fix(deps): update dependency zod to v3.22.3 [security] #307
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD | |
on: | |
push: | |
env: | |
FORCE_COLOR: 3 | |
# Cancel in-progress runs on new updates, | |
# except for deployment runs which could | |
# leave the app in an inconsistent state. | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: ${{ github.ref_name != 'main' && github.ref_name != 'beta' }} | |
jobs: | |
ci: | |
name: Integration | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: pnpm/action-setup@v2 | |
with: | |
version: 8 | |
- name: Set up Node.js | |
uses: actions/setup-node@v3 | |
with: | |
node-version: lts/* | |
cache: pnpm | |
- name: Turbo Cache | |
id: turbo-cache | |
uses: actions/cache@v3 | |
with: | |
path: node_modules/.cache/turbo | |
key: turbo-${{ github.sha }} | |
- name: Install dependencies | |
run: pnpm install | |
- name: Install & setup mkcert | |
run: | | |
sudo apt install libnss3-tools | |
curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64" | |
chmod +x mkcert-v*-linux-amd64 | |
sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert | |
echo "mkcert version: $(mkcert -version)" | |
mkcert -install | |
- name: Generate TLS certificates | |
run: pnpm mkcert | |
- name: Lint | |
run: pnpm lint | |
- name: Unit tests | |
run: pnpm test | |
- name: Type checking | |
run: pnpm typecheck | |
- name: Build (NPM) | |
run: pnpm build:npm | |
- name: Build (Docker) | |
uses: docker/build-push-action@v4 | |
with: | |
context: . | |
file: packages/server/Dockerfile | |
push: false | |
- name: Build docs | |
run: pnpm build:docs | |
# ---------------------------------------------------------------------------- | |
cd-npm: | |
name: Release (NPM) | |
runs-on: ubuntu-latest | |
needs: [ci] | |
# todo: Enable main release channel once v1 is ready | |
# if: ${{ github.ref_name == 'main' || github.ref_name == 'beta' }} | |
if: ${{ github.ref_name == 'beta' }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: pnpm/action-setup@v2 | |
with: | |
version: 7 | |
- name: Set up Node.js | |
uses: actions/setup-node@v3 | |
with: | |
node-version: lts/* | |
cache: pnpm | |
# Note: we do not use an external Turbo cache for publishing | |
# to prevent against possible cache collision attacks. | |
- name: Install dependencies | |
run: pnpm install | |
# NPM publish -- | |
- name: Build (NPM) | |
run: pnpm build:npm | |
- name: Publish (NPM) | |
run: | | |
npx multi-semantic-release \ | |
--ignore-packages="config/**,docs,examples/**" \ | |
--deps.bump=satisfy | |
env: | |
SCEAU_PRIVATE_KEY: ${{ secrets.SCEAU_PRIVATE_KEY }} | |
GITHUB_TOKEN: ${{ github.token }} | |
NPM_TOKEN: ${{ secrets.SOCIALGROOVYBOT_NPM_TOKEN }} | |
GIT_AUTHOR_NAME: ${{ secrets.SOCIALGROOVYBOT_NAME }} | |
GIT_AUTHOR_EMAIL: ${{ secrets.SOCIALGROOVYBOT_EMAIL }} | |
GIT_COMMITTER_NAME: ${{ secrets.SOCIALGROOVYBOT_NAME }} | |
GIT_COMMITTER_EMAIL: ${{ secrets.SOCIALGROOVYBOT_EMAIL }} | |
- name: Generate step summary | |
run: | | |
if test -f GITHUB_STEP_SUMMARY_PACKAGES; | |
then | |
echo "## 📦 Published NPM packages" >> $GITHUB_STEP_SUMMARY; | |
cat GITHUB_STEP_SUMMARY_PACKAGES >> $GITHUB_STEP_SUMMARY; | |
fi | |
if test -f GITHUB_STEP_SUMMARY_SERVER; | |
then | |
echo "## Server" >> $GITHUB_STEP_SUMMARY; | |
cat GITHUB_STEP_SUMMARY_SERVER >> $GITHUB_STEP_SUMMARY; | |
fi | |
if ! test -f GITHUB_STEP_SUMMARY_SERVER && ! test -f GITHUB_STEP_SUMMARY_PACKAGES; | |
then | |
echo "No packages were published." >> $GITHUB_STEP_SUMMARY; | |
fi | |
# When the server package needs to be published, | |
# the internal @socialgouv/e2esdk-semantic-release plugin | |
# will store the new version number into the | |
# `server-needs-publishing` file at the repo root. | |
# We detect its presence and store the version | |
# in a step output, which will determine whether | |
# the Docker build+push step occurs or not. | |
- name: Check if server needs publishing | |
id: server-needs-publishing | |
run: | | |
if test -f server-needs-publishing; | |
then | |
echo "version=$(cat server-needs-publishing)" >> $GITHUB_OUTPUT; | |
fi | |
outputs: | |
server-version: ${{ steps.server-needs-publishing.outputs.version }} | |
# ---------------------------------------------------------------------------- | |
cd-docker: | |
name: Release (Docker) | |
runs-on: ubuntu-latest | |
needs: [cd-npm] | |
if: ${{ needs.cd-npm.outputs.server-version }} | |
steps: | |
- name: Generate timestamp | |
id: timestamp | |
run: echo "timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_OUTPUT | |
- uses: actions/checkout@v3 | |
- uses: pnpm/action-setup@v2 | |
with: | |
version: 7 | |
- name: Set up Node.js | |
uses: actions/setup-node@v3 | |
with: | |
node-version: lts/* | |
cache: pnpm | |
# Note: we do not use an external Turbo cache for publishing | |
# to prevent against possible cache collision attacks. | |
- name: Install dependencies | |
run: pnpm install | |
- name: Build & sign server | |
run: | | |
pnpm build:server | |
cd packages/server | |
pnpm version ${{ needs.cd-npm.outputs.server-version }} --no-commit-hooks --no-git-tag-version | |
pnpm sign | |
env: | |
SCEAU_PRIVATE_KEY: ${{ secrets.SCEAU_PRIVATE_KEY }} | |
- name: Collect Docker labels & tags | |
id: docker-labels-tags | |
run: | | |
echo 'labels<<__LABELS_EOF__' >> $GITHUB_OUTPUT | |
echo "org.opencontainers.image.title=@socialgouv/e2esdk-server" >> $GITHUB_OUTPUT | |
echo "org.opencontainers.image.description=End-to-end encryption server" >> $GITHUB_OUTPUT | |
echo "org.opencontainers.image.version=${{ needs.cd-npm.outputs.server-version }}" >> $GITHUB_OUTPUT | |
echo "org.opencontainers.image.revision=${{ github.sha }}" >> $GITHUB_OUTPUT | |
echo "org.opencontainers.image.created=${{ steps.timestamp.outputs.timestamp }}" >> $GITHUB_OUTPUT | |
echo "org.opencontainers.image.licenses=Apache-2.0" >> $GITHUB_OUTPUT | |
echo "org.opencontainers.image.source=https//github.com/${{github.repository}}/tree/${{ github.sha }}" >> $GITHUB_OUTPUT | |
echo "org.opencontainers.image.documentation=https://github.com/${{github.repository}}/blob/main/packages/server/README.md" >> $GITHUB_OUTPUT | |
echo "org.opencontainers.image.url=https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}" >> $GITHUB_OUTPUT | |
echo '__LABELS_EOF__' >> $GITHUB_OUTPUT | |
echo 'tags<<__TAGS_EOF__' >> $GITHUB_OUTPUT | |
echo "ghcr.io/socialgouv/e2esdk/server:${{ github.ref_name == 'main' && 'latest' || 'beta' }}" >> $GITHUB_OUTPUT | |
echo "ghcr.io/socialgouv/e2esdk/server:${{ needs.cd-npm.outputs.server-version }}" >> $GITHUB_OUTPUT | |
echo "ghcr.io/socialgouv/e2esdk/server:git-${{ github.ref_name }}-${{ github.sha }}" >> $GITHUB_OUTPUT | |
echo '__TAGS_EOF__' >> $GITHUB_OUTPUT | |
- name: Docker registry authentication | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ github.token }} | |
- name: Build & Publish (Docker) | |
uses: docker/build-push-action@v4 | |
id: docker-build-push | |
with: | |
context: . | |
file: packages/server/Dockerfile | |
build-args: | | |
SCEAU_VERIFICATION_MODE=--strict | |
labels: '${{ steps.docker-labels-tags.outputs.labels }}' | |
tags: '${{ steps.docker-labels-tags.outputs.tags }}' | |
push: true | |
- name: Generate step summary | |
run: | | |
echo "## 🐳 Docker image" >> $GITHUB_STEP_SUMMARY | |
echo "Digest: \`${{ steps.docker-build-push.outputs.digest }}\`" >> $GITHUB_STEP_SUMMARY | |
echo "### 📌 Tags" >> $GITHUB_STEP_SUMMARY | |
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY | |
echo "${{ steps.docker-labels-tags.outputs.tags }}" >> $GITHUB_STEP_SUMMARY | |
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY | |
echo "### 🏷 Labels" >> $GITHUB_STEP_SUMMARY | |
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY | |
echo "${{ steps.docker-labels-tags.outputs.labels }}" >> $GITHUB_STEP_SUMMARY | |
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY |