Skip to content

fix: override dependencies for vulnerabilities #101

fix: override dependencies for vulnerabilities

fix: override dependencies for vulnerabilities #101

Workflow file for this run

# https://help.github.com/en/categories/automating-your-workflow-with-github-actions
# See: https://github.com/JulianCataldo/gh-actions
# For matrix setup:
# https://github.com/withastro/astro/blob/main/.github/workflows/ci.yml
# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow
name: CI / Release
on:
workflow_dispatch:
push:
paths-ignore:
- .github/**
- '!.github/workflows/release.yaml'
- '**/*.md'
branches:
- '([0-9])?(.{+([0-9]),x}).x'
- main
- next
- next-major
- alpha
- beta
- 'feat/*'
- 'fix/*'
# - to-integrate
# - to-integrate-next
permissions:
contents: read # for checkout
jobs:
release:
name: CI / Release
permissions:
contents: write # to be able to publish a GitHub release
issues: write # to be able to comment on released issues
pull-requests: write # to be able to comment on released pull requests
id-token: write # to enable use of OIDC for npm provenance
runs-on: ubuntu-latest
# TODO:
# runs-on: ${{ matrix.os }}
# timeout-minutes: 25
# # needs: build
# strategy:
# matrix:
# OS: [ubuntu-latest]
# NODE_VERSION: [18, 20]
# include:
# - os: macos-14
# NODE_VERSION: 18
# - os: windows-latest
# NODE_VERSION: 18
# fail-fast: false
# env:
# NODE_VERSION: ${{ matrix.NODE_VERSION }}
steps:
# MARK: Setup GH Action
- name: 'Harden Runner'
uses: 'step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142' # v2.7.0
with:
egress-policy: 'audit'
- name: Git checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
# run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
with:
fetch-depth: 0
# - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
# persist-credentials: false
# env:
# GIT_COMMITTER_NAME: "GitHub Actions Shell"
# GIT_AUTHOR_NAME: "GitHub Actions Shell"
# EMAIL: "github-actions[bot]@users.noreply.github.com"
# MARK: Setup Node env.
- name: Setup PNPM
uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
with:
run_install: false
- name: Use Node.js 22.2.0
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
# registry-url: "https://registry.npmjs.org"
node-version: 22.2.0
cache: pnpm
- name: Install packages
shell: bash
run: pnpm install --frozen-lockfile
# TODO: More tests
# - name: Syncpack Lint
# shell: bash
# run: node --run syncpack:lint
# NOTE: Audit is for prod only because a lot of root packages (like lerna etc.)
# are used old packages with intricate dependency trees, and they are
# never shipped to the user. But that's not 100% optimal, as devDeps could
# provoke some sec issues, too? A middleground is better than nothing and
# regularly blocked releases for obscure root mono-repo tooling deps.
- name: 'Verify the integrity of provenance attestations and registry signatures for installed [prod] dependencies'
run: 'node --run audit'
# MARK: Lint/Checks pre-build
- name: Lint last commit — Commitlint
shell: bash
run: node --run lint:commit
# - name: Lint CSS — Stylelint
# shell: bash
# run: node --run lint:css
- name: Check all formatting — Prettier
shell: bash
run: node --run format
# MARK: Build packages
- name: Setup Turbo cache
uses: dtinth/setup-github-actions-caching-for-turbo@a0e976d970c2a94366a26984efcef3030e2c0115 # v1.2.0
- name: Build all packages
shell: bash
run: node --run build
# MARK: Lint/Checks post-build
- name: Lint JS/TS — ESLint
shell: bash
run: node --run lint:es
# MARK:Tests
- name: Tests — Units
shell: bash
run: node --run test:unit
- name: Tests — Integration
shell: bash
run: node --run test:integration
# MARK: Publish packages
- name: Create temporary NPM identity # + Enable Provenance
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
# run: |
# echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN\nprovenance=true" > .npmrc
# echo "provenance=true" > .npmrc
run: |
echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc
- name: Git user configuration
run: |
git config --global user.name "${{ github.actor }}"
git config --global user.email "${{ github.actor }}@users.noreply.github.com"
# MARK: [MAIN]
- name: 'Lerna publish [main]'
# if: github.ref == 'refs/heads/to-integrate'
if: github.ref == 'refs/heads/main'
# https://github.com/lerna/lerna/issues/2532
id: graduateRelease
continue-on-error: true
env:
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
NPM_TOKEN: '${{ secrets.NPM_TOKEN }}' # Not really needed (already global)
run: |
pnpm lerna publish --message 'chore: publish [main] release [skip ci]' --create-release=github --conventional-graduate --yes
- name: Bump Prod Version Fallback
if: ${{ always() && steps.graduateRelease.outcome == 'failure' }}
env:
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
NPM_TOKEN: '${{ secrets.NPM_TOKEN }}'
run: |
echo Falling back to non-graduate release due to https://github.com/lerna/lerna/issues/2532
git stash
pnpm lerna publish --message 'chore: publish [main] release [skip ci]' --create-release=github --yes
# # TRY: https://www.jessesquires.com/blog/2021/10/17/github-actions-workflows-for-automatic-rebasing-and-merging/
# - name: Merge (rebase) back main into next
# env:
# GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
# run: |
# git checkout next
# git rebase main
# git push
# MARK: [NEXT]
- name: 'Lerna publish [next]'
if: github.ref == 'refs/heads/next'
# if: github.ref == 'refs/heads/to-integrate-next'
env:
NPM_TOKEN: '${{ secrets.NPM_TOKEN }}' # Not really needed (already global)
# --canary next
# https://github.com/lerna/lerna/issues/1433
# pnpm lerna publish --conventional-prerelease --dist-tag=next --preid=next --no-changelog --yes
# pnpm lerna publish --conventional-prerelease --pre-dist-tag=next --preid=next --yes
# pnpm lerna publish --force-publish='*' --canary --pre-dist-tag=next --preid=next --yes
run: |
pnpm lerna publish --message 'chore: publish [next] pre-release' --conventional-prerelease --pre-dist-tag=next --preid=next --yes