Synthetixio · drptbl · Nov 20, 2020 · Nov 20, 2020 · Nov 20, 2020 · Nov 20, 2020
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 5
+    target-branch: "dev"
+    allow:
+      - dependency-name: "synthetix-*"
+        dependency-type: "production"
+      - dependency-name: "@synthetixio/*"
+        dependency-type: "production"
+    labels:
+      - "npm"
+      - "dependencies"
+    pull-request-branch-name:
+      separator: "-"
diff --git a/.github/workflows/audit_lint_build.yml b/.github/workflows/audit_lint_build.yml
@@ -0,0 +1,81 @@
+name: Synthetix Exchange CI
+
+on:
+  push:
+  pull_request:
+    branches: [master, dev]
+
+jobs:
+  audit:
+    # run only on master/dev branch and pull requests
+    if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev' || github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+
+    container:
+      image: ghcr.io/synthetixio/docker-sec-tools/base:12.19
+      credentials:
+        username: synthetixio
+        password: ${{ secrets.GH_PACKAGES_READ_ONLY }}
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@ee5a9d1395988d7c82c67c69571871f5994b94df # pin@v2
+
+    - name: Audit dependencies
+      run: audit-ci --critical --report-type important
+
+    - name: Lockfile lint
+      run: lockfile-lint -p package-lock.json --type npm --allowed-hosts npm github.com --allowed-schemes "https:" "git+https:"
+
+  build:
+    needs: audit
+    # run only on audit success or audit skipped
+    if: always() && (needs.audit.result == 'success' || needs.audit.result == 'skipped')
+    runs-on: ubuntu-latest
+
+    container:
+      image: ghcr.io/synthetixio/docker-node/alpine:12.19
+      credentials:
+        username: synthetixio
+        password: ${{ secrets.GH_PACKAGES_READ_ONLY }}
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@ee5a9d1395988d7c82c67c69571871f5994b94df # pin@v2
+
+    - name: Cache node modules
+      uses: actions/cache@3b70782066bd817837b6bd8c518d45b54d91bf76 # pin@v2
+      with:
+        path: |
+          .npm
+          node_modules
+        key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-node-
+          ${{ runner.os }}-
+      continue-on-error: true
+
+    - name: Install dependencies
+      run: npm install --no-audit
+
+    - name: Lint
+      # run only on master/dev branch and pull requests
+      if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev' || github.event_name == 'pull_request'
+      run: npm run lint:sarif
+
+    - name: Upload lint results
+      # run if lint failed and only on master/dev branch and pull requests
+      if: always() && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev' || github.event_name == 'pull_request')
+      uses: github/codeql-action/upload-sarif@b1e2c9b8bd0550a90e66c967d9795316f9f21910 # pin@codeql-bundle-20201008
+      with:
+        sarif_file: lint-results.sarif
+      continue-on-error: true
+
+    - name: Build
+      run: npm run build
+
+    - name: Archive artifacts
+      if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/dev' || github.event_name == 'pull_request'
+      uses: actions/upload-artifact@726a6dcd0199f578459862705eed35cda05af50b # pin@v2
+      with:
+        path: build
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,38 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [master, dev]
+    paths-ignore:
+    - node_modules
+  pull_request:
+    branches: [master, dev]
+    paths-ignore:
+    - node_modules
+  schedule:
+    - cron: '0 6 * * 3'
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@ee5a9d1395988d7c82c67c69571871f5994b94df # pin@v2
+        with:
+          fetch-depth: 2
+
+      - run: git checkout HEAD^2
+        if: ${{ github.event_name == 'pull_request' }}
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          queries: security-and-quality
+          languages: javascript
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v1
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1
diff --git a/.gitignore b/.gitignore
@@ -25,3 +25,5 @@ yarn-error.log*
 
 .yalc
 yalc.lock
+
+lint-results.sarif