Add workflows

myrotvorets · Feb 25, 2024 · b4e9b99 · b4e9b99
1 parent 993b9bd
commit b4e9b99
Show file tree

Hide file tree

Showing 12 changed files with 1,039 additions and 2,111 deletions.
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
@@ -0,0 +1,10 @@
+name: CodeQL Config
+
+paths:
+  - lib
+
+paths-ignore:
+  - node_modules
+
+queries:
+  - uses: security-and-quality
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -0,0 +1,6 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "local>myrotvorets/.github:renovate-config"
+    ]
+}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,45 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: Build and Test
+
+on:
+  push:
+    branches:
+      - "**"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build and test (Node ${{ matrix.node.name }})
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node:
+          - { name: Current,      version: current }
+          - { name: LTS,          version: lts/* }
+          - { name: Previous LTS, version: lts/-1 }
+    steps:
+      - name: Build and test
+        uses: myrotvorets/composite-actions/build-test-nodejs@master
+        with:
+          node-version: ${{ matrix.node.version }}
+
+  lint:
+    name: Check Code Style
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run code style check
+        uses: myrotvorets/composite-actions/node-run-script@master
+        with:
+          script: lint
+
+  typecheck:
+    name: Check Types
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run type check
+        uses: myrotvorets/composite-actions/node-run-script@master
+        with:
+          script: typecheck
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,43 @@
+name: CodeQL Analysis
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+    paths:
+      - "lib/**.ts"
+      - ".github/workflows/codeql-analysis.yml"
+  schedule:
+    - cron: '24 2 * * 6'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Static Code Analysis with CodeQL
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - javascript
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,26 @@
+name: Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    name: Review Dependencies
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+
+      - name: Check out the source code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Review dependencies
+        uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -0,0 +1,57 @@
+name: Publish Package
+
+on:
+  release:
+    types:
+      - released
+  workflow_dispatch:
+    inputs:
+      npm:
+        default: "yes"
+        description: Publish to NPM?
+        required: true
+      gpr:
+        default: "yes"
+        description: Publish to GPR?
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  prepare:
+    name: Prepare source code
+    runs-on: ubuntu-latest
+    if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes'
+    steps:
+      - name: Prepare source
+        uses: myrotvorets/composite-actions/node-prepublish@master
+
+  publish:
+    name: Publish package (${{ matrix.registry }})
+    runs-on: ubuntu-latest
+    needs: prepare
+    permissions:
+      contents: read
+      packages: write
+      statuses: write
+      id-token: write
+    strategy:
+      matrix:
+        registry:
+          - npm
+          - gpr
+        include:
+          - registry: npm
+            secret: NPM_TOKEN
+            registry_url: https://registry.npmjs.org/
+          - registry: gpr
+            secret: GITHUB_TOKEN
+            registry_url: https://npm.pkg.github.com/
+    steps:
+      - name: Publish package
+        uses: myrotvorets/composite-actions/node-publish@master
+        with:
+          node-auth-token: ${{ secrets[matrix.secret] }}
+          registry-url: ${{ matrix.registry_url }}
+        if: github.event.inputs[matrix.registry] == 'yes' || github.event_name == 'release'
diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
@@ -0,0 +1,22 @@
+name: Package Audit
+
+on:
+  push:
+    branches:
+      - '**'
+    paths:
+      - package.json
+      - package-lock.json
+      - .github/workflows/package-audit.yml
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  audit-npm:
+    name: NPM Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Audit with NPM
+        uses: myrotvorets/composite-actions/node-package-audit@master
diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml
@@ -0,0 +1,34 @@
+name: Pre-release Testing
+
+on:
+  push:
+    tags:
+      - "**"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build and test
+        uses: myrotvorets/composite-actions/build-test-nodejs@master
+
+  release:
+    name: Prepare the release
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Create a release
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        with:
+          generate_release_notes: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.REPOSITORY_ACCESS_TOKEN }}
diff --git a/.github/workflows/sonarscan.yml b/.github/workflows/sonarscan.yml
@@ -0,0 +1,28 @@
+name: SonarCloud Analysis
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: SonarCloud Scan
+    runs-on: ubuntu-latest
+    if: |
+      github.event_name == 'workflow_dispatch' ||
+      github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' ||
+      github.event_name == 'push'
+    steps:
+      - name: Run SonarCloud analysis
+        uses: myrotvorets/composite-actions/node-sonarscan@master
+        with:
+          sonar-token: ${{ secrets.SONAR_TOKEN }}
+          test-script: 'test:coverage'