chore: Lock the versions of GitHub Actions used in workflows to SHA hashes, other security improvements #1052
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| permissions: read-all | |
| name: test | |
| on: | |
| push: | |
| branches: | |
| - "*" | |
| pull_request: | |
| branches: | |
| - "*" | |
| schedule: | |
| - cron: "0 0 * * 5" | |
| jobs: | |
| rubocop: | |
| name: RuboCop | |
| timeout-minutes: 30 | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Ruby | |
| uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0 | |
| with: | |
| ruby-version: ruby | |
| bundler-cache: true | |
| - name: Run RuboCop | |
| run: bundle exec rubocop | |
| test: | |
| name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.gemfile }} | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: | |
| - ubuntu-latest | |
| ruby: | |
| - "2.5" | |
| - "2.6" | |
| - "2.7" | |
| - "3.0" | |
| - "3.1" | |
| - "3.2" | |
| - "3.3" | |
| - "3.4" | |
| - "4.0" | |
| gemfile: | |
| - gemfiles/standalone.gemfile | |
| experimental: [false] | |
| include: | |
| - os: ubuntu-latest | |
| ruby: "2.5" | |
| gemfile: gemfiles/openssl.gemfile | |
| experimental: false | |
| - os: ubuntu-latest | |
| ruby: "truffleruby-head" | |
| gemfile: "gemfiles/standalone.gemfile" | |
| experimental: true | |
| - os: ubuntu-latest | |
| ruby: head | |
| gemfile: gemfiles/standalone.gemfile | |
| experimental: true | |
| continue-on-error: ${{ matrix.experimental }} | |
| env: | |
| BUNDLE_GEMFILE: ${{ matrix.gemfile }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Ruby | |
| uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0 | |
| with: | |
| ruby-version: ${{ matrix.ruby }} | |
| bundler-cache: true | |
| - name: Run tests | |
| run: bundle exec rspec | |
| - name: Sanitize gemfile path | |
| run: echo "SANITIZED_GEMFILE=${{ matrix.gemfile }}" | tr '/' '-' >> $GITHUB_ENV | |
| - name: Upload test coverage folder for later reporting | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: coverage-${{ matrix.os }}-${{ matrix.ruby }}-${{ env.SANITIZED_GEMFILE }} | |
| path: coverage/*.json | |
| retention-days: 1 | |
| coverage: | |
| name: Report coverage to Qlty | |
| runs-on: ubuntu-latest | |
| needs: test | |
| if: success() | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Download coverage reports from the test job | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| - uses: qltysh/qlty-action/coverage@a19242102d17e497f437d7466aa01b528537e899 # v2.2.0 | |
| with: | |
| token: ${{ secrets.QLTY_COVERAGE_TOKEN }} | |
| files: coverage-*/*.json | |
| smoke: | |
| name: Built GEM smoke test | |
| timeout-minutes: 30 | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Ruby | |
| uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0 | |
| with: | |
| ruby-version: ruby | |
| - name: Build GEM | |
| run: gem build | |
| - name: Install built GEM | |
| run: gem install jwt-*.gem | |
| - name: Run test | |
| run: bin/smoke.rb |