Skip to content

Commit eaa193d

Browse files
setup(ci): update + clean (#507)
1 parent cd44309 commit eaa193d

7 files changed

Lines changed: 48 additions & 66 deletions

File tree

.github/workflows/code-quality.yml

Lines changed: 15 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ name: Code Quality
66

77
on:
88
push:
9-
branches: ["*"]
9+
branches: ["main"]
1010
paths:
1111
- "recipes/**/*.js"
1212
- "recipes/**/*.ts"
@@ -15,7 +15,7 @@ on:
1515
- "utils/**/*.ts"
1616
- "utils/package.json"
1717
- "package.json"
18-
- ".github/workflows/ci.yml"
18+
- ".github/workflows/code-quality.yml"
1919
pull_request:
2020
branches: ["*"]
2121
paths:
@@ -26,7 +26,7 @@ on:
2626
- "utils/**/*.ts"
2727
- "utils/**/package.json"
2828
- "package.json"
29-
- ".github/workflows/ci.yml"
29+
- ".github/workflows/code-quality.yml"
3030
types:
3131
- opened
3232
- ready_for_review
@@ -37,39 +37,16 @@ permissions:
3737
contents: read
3838

3939
jobs:
40-
get-matrix:
41-
name: Get Node + OS matrix
42-
runs-on: ubuntu-latest
43-
44-
if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
45-
46-
outputs:
47-
latest: ${{ steps.set-matrix.outputs.requireds }}
48-
steps:
49-
- name: Harden the runner (Audit all outbound calls)
50-
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
51-
with:
52-
egress-policy: audit
53-
54-
- uses: ljharb/actions/node/matrix@7f214d8efdbdcefc96ad9689663ef387a195deec # main
55-
id: set-matrix
56-
with:
57-
versionsAsRoot: true
58-
type: majors
59-
preset: ">= 22" # glob is not backported below 22.x
60-
6140
lint-and-types:
6241
name: Lint & types
6342
runs-on: ubuntu-slim
64-
6543
if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
6644

6745
steps:
68-
# FIXME https://github.com/step-security/harden-runner/issues/627
69-
# - name: Harden the runner (Audit all outbound calls)
70-
# uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
71-
# with:
72-
# egress-policy: audit
46+
- name: Harden the runner (Audit all outbound calls)
47+
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
48+
with:
49+
egress-policy: audit
7350

7451
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
7552
with:
@@ -83,20 +60,19 @@ jobs:
8360
test:
8461
name: Before/After tests
8562
runs-on: ${{ matrix.os }}
86-
8763
if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
8864

8965
strategy:
9066
fail-fast: false
9167
matrix:
9268
os:
9369
- macos-latest
94-
- ubuntu-latest
70+
- ubuntu-slim
9571
- windows-latest
9672

9773
steps:
9874
- name: Harden the runner (Audit all outbound calls)
99-
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
75+
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
10076
with:
10177
egress-policy: audit
10278

@@ -106,7 +82,9 @@ jobs:
10682
persist-credentials: false
10783
show-progress: false
10884

85+
# ubuntu-slim already include lts node so we don't need to setup node on ubuntu-slim runner
10986
- name: Set up Node.js
87+
if: ${{ matrix.os != 'ubuntu-slim' }}
11088
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
11189
with:
11290
cache: "npm"
@@ -118,7 +96,7 @@ jobs:
11896
- name: Run tests related to changes
11997
shell: bash
12098
run: >
121-
changed_paths=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }})
99+
changed_paths=$(git diff --name-only ${{ github.event.pull_request.base.sha || github.event.before }} ${{ github.sha }})
122100
123101
# run everything?
124102
if echo "$changed_paths" | grep -qE '^(package\.json|\.github/workflows/ci\.yml|utils/)$'; then
@@ -129,8 +107,8 @@ jobs:
129107
# run for specific workspace(s)
130108
npm run test $(
131109
echo "$changed_paths" \
132-
| grep '^recipes/'
133-
| cut -d/ -f1,2
134-
| sort -u
110+
| grep '^recipes/' \
111+
| cut -d/ -f1,2 \
112+
| sort -u \
135113
| sed 's/^/--workspace=/'
136114
)

.github/workflows/codemod_publish.yml

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,9 +32,16 @@ jobs:
3232

3333
steps:
3434
- name: Harden Runner
35-
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
35+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
3636
with:
37-
egress-policy: audit
37+
egress-policy: block
38+
allowed-endpoints: >
39+
api.github.com:443
40+
app.codemod.com:443
41+
github.com:443
42+
registry.npmjs.org:443
43+
release-assets.githubusercontent.com:443
44+
us.i.posthog.com:443
3845
3946
- name: Checkout repository
4047
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

.github/workflows/dir-organisation.yml

Lines changed: 6 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,7 @@
11
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
22

3+
# For more information see: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow
4+
35
name: Code Quality
46

57
on:
@@ -18,20 +20,17 @@ permissions:
1820
pull-requests: read
1921

2022
jobs:
21-
2223
forbid-junkdrawer-tests:
2324
name: Test organisation
24-
2525
runs-on: ubuntu-slim
2626

2727
if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
2828

2929
steps:
30-
# FIXME https://github.com/step-security/harden-runner/issues/627
31-
# - name: Harden the runner (Audit all outbound calls)
32-
# uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
33-
# with:
34-
# egress-policy: audit
30+
- name: Harden the runner (Audit all outbound calls)
31+
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
32+
with:
33+
egress-policy: audit
3534

3635
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3736
with:

.github/workflows/lint-workflows.yml

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ name: Workflow Quality
66

77
on:
88
push:
9-
branches: ["*"]
9+
branches: ["main"]
1010
paths:
1111
- ".github/workflows/*.yml"
1212
- "recipes/*/*.yml"
@@ -25,20 +25,22 @@ permissions:
2525
contents: read
2626

2727
jobs:
28-
2928
validate-yaml:
3029
name: Validate YAML files
30+
runs-on: ubuntu-slim
3131

3232
if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
3333

34-
runs-on: ubuntu-latest
35-
3634
steps:
3735
- name: Harden the runner (Audit all outbound calls)
38-
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
36+
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
3937
with:
4038
egress-policy: audit
4139

4240
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
41+
42+
- name: Install yamllint
43+
run: pip install yamllint
44+
4345
- name: Validate YAML files
4446
run: yamllint -c .yamllint.yaml -f github ./

.github/workflows/pr.yml

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,7 @@ name: PR Quality
44

55
on:
66
pull_request:
7-
branches:
8-
- main
7+
branches: ["main"]
98
types:
109
- edited
1110
- opened
@@ -23,11 +22,10 @@ jobs:
2322
if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
2423

2524
steps:
26-
# FIXME https://github.com/step-security/harden-runner/issues/627
27-
# - name: Harden Runner
28-
# uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
29-
# with:
30-
# egress-policy: audit
25+
- name: Harden the runner (Audit all outbound calls)
26+
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
27+
with:
28+
egress-policy: audit
3129

3230
- name: Checkout
3331
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

.github/workflows/workflow-tests.yml

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ name: Workflow Quality
66

77
on:
88
push:
9-
branches: ["*"]
9+
branches: ["main"]
1010
paths:
1111
- ".github/workflows/*.yml"
1212
- ".github/scripts/*"
@@ -25,19 +25,17 @@ permissions:
2525
contents: read
2626

2727
jobs:
28-
2928
run-workflow-script-tests:
3029
name: Test scripts
3130
runs-on: ubuntu-slim
3231

3332
if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }}
3433

3534
steps:
36-
# FIXME https://github.com/step-security/harden-runner/issues/627
37-
# - name: Harden the runner (Audit all outbound calls)
38-
# uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
39-
# with:
40-
# egress-policy: audit
35+
- name: Harden the runner (Audit all outbound calls)
36+
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
37+
with:
38+
egress-policy: audit
4139

4240
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
4341
with:

.nvmrc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
24
1+
lts/*

0 commit comments

Comments
 (0)