Merge pull request #3228 from defencedigital/ci/handle-forks

ci(GHA): Improve handling of PRs from forks
Royal-Navy · Apr 13, 2022 · 4728697 · 4728697
2 parents 6459d91 + 6bd055c
commit 4728697
Show file tree

Hide file tree

Showing 12 changed files with 290 additions and 185 deletions.
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
diff --git a/.github/workflows/branch_deploy.yml b/.github/workflows/branch_deploy.yml
@@ -13,42 +13,42 @@ jobs:
     env:
       PREVIEW_URL: https://deploy-preview--infallible-goldstine-0b7659.netlify.app
     steps:
-    - name: Git clone repository
-      uses: actions/checkout@v2
-
-    - name:  Fetch all commits
-      run: git fetch --all
-
-    - name: Remove deploy preview branch if it exists
-      run: |
-        result=$((git branch --all) 2>&1)
-        if [[  `echo $result` == *"deploy/preview"* ]];
-          then
-            git push origin --delete deploy/preview;
-          else
-            echo "deploy/preview branch does not exist";
-        fi
-
-    - name: Checkout preview branch
-      run: |
-        git checkout ${{ github.event.inputs.preview_branch }}
-        git fetch
-        git checkout -b deploy/preview
-        git fetch
-
-    - name: Merge into deploy/preview branch
-      run: |
-        git merge ${{ github.event.inputs.preview_branch }}
-
-    - name: Push deploy_preview branch
-      run: |
-        git push origin deploy/preview
-
-    - name: Deploy preview branch
-      run: |
-        curl -X POST -d {} ${{ secrets.BRANCH_DEPLOY_TOKEN }}
-
-    - name: Check deployment
-      run: |
-        timeout 900 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' ${PREVIEW_URL})" != "200" ]]; do sleep 30; done' || false
-        echo "The branch is deployed & ready to preview - ${PREVIEW_URL}"
+      - name: Git clone repository
+        uses: actions/checkout@v3
+
+      - name: Fetch all commits
+        run: git fetch --all
+
+      - name: Remove deploy preview branch if it exists
+        run: |
+          result=$((git branch --all) 2>&1)
+          if [[  `echo $result` == *"deploy/preview"* ]];
+            then
+              git push origin --delete deploy/preview;
+            else
+              echo "deploy/preview branch does not exist";
+          fi
+
+      - name: Checkout preview branch
+        run: |
+          git checkout ${{ github.event.inputs.preview_branch }}
+          git fetch
+          git checkout -b deploy/preview
+          git fetch
+
+      - name: Merge into deploy/preview branch
+        run: |
+          git merge ${{ github.event.inputs.preview_branch }}
+
+      - name: Push deploy_preview branch
+        run: |
+          git push origin deploy/preview
+
+      - name: Deploy preview branch
+        run: |
+          curl -X POST -d {} ${{ secrets.BRANCH_DEPLOY_TOKEN }}
+
+      - name: Check deployment
+        run: |
+          timeout 900 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' ${PREVIEW_URL})" != "200" ]]; do sleep 30; done' || false
+          echo "The branch is deployed & ready to preview - ${PREVIEW_URL}"
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -12,16 +12,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Git clone repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Cache Node modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: '**/node_modules'
-          key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}
 
       - name: Cache Cypress binary
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ~/.cache/Cypress
           key: cypress-${{ runner.os }}-cypress-${{ hashFiles('**/yarn.lock') }}
@@ -43,7 +43,7 @@ jobs:
           tar -czvf dist.tar.gz distil distdt
 
       - name: Persist artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: dist
           path: ./dist.tar.gz
@@ -52,7 +52,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Git clone repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Run audit
         run: yarn run audit
@@ -63,13 +63,13 @@ jobs:
     if: ${{ github.event_name == 'pull_request' }}
     steps:
       - name: Git clone repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Cache Node modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: '**/node_modules'
-          key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}
 
       - name: check commits
         run: |
@@ -80,13 +80,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Git clone repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Cache Node modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: '**/node_modules'
-          key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}
 
       - name: Get dependencies & run lint
         run: |
@@ -98,16 +98,16 @@ jobs:
     needs: [Build_icon_library, Lint_react-component-library]
     steps:
       - name: Git clone repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Cache Node modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: '**/node_modules'
-          key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}
 
       - name: Attach workspace
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: dist
 
@@ -121,7 +121,7 @@ jobs:
 
       - name: SonarCloud Scan
         uses: defencedigital/design-system-sonarcloud-action@master
-        if: ${{ github.actor != 'dependabot[bot]' }}
+        if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -134,24 +134,24 @@ jobs:
         browser: ['chrome', 'firefox']
     steps:
       - name: Git clone repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Cache Node modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: '**/node_modules'
-          key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}
 
       - name: Cache Cypress binary
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ~/.cache/Cypress
           key: cypress-${{ runner.os }}-cypress-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             cypress-${{ runner.os }}-cypress-
 
       - name: Attach workspace
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: dist
 
@@ -183,16 +183,16 @@ jobs:
     needs: [Build_icon_library, Lint_react-component-library]
     steps:
       - name: Git clone repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Cache Node modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: '**/node_modules'
-          key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}
 
       - name: Attach workspace
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: dist
 
@@ -206,42 +206,54 @@ jobs:
     needs: [Build_icon_library]
     steps:
       - name: Git clone repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Cache Node modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: '**/node_modules'
-          key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}
 
       - name: Jest design-tokens
         run: |
           yarn --cwd packages/design-tokens build
           yarn --cwd packages/design-tokens test
 
-  Test_visual_regression:
+  # See post_built_and_test.yml for details about how this is used
+  Build_storybook:
     runs-on: ubuntu-latest
-    needs: [Build_icon_library, Test_react-component-library]
-    # https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
-    if: ${{ github.actor != 'dependabot[bot]' }}
+    needs: [Build_icon_library]
     steps:
       - name: Git clone repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
       - name: Cache Node modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: '**/node_modules'
-          key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}
 
       - name: Attach workspace
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: dist
 
-      - name: Run visual regression tests
+      - name: Build Storybook
+        env:
+          CHROMATIC_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+          CHROMATIC_BRANCH: ${{ github.head_ref || github.ref_name }}
+          CHROMATIC_SLUG: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
         run: |
           tar -xzf dist.tar.gz && mv distil packages/icon-library/dist && mv distdt packages/design-tokens/dist
-          yarn --cwd packages/react-component-library chromatic --project-token=${{secrets.CHROMATIC_TOKEN}} --ci
+          yarn --cwd packages/react-component-library storybook:static
+          echo "$CHROMATIC_SHA" > packages/react-component-library/.static_storybook/sha
+          echo "$CHROMATIC_BRANCH" > packages/react-component-library/.static_storybook/branch
+          echo "$CHROMATIC_SLUG" > packages/react-component-library/.static_storybook/slug
+
+      - name: Upload Storybook artefact
+        uses: actions/upload-artifact@v3
+        with:
+          name: storybook-static
+          path: packages/react-component-library/.static_storybook
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,38 @@
+name: 'CodeQL security scan'
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+  schedule:
+    - cron: '16 9 * * 5'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['typescript']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v2