dependencies.outputs.all_modified_files, 'apps/signer') ||
contains(needs.install-dependencies.outputs.all_modified_files, ',package.json') ||
contains(needs.install-dependencies.outputs.all_modified_files, ',yarn.lock') ||
false
steps:
- uses: actions/cache/restore@v3
id: cache_git
with:
path: .git
key: git-${{ github.ref }}
- uses: actions/checkout@v4
- name: Sync workspace
uses: ./.github/actions/sync-workspace
with:
package-json-checksum: ${{ needs.install-dependencies.outputs.package-json-checksum }}
- name: Run Tests for common package
run: |
yarn --cwd=packages/common test:coverage
- name: Run Tests for signer
run: |
yarn --cwd=apps/signer test:coverage