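name: social-connect CI/CD
run-name: social-connect CI/CD for ${{ github.head_ref || github.ref_name }}
# Dockerfile for the self-hosted runner:
# https://github.com/celo-org/infrastructure/blob/master/terraform/root-modules/gcp/integration-tests-gke/files/github-arc/Dockerfile-monorepo

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
      - changeset-release/prerelease/*
      - changeset-release/main
  pull_request:
    branches:
      - main
      - prerelease/*

# Least-privilege GITHUB_TOKEN for every job in this workflow.
# `contents: read` covers checkout; `pull-requests: read` is what the
# "Find ChangeSet in PR" comment lookup needs. Nothing here pushes or publishes.
permissions:
  contents: read
  pull-requests: read

# One run per ref: a newer push cancels the in-flight run for the same ref.
concurrency:
  group: social-connect-${{ github.ref }}
  cancel-in-progress: true

# Every `run:` step gets a login shell that fails fast on errors and on
# failing commands inside pipelines.
defaults:
  run:
    shell: bash --login -eo pipefail {0}

env:
  # Increment this to force cache rebuilding (it is part of the node cache key).
  # Quoted so YAML keeps it a string like the other env values.
  NODE_MODULE_CACHE_VERSION: '3'
  NODE_OPTIONS: '--max-old-space-size=4096'
  TERM: dumb
  GRADLE_OPTS: '-Dorg.gradle.daemon=false -Dorg.gradle.parallel=false -Dorg.gradle.configureondemand=true -Dorg.gradle.jvmargs="-Xmx4096m -XX:+HeapDumpOnOutOfMemoryError"'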
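# NOTE(review): third-party actions below are referenced by tag (`@v3`, `@v41`, ...).
# Tags are mutable; pinning each `uses:` to a full commit SHA makes the supply chain
# reproducible. SHAs are intentionally not guessed here — look them up when pinning.
jobs:
  # Installs and builds the workspace once; every other job restores its
  # caches via the local sync-workspace action instead of rebuilding.
  install-dependencies:
    name: Install + Build
    outputs:
      package-json-checksum: ${{ steps.node-checksums.outputs.PACKAGE_JSON_CHECKSUM }}
      # Propagate more outputs if you need https://github.com/tj-actions/changed-files#outputs
      # Adding an initial comma so ',<path>' matches also for the first file
      all_modified_files: ',${{ steps.changed-files.outputs.all_modified_files }}'
    # runs-on: ubuntu-latest
    runs-on: ['self-hosted', 'org', '8-cpu']
    container:
      image: us-west1-docker.pkg.dev/devopsre/actions-runner-controller/celo-monorepo:node18
    timeout-minutes: 30
    steps:
      - name: Restore .git cache
        uses: actions/cache@v3
        id: cache_git
        with:
          path: .git
          key: git-${{ github.ref }}
          restore-keys: |
            git-
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Detect files changed in PR, and expose as output
        id: changed-files
        uses: tj-actions/changed-files@v41
        with:
          # Using comma as separator to be able to easily match full paths (using ,<path>)
          separator: ','
          # Checking if changed in the last 100 commits in PRs
          fetch_depth: '100'
      # The file list comes from the PR, so it is untrusted. It is passed through an
      # environment variable rather than `${{ }}`-interpolated into the `run:` line,
      # otherwise a crafted file name becomes shell syntax that the runner executes.
      - name: Print changed files
        env:
          ALL_MODIFIED_FILES: ${{ steps.changed-files.outputs.all_modified_files }}
        run: echo ",${ALL_MODIFIED_FILES}"
      - name: Verify setup for incremental testing
        run: |
          set -euo pipefail
          set -v
          # To get the "main" branch mapping
          git checkout main
          git checkout "${GITHUB_SHA}"
          # Verify that the following commands work; they are later called in the incremental testing script.
          # Their output does not matter here, the fact that they finish successfully does.
          git rev-parse --abbrev-ref HEAD
          git fetch --all --tags
      - name: Calculate node cache keys
        id: node-checksums
        run: |
          # Concatenate every package.json (sorted for a stable order) and hash the result;
          # the hash is part of the node cache key, so any manifest change misses the cache.
          find . -maxdepth 5 -type f -name 'package.json' -not -path "*node_modules*" -print0 | sort -z | xargs -0 cat > "$RUNNER_TEMP/package.checksum"
          checksum="$(md5sum "$RUNNER_TEMP/package.checksum" | cut -f1 -d' ')"
          echo "PACKAGE_JSON_CHECKSUM=${checksum}"
          echo "PACKAGE_JSON_CHECKSUM=${checksum}" >> "$GITHUB_OUTPUT"
      - name: Restore node cache
        uses: actions/cache@v3
        id: cache_node
        with:
          # We need to cache all the artifacts generated by yarn install+build
          # Update this list also in .github/actions/sync-workspace/action.yml with exactly the same list
          path: |
            ./.yarn/cache
            node_modules
            app/**/node_modules
            packages/**/node_modules
            examples/docs/node_modules
          key: node-${{ runner.os }}-${{ runner.arch }}-${{ env.NODE_MODULE_CACHE_VERSION }}-${{ hashFiles('yarn.lock') }}-${{ steps.node-checksums.outputs.PACKAGE_JSON_CHECKSUM }}
          restore-keys: |
            node-${{ runner.os }}-${{ runner.arch }}-${{ env.NODE_MODULE_CACHE_VERSION }}-
      # We use cache to share the build artifacts between jobs (gh artifacts are too slow...)
      # For more context check https://github.com/actions/upload-artifact/issues/199
      - name: Restore build artifacts cache
        uses: actions/cache@v3
        id: cache_build_artifacts
        with:
          # We need to cache all the artifacts generated by yarn install+build
          # Update this list also in .github/actions/sync-workspace/action.yml with exactly the same list
          path: |
            packages/**/lib
            packages/**/dist
            apps/**/dist
          key: code-${{ github.sha }}
          # Same value as `key`: the build cache is never shared across commits.
          restore-keys: |
            code-${{ github.sha }}
      - name: "enable corepack"
        run: sudo corepack enable yarn
      - name: Install yarn dependencies
        # skip check due to YN0078: │ Invalid resolution @celo/odis-identifiers@npm:^1.0.0 → npm:1.0.0
        run: git config --global url."https://".insteadOf ssh:// && yarn install --no-check-resolutions
      - name: Fail if any file changed on git
        run: |
          # Refresh stat information first so a fresh checkout is not reported as dirty,
          # then compare HEAD with the working tree. `--quiet` is required: without it
          # diff-index always exits 0 and this check can never fire.
          git update-index -q --refresh
          if ! git diff-index --quiet HEAD --; then
            echo "Git changes detected while building. If this is unexpected, bump NODE_MODULE_CACHE_VERSION in .github/workflows/social-connect.yml"
            exit 1
          fi
      - name: Build packages
        run: yarn build
      - name: Check licenses
        # Only worth re-running when the dependency set was actually (re)installed.
        if: steps.cache_node.outputs.cache-hit != 'true'
        run: |
          yarn check-licenses

  lint-checks:
    name: Lint code
    runs-on: ['self-hosted', 'org', '8-cpu']
    container:
      image: us-west1-docker.pkg.dev/devopsre/actions-runner-controller/celo-monorepo:node18
    timeout-minutes: 30
    needs: install-dependencies
    steps:
      # Restore .git cache as we need to checkout the local composite action to run it:
      # https://github.com/orgs/community/discussions/11771
      - uses: actions/cache/restore@v3
        id: cache_git
        with:
          path: .git
          key: git-${{ github.ref }}
      - uses: actions/checkout@v4
      - name: Sync workspace
        uses: ./.github/actions/sync-workspace
        with:
          package-json-checksum: ${{ needs.install-dependencies.outputs.package-json-checksum }}
      - run: yarn run prettify:diff
      - run: yarn run lint
      - name: Dump GitHub context
        # Use to debug github event and check user ids
        if: false
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: |
          echo "$GITHUB_CONTEXT"
      - name: Filter paths
        id: changes
        uses: dorny/paths-filter@v2
        with:
          list-files: 'shell'
          filters: |
            markdown:
              - added|deleted|modified: "((**/*.md)|(**.md))"
            others:
              - added|deleted|modified: "!((**/*.md)|(**.md))"
      - name: Find ChangeSet in PR
        uses: peter-evans/find-comment@v2
        id: fc
        # Skip if author is github-bot from celo-org or only md files changed
        if: github.event_name == 'pull_request' && github.event.pull_request.user.type != 'Bot' && steps.changes.outputs.others == 'true'
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body-includes: Changeset detected
          comment-author: changeset-bot[bot]
      - name: Fail if Changeset commit not found
        # Skip if author is github-bot from celo-org or only md files changed
        if: github.event_name == 'pull_request' && github.event.pull_request.user.type != 'Bot' && steps.changes.outputs.others == 'true'
        env:
          # Evaluated by the expression engine (an unset comment-id compares equal to 0),
          # so the shell only ever sees the literal string 'true' or 'false'.
          CHANGESET_FOUND: ${{ steps.fc.outputs.comment-id != 0 }}
        run: |
          if [ "${CHANGESET_FOUND}" != "true" ]; then
            echo "Error: No Changeset Found. You can create an empty changeset with 'yarn cs add --empty'" && exit 1
          else
            echo "Changeset Found"
          fi

  general-test:
    name: General (identity + encrypted-backup) test
    runs-on: ['self-hosted', 'org', '8-cpu']
    container:
      image: us-west1-docker.pkg.dev/devopsre/actions-runner-controller/celo-monorepo:node18
    # Same bound as the other jobs so a hung test run cannot hold the self-hosted runner.
    timeout-minutes: 30
    needs: install-dependencies
    steps:
      - uses: actions/cache/restore@v3
        id: cache_git
        with:
          path: .git
          key: git-${{ github.ref }}
      - uses: actions/checkout@v4
      - name: Sync workspace
        uses: ./.github/actions/sync-workspace
        with:
          package-json-checksum: ${{ needs.install-dependencies.outputs.package-json-checksum }}
      - name: Run Odis Identifier Tests
        run: |
          yarn --cwd=packages/odis-identifiers test
      - name: Run Encrypted Backup tests
        run: |
          yarn --cwd=packages/encrypted-backup test
      - name: Run Identity Tests
        run: |
          yarn --cwd=packages/identity test
      - name: Upload Jest Test Results
        uses: actions/upload-artifact@v3
        with:
          name: Jest Test Results
          path: test-results/jest

  combiner-test:
    name: Combiner test
    runs-on: ['self-hosted', 'org', '8-cpu']
    container:
      image: us-west1-docker.pkg.dev/devopsre/actions-runner-controller/celo-monorepo:node18
    timeout-minutes: 30
    needs: install-dependencies
    # Always on main/staging/production targets; otherwise only when the combiner
    # or the root manifests changed (paths are matched as ',<path>' — see outputs above).
    if: |
      github.base_ref == 'main' || contains(github.base_ref, 'staging') || contains(github.base_ref, 'production') ||
      contains(needs.install-dependencies.outputs.all_modified_files, 'apps/combiner') ||
      contains(needs.install-dependencies.outputs.all_modified_files, ',package.json') ||
      contains(needs.install-dependencies.outputs.all_modified_files, ',yarn.lock')
    steps:
      - uses: actions/cache/restore@v3
        id: cache_git
        with:
          path: .git
          key: git-${{ github.ref }}
      - uses: actions/checkout@v4
      - name: Sync workspace
        uses: ./.github/actions/sync-workspace
        with:
          package-json-checksum: ${{ needs.install-dependencies.outputs.package-json-checksum }}
      - name: Run Tests for combiner
        run: |
          yarn --cwd=apps/combiner test:coverage

  odis-test:
    name: ODIS (signer + common) test
    needs: install-dependencies
    runs-on: ['self-hosted', 'org', '8-cpu']
    container:
      image: us-west1-docker.pkg.dev/devopsre/actions-runner-controller/celo-monorepo:node18
    timeout-minutes: 30
    # Always on main/staging/production targets; otherwise only when a package,
    # the signer, or the root manifests changed.
    if: |
      github.base_ref == 'main' || contains(github.base_ref, 'staging') || contains(github.base_ref, 'production') ||
      contains(needs.install-dependencies.outputs.all_modified_files, 'packages') ||
      contains(needs.install-dependencies.outputs.all_modified_files, 'apps/signer') ||
      contains(needs.install-dependencies.outputs.all_modified_files, ',package.json') ||
      contains(needs.install-dependencies.outputs.all_modified_files, ',yarn.lock')
    steps:
      - uses: actions/cache/restore@v3
        id: cache_git
        with:
          path: .git
          key: git-${{ github.ref }}
      - uses: actions/checkout@v4
      - name: Sync workspace
        uses: ./.github/actions/sync-workspace
        with:
          package-json-checksum: ${{ needs.install-dependencies.outputs.package-json-checksum }}
      - name: Run Tests for common package
        run: |
          yarn --cwd=packages/common test:coverage
      - name: Run Tests for signer
        run: |
          yarn --cwd=apps/signer test:coverage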