Skip to content

chore(deps): Bump the github-actions group across 1 directory with 5 … #1728

chore(deps): Bump the github-actions group across 1 directory with 5 …

chore(deps): Bump the github-actions group across 1 directory with 5 … #1728

Workflow file for this run

name: CI
on:
push:
branches:
- main
pull_request:
branches:
- main
permissions: {}
jobs:
build:
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
fail-fast: false
runs-on: ${{ matrix.os }}
permissions:
contents: read
steps:
- name: Configure Git line endings
if: runner.os == 'Windows'
run: git config --global core.autocrlf false
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24'
cache: 'npm'
cache-dependency-path: package-lock.json
# Install at root level for npm workspaces
- name: Install dependencies
run: npm ci
- name: Lint
run: npm run lint
working-directory: extensions/git-id-switcher
- name: Compile
run: npm run compile
working-directory: extensions/git-id-switcher
- name: Run tests with coverage
run: npm run test:coverage
working-directory: extensions/git-id-switcher
- name: Upload coverage to Codecov
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
with:
directory: extensions/git-id-switcher/coverage
fail_ci_if_error: false
- name: Package
run: npm run package
working-directory: extensions/git-id-switcher
- name: Verify VSIX created
shell: bash
run: ls -la extensions/git-id-switcher/*.vsix
- name: Verify package.json URLs (anti-impersonation)
shell: bash
run: |
cd extensions/git-id-switcher
REPO_URL=$(node -e "console.log(require('./package.json').repository.url)")
HOMEPAGE=$(node -e "console.log(require('./package.json').homepage)")
EXPECTED_REPO="https://github.com/nullvariant/nullvariant-vscode-extensions"
EXPECTED_HOME_PREFIX="https://github.com/nullvariant/nullvariant-vscode-extensions"
if [ "$REPO_URL" != "$EXPECTED_REPO" ]; then
echo "::error::repository.url mismatch: expected '$EXPECTED_REPO', got '$REPO_URL'"
exit 1
fi
if [[ "$HOMEPAGE" != "$EXPECTED_HOME_PREFIX"* ]]; then
echo "::error::homepage does not start with '$EXPECTED_HOME_PREFIX': got '$HOMEPAGE'"
exit 1
fi
echo "package.json URLs verified"
e2e:
name: E2E Tests (${{ matrix.os }})
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
fail-fast: false
runs-on: ${{ matrix.os }}
permissions:
contents: read
steps:
- name: Configure Git line endings
if: runner.os == 'Windows'
run: git config --global core.autocrlf false
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24'
cache: 'npm'
cache-dependency-path: package-lock.json
# Install at root level for npm workspaces
- name: Install dependencies
run: npm ci
- name: Run E2E tests (Linux)
if: runner.os == 'Linux'
run: xvfb-run -a npm run test:e2e
working-directory: extensions/git-id-switcher
- name: Run E2E tests (Windows/macOS)
if: runner.os != 'Linux'
run: npm run test:e2e
working-directory: extensions/git-id-switcher
vex-dependency-review:
name: VEX Dependency Review
runs-on: ubuntu-latest
# Only run on dependency update PRs (Dependabot or Renovate)
if: >
github.event_name == 'pull_request' &&
(github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]')
permissions:
contents: read
pull-requests: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
fetch-depth: 0
- name: Check for production dependency changes
id: check
run: |
BASE_REF="${{ github.event.pull_request.base.sha }}"
HEAD_REF="${{ github.event.pull_request.head.sha }}"
# Get production dependency count from base and head
BASE_DEPS=$(git show "${BASE_REF}:extensions/git-id-switcher/package.json" | jq -r '.dependencies // {} | keys | length')
HEAD_DEPS=$(git show "${HEAD_REF}:extensions/git-id-switcher/package.json" | jq -r '.dependencies // {} | keys | length')
echo "Base production deps: $BASE_DEPS"
echo "Head production deps: $HEAD_DEPS"
if [ "$HEAD_DEPS" != "0" ]; then
echo "has_prod_deps=true" >> "$GITHUB_OUTPUT"
NEW_DEPS=$(git show "${HEAD_REF}:extensions/git-id-switcher/package.json" | jq -r '.dependencies | keys[]')
echo "prod_deps<<DEPSEOF" >> "$GITHUB_OUTPUT"
echo "$NEW_DEPS" >> "$GITHUB_OUTPUT"
echo "DEPSEOF" >> "$GITHUB_OUTPUT"
echo "::error::Production dependencies detected. VEX must be manually reviewed."
else
echo "has_prod_deps=false" >> "$GITHUB_OUTPUT"
fi
- name: Post VEX assessment (devDependencies only)
if: steps.check.outputs.has_prod_deps == 'false'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Prevent duplicate comments on force-pushed PRs
EXISTING=$(gh pr view "${{ github.event.pull_request.number }}" --json comments \
--jq '.comments[] | select(.body | contains("VEX Assessment")) | .id' | head -1)
if [ -n "$EXISTING" ]; then
echo "VEX assessment comment already exists. Skipping."
exit 0
fi
gh pr comment "${{ github.event.pull_request.number }}" --body "$(cat <<'COMMENTEOF'
### VEX Assessment: `not_affected`
This dependency update modifies **devDependencies only**.
- **Status**: `not_affected`
- **Justification**: `vulnerable_code_not_in_execute_path`
- **Impact**: Zero production dependencies. No third-party code is included in the published VSIX.
Any CVEs in updated devDependencies do not affect end users. The VEX document will be automatically updated by the weekly [VEX Auto-Update](.github/workflows/vex-update.yml) workflow.
🤖 Automated VEX assessment
COMMENTEOF
)"
- name: Warn about production dependencies
if: steps.check.outputs.has_prod_deps == 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Prevent duplicate comments on force-pushed PRs
EXISTING=$(gh pr view "${{ github.event.pull_request.number }}" --json comments \
--jq '.comments[] | select(.body | contains("VEX Assessment")) | .id' | head -1)
if [ -n "$EXISTING" ]; then
echo "VEX assessment comment already exists. Skipping."
else
DEPS="${{ steps.check.outputs.prod_deps }}"
gh pr comment "${{ github.event.pull_request.number }}" --body "$(cat <<COMMENTEOF
### ⚠️ VEX Assessment: Manual Review Required
This PR adds **production dependencies**:
\`\`\`
$DEPS
\`\`\`
Production dependencies are bundled into the published VSIX and may affect end users.
The current VEX blanket statement (\`not_affected\` for all CVEs) **no longer applies**.
**Action required:**
1. Review whether production dependencies are truly necessary
2. Update \`.vex/vex.json\` to reflect the new risk assessment
3. Consider the impact on supply chain security
🤖 Automated VEX assessment
COMMENTEOF
)"
fi
# Always fail when production dependencies are detected
exit 1
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
# Only run on pull requests (requires base/head comparison)
if: github.event_name == 'pull_request'
permissions:
contents: read
pull-requests: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Dependency Review
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
with:
config-file: './.github/dependency-review-config.yml'
comment-summary-in-pr: always