From c13cd1b8e7f49c3df05f0cab96b73b8614a9c0c7 Mon Sep 17 00:00:00 2001
From: Sam Gammon
Date: Fri, 1 Dec 2023 16:09:16 -0800
Subject: [PATCH] chore: cleanup ci jobs, add actionlint check
Signed-off-by: Sam Gammon
---
 .github/workflows/check-dist.yml | 11 +----
 .github/workflows/codeql-analysis.yml | 16 +++----
 .github/workflows/dependency-review.yml | 17 ++-----
 .github/workflows/linter.action.yml | 19 ++++++++
 .../workflows/{linter.yml => linter.code.yml} | 10 ++---
 .github/workflows/scorecards.yml | 44 ++++----------------
 6 files changed, 42 insertions(+), 75 deletions(-)
 create mode 100644 .github/workflows/linter.action.yml
 rename .github/workflows/{linter.yml => linter.code.yml} (93%)
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
index 661f84d..5e1e287 100644
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -1,4 +1,4 @@
-name: Check Dist +name: "Check: Distribution" on: workflow_dispatch: {}
@@ -17,34 +17,28 @@ jobs:
 statuses: write steps: - - name: Harden Runner + - name: "Setup: Harden Runner" uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - name: "Setup: Checkout" id: checkout uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - - name: "Setup: PNPM" uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v2.4.0 with: version: 8.9.0 - - name: "Setup: Node" uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: 20 cache: pnpm - - name: "Setup: Install Dependencies" id: install run: pnpm install && pnpm install -g turbo - - name: "Build: Bundle" id: build run: turbo build --token ${{ secrets.BUILDLESS_APIKEY }} --no-daemon --remote-only - - name: "Check: Compare Expected and Actual Directories" id: diff run: |
@@ -53,7 +47,6 @@ jobs:
 git diff --ignore-space-at-eol --text dist/ exit 1 fi - - name: "Build: Upload Artifact" uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 if: ${{ failure() && steps.diff.conclusion == 'failure' }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1ea8057..d6fed66 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,4 +1,4 @@
-name: CodeQL +name: "Check: CodeQL" on: push:
@@ -32,28 +32,24 @@ jobs:
 - TypeScript steps: - - name: Harden Runner + - name: "Setup: Harden Runner" uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - - name: Checkout + - name: "Setup: Checkout" id: checkout uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - - - name: Initialize CodeQL + - name: "Setup: Initialize CodeQL" id: initialize uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 with: languages: ${{ matrix.language }} source-root: src - - - name: Autobuild + - name: "Build: Autobuild" id: autobuild continue-on-error: true uses: github/codeql-action/autobuild@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 - - - name: Perform CodeQL Analysis + - name: "Check: Perform CodeQL Analysis" id: analyze continue-on-error: true uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 9c697a4..8d49f3c 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,12 +1,4 @@
-# Dependency Review Action -# -# This Action will scan dependency manifest files that change as part of a Pull Request, -# surfacing known-vulnerable versions of the packages declared or updated in the PR. -# Once installed, if the workflow run is marked as required, -# PRs introducing known-vulnerable packages will be blocked from merging. -# -# Source repository: https://github.com/actions/dependency-review-action -name: 'Dependency Review' +name: 'Check: Dependency Review' on: [pull_request] permissions:
@@ -16,12 +8,11 @@ jobs:
 dependency-review: runs-on: ubuntu-latest steps: - - name: Harden Runner + - name: "Setup: Harden Runner" uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - - name: 'Checkout Repository' + - name: "Setup: Checkout" uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - name: 'Dependency Review' + - name: "Check: Dependency Review" uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/linter.action.yml b/.github/workflows/linter.action.yml
new file mode 100644
index 0000000..2c4ea27
--- /dev/null
+++ b/.github/workflows/linter.action.yml
@@ -0,0 +1,19 @@
+name: "Check: Action Lint"
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches-ignore:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ lint:
+ name: "Check: Action Lint"
+ permissions:
+ contents: read
+ uses: elide-dev/build-infra/.github/workflows/lint.action.yml
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.code.yml
similarity index 93%
rename from .github/workflows/linter.yml
rename to .github/workflows/linter.code.yml
index e447b86..eaee87e 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.code.yml
@@ -1,4 +1,4 @@
-name: Lint +name: "Check: Code Lint" on: pull_request:
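Review bot: The reusable-workflow call on the last line of the new linter.action.yml, `uses: elide-dev/build-infra/.github/workflows/lint.action.yml`, carries no `@ref`; a reusable workflow in another repository has to be referenced as `{owner}/{repo}/.github/workflows/{file}@{ref}`, so as written the job is most likely rejected when the workflow is parsed, and actionlint (which this file exists to run) reports the same shape of error. Every other `uses:` in this patch is pinned to a full commit SHA with a version comment; the reusable workflow should follow the same rule so that a later change in build-infra cannot silently alter what runs against this repository, e.g. `uses: elide-dev/build-infra/.github/workflows/lint.action.yml@<commit-sha placeholder>  # <tag placeholder>`. The job grants only `contents: read`, which is the right floor for a lint; if the called workflow needs more, the call fails rather than escalating, so that part can stay as is.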
@@ -22,11 +22,10 @@ jobs:
 statuses: write steps: - - name: Harden Runner + - name: "Setup: Harden Runner" uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - name: "Setup: Checkout" id: checkout uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -35,19 +34,16 @@ jobs:
 uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v2.4.0 with: version: 8.9.0 - - name: "Setup: Node" id: setup-node uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: 20 cache: pnpm - - name: "Setup: Install Dependencies" id: install run: pnpm install && pnpm run gen - - - name: Lint Code Base + - name: "Check: Linter" id: super-linter uses: super-linter/super-linter/slim@3213b9ea991e2d45d760ea8a76aaebad8a2bdb1a # v5.4.0 env:
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index da2f9a5..acb70b3 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -1,14 +1,6 @@
-# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - -name: Scorecard supply-chain security +name: "Check: Scorecard" on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + branch_protection_rule: {} schedule: - cron: '20 7 * * 2' push:
@@ -19,7 +11,7 @@ permissions: read-all
 jobs: analysis: - name: Scorecard analysis + name: "Check: Scorecard" runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard.
@@ -30,47 +22,27 @@ jobs:
 actions: read steps: - - name: Harden Runner + - name: "Setup: Harden Runner" uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: egress-policy: audit - - - name: "Checkout code" + - name: "Setup: Checkout" uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: persist-credentials: false - - - name: "Run analysis" + - name: "Check: Scorecard Analysis" uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 with: results_file: results.sarif results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecards on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. - # repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. publish_results: true - - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - - name: "Upload artifact" + - name: "Artifacts: Analysis SARIF" uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file path: results.sarif retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" + - name: "Artifacts: GitHub Advanced Security" uses: github/codeql-action/upload-sarif@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 with: sarif_file: results.sarif
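Review bot: With the scorecard-action template comments stripped from this hunk, the surviving `publish_results: true` line is now undocumented, and the note about the optional `repo_token` went with it; that line opts the repository into publishing its results to the OpenSSF REST API (per the removed text, the action forces it to `false` on private repositories), which is a visibility decision a maintainer should be able to see without opening the action's README. One line above it keeps that intent without the original wall of text: `# Publishes results to the OpenSSF REST API (forced to false on private repos); see https://github.com/ossf/scorecard-action#publishing-results`. The same applies to `branch_protection_rule: {}` in the `@@ -1,14 +1,6 @@` hunk above, whose comment that only the default branch is supported was dropped; a short `# Branch-Protection check; default branch only` preserves it. If the Branch-Protection check is actually wanted on this public repository, the removed comment's `repo_token` PAT is the setting to document, since nothing in the new file now mentions it.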