ci(deps): Bump the actions-org group across 1 directory with 2 updates #120
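---
# CI pipeline for this action: security scanning, license compliance, type
# check, lint, unit tests, build/package verification, an integration test of
# the action itself, and a single gate job for branch protection.
#
# Every third-party action is pinned to a full commit SHA; the trailing comment
# records the release tag that SHA corresponds to.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Workflow-wide default for GITHUB_TOKEN: read-only contents and nothing else.
# A job-level `permissions` block replaces this set entirely, so the jobs that
# need more (SARIF upload, pull-request reads) declare their own complete set.
permissions:
  contents: read

# One live run per workflow + ref; a newer push supersedes the in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  FORCE_COLOR: 1
  NODE_OPTIONS: --max-old-space-size=4096
  # Environment values reach the runner as strings; quoted so YAML does not
  # type them as bool/int and tooling does not rewrite them.
  CI: "true"
  VITEST_MIN_COVERAGE: "80"

jobs:
  security-scan:
    name: Security Scanning (Node.js ${{ matrix.node-version }})
    runs-on: ubuntu-latest
    # The only job that writes to the code-scanning API (Security tab).
    # `actions: read` is required by upload-sarif on private repositories.
    permissions:
      contents: read
      security-events: write
      actions: read
    strategy:
      fail-fast: false
      matrix:
        node-version: [22, 24]
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Full history so the secret scan covers past commits, not only HEAD.
          fetch-depth: 0

      - name: Setup pnpm
        uses: pnpm/action-setup@f2b2b233b538f500472c7274c7012f57857d8ce0 # v4.1.0

      - name: Setup Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: ${{ matrix.node-version }}

      - name: Setup mise
        uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
        with:
          install: true
          cache: true

      # Filesystem scan of the checkout (lockfiles, config, IaC). Findings are
      # reported through SARIF; the step itself does not fail the job.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
          # Distinct category per tool so the two SARIF uploads in this job
          # are tracked as separate analyses.
          category: 'trivy-fs'

      # The gitleaks binary is fetched from the upstream release and verified
      # against a pinned checksum before it is executed. Findings fail the job
      # (gitleaks exits non-zero on leaks) instead of being downgraded to a
      # warning, and `--redact` keeps matched secret values out of the report
      # and the job log.
      - name: Run secret detection with GitLeaks
        env:
          GITLEAKS_VERSION: "8.28.0"
          # TODO(review): replace the placeholder with the sha256 published in
          # the v8.28.0 release assets for gitleaks_8.28.0_linux_x64.tar.gz.
          GITLEAKS_SHA256: "<EXPECTED_SHA256_OF_gitleaks_8.28.0_linux_x64.tar.gz>"
        run: |
          set -euo pipefail
          echo "Installing gitleaks for secret detection..."
          curl -sSfL -o gitleaks.tar.gz \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          echo "${GITLEAKS_SHA256}  gitleaks.tar.gz" | sha256sum -c -
          tar xzf gitleaks.tar.gz
          chmod +x gitleaks
          echo "Scanning for secrets in repository..."
          ./gitleaks detect --source . --verbose --redact \
            --report-format sarif --report-path gitleaks-report.sarif
          echo "Secret detection scan completed"

      - name: Upload GitLeaks scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1
        if: always()
        with:
          sarif_file: 'gitleaks-report.sarif'
          category: 'gitleaks'

  license-compliance:
    name: License Compliance (Node.js ${{ matrix.node-version }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        node-version: [22, 24]
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Setup pnpm
        uses: pnpm/action-setup@f2b2b233b538f500472c7274c7012f57857d8ce0 # v4.1.0

      - name: Setup Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: ${{ matrix.node-version }}

      - name: Setup mise
        uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
        with:
          install: true
          cache: true

      - name: Install dependencies
        # --frozen-lockfile: fail rather than silently resolve a drifted lockfile.
        run: pnpm install --frozen-lockfile

      - name: Validate dependency licenses
        run: pnpm run license-check

  # Warms the pnpm store cache once; dependent jobs restore it by the key
  # exported here.
  setup:
    name: Setup and Cache
    runs-on: ubuntu-latest
    outputs:
      cache-key: ${{ steps.cache-keys.outputs.cache-key }}
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Setup mise
        uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
        with:
          install: true
          cache: true

      - name: Generate cache keys
        id: cache-keys
        # Key is derived from the lockfile so any dependency change invalidates it.
        run: |
          echo "cache-key=node-modules-${{ hashFiles('pnpm-lock.yaml') }}" >> "$GITHUB_OUTPUT"

      - name: Cache node modules
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.2.4
        with:
          path: ~/.pnpm-store
          key: ${{ steps.cache-keys.outputs.cache-key }}
          restore-keys: |
            node-modules-

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

  typecheck:
    name: Type Check
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Setup mise
        uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
        with:
          install: true
          cache: true

      - name: Cache node modules
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.2.4
        with:
          path: ~/.pnpm-store
          key: ${{ needs.setup.outputs.cache-key }}
          restore-keys: |
            node-modules-

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Run type checking
        run: pnpm run check

  lint:
    name: Lint & Format
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Setup mise
        uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
        with:
          install: true
          cache: true

      - name: Cache node modules
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.2.4
        with:
          path: ~/.pnpm-store
          key: ${{ needs.setup.outputs.cache-key }}
          restore-keys: |
            node-modules-

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Check formatting
        run: pnpm run format:check

      - name: Run linter
        # Warnings are treated as failures.
        run: pnpm run lint --max-warnings=0

  test:
    name: Test (Node.js ${{ matrix.node-version }})
    runs-on: ubuntu-latest
    needs: setup
    strategy:
      fail-fast: false
      matrix:
        node-version: [22, 24]
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Setup pnpm
        uses: pnpm/action-setup@f2b2b233b538f500472c7274c7012f57857d8ce0 # v4.1.0

      - name: Setup Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: ${{ matrix.node-version }}

      - name: Cache node modules
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.2.4
        with:
          path: ~/.pnpm-store
          key: ${{ needs.setup.outputs.cache-key }}
          restore-keys: |
            node-modules-

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Run tests with coverage
        run: pnpm run test:coverage

      - name: Upload coverage to Codecov
        # One upload per run is enough; the Node 22 leg is the canonical one.
        if: matrix.node-version == 22
        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./coverage/lcov.info
          # Coverage upload problems (e.g. no token on fork PRs) must not fail CI.
          fail_ci_if_error: false
          verbose: true

  build:
    name: Build & Package
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Setup mise
        uses: jdx/mise-action@5ac50f778e26fac95da98d50503682459e86d566 # v3.2.0
        with:
          install: true
          cache: true

      - name: Cache node modules
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.2.4
        with:
          path: ~/.pnpm-store
          key: ${{ needs.setup.outputs.cache-key }}
          restore-keys: |
            node-modules-

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Build TypeScript
        run: pnpm run build

      - name: Package action
        run: pnpm run package

      # Guards against a dist/ that does not match the sources it was built
      # from. The intent-to-add step makes files the build created but nobody
      # committed show up in the diff as well; a plain `git diff` ignores
      # untracked files.
      - name: Verify dist is up to date
        run: |
          git add --intent-to-add dist/
          if ! git diff --ignore-space-at-eol --text --quiet -- dist/; then
            echo "::error::Detected uncommitted changes after build. Please run 'pnpm run build && pnpm run package' and commit the changes."
            echo "Changed files:"
            git diff --ignore-space-at-eol --text --name-only -- dist/
            echo "Diff:"
            git diff --ignore-space-at-eol --text -- dist/
            exit 1
          fi

      - name: Upload build artifacts
        uses: actions/upload-artifact@de65e23aa2b7e23d713bb51fbfcb6d502f8667d8 # v4.6.2
        with:
          name: dist-${{ github.sha }}
          path: |
            dist/
            coverage/
          retention-days: 30

  integration-test:
    name: Integration Test
    runs-on: ubuntu-latest
    needs: [build]
    # Job-level permissions replace the workflow default, so contents: read is
    # restated here alongside the pull-request read the action under test uses.
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Download build artifacts
        uses: actions/download-artifact@abefc31eafcfbdf6c5336127c1346fdae79ff41c # v5.0.0
        with:
          name: dist-${{ github.sha }}
          path: dist/

      - name: Test action
        uses: ./
        id: filter
        with:
          filters: |
            workflows:
              - '.github/workflows/**'
            src:
              - 'src/**'
            tests:
              - '__tests__/**'
            docs:
              - '*.md'
              - 'docs/**'

      - name: Display results
        # Step outputs (including a list of changed file names) are passed
        # through the environment and expanded by the shell at run time, so
        # their content is never interpolated into the script text itself.
        env:
          WORKFLOWS: ${{ steps.filter.outputs.workflows }}
          WORKFLOWS_COUNT: ${{ steps.filter.outputs.workflows_count }}
          WORKFLOWS_FILES: ${{ steps.filter.outputs.workflows_files }}
          SRC: ${{ steps.filter.outputs.src }}
          SRC_COUNT: ${{ steps.filter.outputs.src_count }}
          TESTS: ${{ steps.filter.outputs.tests }}
          TESTS_COUNT: ${{ steps.filter.outputs.tests_count }}
          DOCS: ${{ steps.filter.outputs.docs }}
          DOCS_COUNT: ${{ steps.filter.outputs.docs_count }}
          CHANGES: ${{ steps.filter.outputs.changes }}
        run: |
          {
            echo "## Integration Test Results";
            echo "";
            echo "| Filter | Changed | Count | Files |";
            echo "|--------|---------|-------|-------|";
            echo "| Workflows | ${WORKFLOWS} | ${WORKFLOWS_COUNT} | ${WORKFLOWS_FILES} |";
            echo "| Source | ${SRC} | ${SRC_COUNT} | - |";
            echo "| Tests | ${TESTS} | ${TESTS_COUNT} | - |";
            echo "| Docs | ${DOCS} | ${DOCS_COUNT} | - |";
            echo "| Changes | ${CHANGES} | - | - |";
          } >> "$GITHUB_STEP_SUMMARY"

  # Single status check for branch protection. Runs even when an upstream job
  # failed or was skipped (`always()`), and fails unless every job succeeded.
  all-checks:
    name: All Checks Passed
    runs-on: ubuntu-latest
    needs: [security-scan, license-compliance, typecheck, lint, test, build, integration-test]
    if: always()
    steps:
      - name: Check all jobs
        env:
          # Serialised `needs` context: { "<job>": { "result": ..., "outputs": ... }, ... }
          NEEDS_JSON: ${{ toJSON(needs) }}
        run: |
          failed="$(jq -r 'to_entries[] | select(.value.result != "success") | "\(.key): \(.value.result)"' <<< "$NEEDS_JSON")"
          if [ -n "$failed" ]; then
            echo "::error::One or more jobs did not succeed:"
            echo "$failed"
            exit 1
          fi
          echo "All security and quality checks passed!"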