fix: override dependencies for vulnerabilities #101
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# https://help.github.com/en/categories/automating-your-workflow-with-github-actions | |
# See: https://github.com/JulianCataldo/gh-actions | |
# For matrix setup: | |
# https://github.com/withastro/astro/blob/main/.github/workflows/ci.yml | |
# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow | |
name: CI / Release | |
on: | |
workflow_dispatch: | |
push: | |
paths-ignore: | |
- .github/** | |
- '!.github/workflows/release.yaml' | |
- '**/*.md' | |
branches: | |
- '([0-9])?(.{+([0-9]),x}).x' | |
- main | |
- next | |
- next-major | |
- alpha | |
- beta | |
- 'feat/*' | |
- 'fix/*' | |
# - to-integrate | |
# - to-integrate-next | |
permissions: | |
contents: read # for checkout | |
jobs: | |
release: | |
name: CI / Release | |
permissions: | |
contents: write # to be able to publish a GitHub release | |
issues: write # to be able to comment on released issues | |
pull-requests: write # to be able to comment on released pull requests | |
id-token: write # to enable use of OIDC for npm provenance | |
runs-on: ubuntu-latest | |
# TODO: | |
# runs-on: ${{ matrix.os }} | |
# timeout-minutes: 25 | |
# # needs: build | |
# strategy: | |
# matrix: | |
# OS: [ubuntu-latest] | |
# NODE_VERSION: [18, 20] | |
# include: | |
# - os: macos-14 | |
# NODE_VERSION: 18 | |
# - os: windows-latest | |
# NODE_VERSION: 18 | |
# fail-fast: false | |
# env: | |
# NODE_VERSION: ${{ matrix.NODE_VERSION }} | |
steps: | |
# MARK: Setup GH Action | |
- name: 'Harden Runner' | |
uses: 'step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142' # v2.7.0 | |
with: | |
egress-policy: 'audit' | |
- name: Git checkout | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2 | |
# run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* | |
with: | |
fetch-depth: 0 | |
# - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* | |
# persist-credentials: false | |
# env: | |
# GIT_COMMITTER_NAME: "GitHub Actions Shell" | |
# GIT_AUTHOR_NAME: "GitHub Actions Shell" | |
# EMAIL: "github-actions[bot]@users.noreply.github.com" | |
# MARK: Setup Node env. | |
- name: Setup PNPM | |
uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0 | |
with: | |
run_install: false | |
- name: Use Node.js 22.2.0 | |
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
with: | |
# registry-url: "https://registry.npmjs.org" | |
node-version: 22.2.0 | |
cache: pnpm | |
- name: Install packages | |
shell: bash | |
run: pnpm install --frozen-lockfile | |
# TODO: More tests | |
# - name: Syncpack Lint | |
# shell: bash | |
# run: node --run syncpack:lint | |
# NOTE: Audit is for prod only because a lot of root packages (like lerna etc.) | |
# are used old packages with intricate dependency trees, and they are | |
# never shipped to the user. But that's not 100% optimal, as devDeps could | |
# provoke some sec issues, too? A middleground is better than nothing and | |
# regularly blocked releases for obscure root mono-repo tooling deps. | |
- name: 'Verify the integrity of provenance attestations and registry signatures for installed [prod] dependencies' | |
run: 'node --run audit' | |
# MARK: Lint/Checks pre-build | |
- name: Lint last commit — Commitlint | |
shell: bash | |
run: node --run lint:commit | |
# - name: Lint CSS — Stylelint | |
# shell: bash | |
# run: node --run lint:css | |
- name: Check all formatting — Prettier | |
shell: bash | |
run: node --run format | |
# MARK: Build packages | |
- name: Setup Turbo cache | |
uses: dtinth/setup-github-actions-caching-for-turbo@a0e976d970c2a94366a26984efcef3030e2c0115 # v1.2.0 | |
- name: Build all packages | |
shell: bash | |
run: node --run build | |
# MARK: Lint/Checks post-build | |
- name: Lint JS/TS — ESLint | |
shell: bash | |
run: node --run lint:es | |
# MARK:Tests | |
- name: Tests — Units | |
shell: bash | |
run: node --run test:unit | |
- name: Tests — Integration | |
shell: bash | |
run: node --run test:integration | |
# MARK: Publish packages | |
- name: Create temporary NPM identity # + Enable Provenance | |
env: | |
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
# run: | | |
# echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN\nprovenance=true" > .npmrc | |
# echo "provenance=true" > .npmrc | |
run: | | |
echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc | |
- name: Git user configuration | |
run: | | |
git config --global user.name "${{ github.actor }}" | |
git config --global user.email "${{ github.actor }}@users.noreply.github.com" | |
# MARK: [MAIN] | |
- name: 'Lerna publish [main]' | |
# if: github.ref == 'refs/heads/to-integrate' | |
if: github.ref == 'refs/heads/main' | |
# https://github.com/lerna/lerna/issues/2532 | |
id: graduateRelease | |
continue-on-error: true | |
env: | |
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' | |
NPM_TOKEN: '${{ secrets.NPM_TOKEN }}' # Not really needed (already global) | |
run: | | |
pnpm lerna publish --message 'chore: publish [main] release [skip ci]' --create-release=github --conventional-graduate --yes | |
- name: Bump Prod Version Fallback | |
if: ${{ always() && steps.graduateRelease.outcome == 'failure' }} | |
env: | |
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' | |
NPM_TOKEN: '${{ secrets.NPM_TOKEN }}' | |
run: | | |
echo Falling back to non-graduate release due to https://github.com/lerna/lerna/issues/2532 | |
git stash | |
pnpm lerna publish --message 'chore: publish [main] release [skip ci]' --create-release=github --yes | |
# # TRY: https://www.jessesquires.com/blog/2021/10/17/github-actions-workflows-for-automatic-rebasing-and-merging/ | |
# - name: Merge (rebase) back main into next | |
# env: | |
# GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' | |
# run: | | |
# git checkout next | |
# git rebase main | |
# git push | |
# MARK: [NEXT] | |
- name: 'Lerna publish [next]' | |
if: github.ref == 'refs/heads/next' | |
# if: github.ref == 'refs/heads/to-integrate-next' | |
env: | |
NPM_TOKEN: '${{ secrets.NPM_TOKEN }}' # Not really needed (already global) | |
# --canary next | |
# https://github.com/lerna/lerna/issues/1433 | |
# pnpm lerna publish --conventional-prerelease --dist-tag=next --preid=next --no-changelog --yes | |
# pnpm lerna publish --conventional-prerelease --pre-dist-tag=next --preid=next --yes | |
# pnpm lerna publish --force-publish='*' --canary --pre-dist-tag=next --preid=next --yes | |
run: | | |
pnpm lerna publish --message 'chore: publish [next] pre-release' --conventional-prerelease --pre-dist-tag=next --preid=next --yes |