Skip to content

fix(deps): update dependency zod to v3.22.3 [security] #307

fix(deps): update dependency zod to v3.22.3 [security]

fix(deps): update dependency zod to v3.22.3 [security] #307

Workflow file for this run

name: CI/CD
on:
push:
env:
FORCE_COLOR: 3
# Cancel in-progress runs on new updates,
# except for deployment runs which could
# leave the app in an inconsistent state.
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: ${{ github.ref_name != 'main' && github.ref_name != 'beta' }}
jobs:
ci:
name: Integration
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: pnpm/action-setup@v2
with:
version: 8
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: lts/*
cache: pnpm
- name: Turbo Cache
id: turbo-cache
uses: actions/cache@v3
with:
path: node_modules/.cache/turbo
key: turbo-${{ github.sha }}
- name: Install dependencies
run: pnpm install
- name: Install & setup mkcert
run: |
sudo apt install libnss3-tools
curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64"
chmod +x mkcert-v*-linux-amd64
sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert
echo "mkcert version: $(mkcert -version)"
mkcert -install
- name: Generate TLS certificates
run: pnpm mkcert
- name: Lint
run: pnpm lint
- name: Unit tests
run: pnpm test
- name: Type checking
run: pnpm typecheck
- name: Build (NPM)
run: pnpm build:npm
- name: Build (Docker)
uses: docker/build-push-action@v4
with:
context: .
file: packages/server/Dockerfile
push: false
- name: Build docs
run: pnpm build:docs
# ----------------------------------------------------------------------------
cd-npm:
name: Release (NPM)
runs-on: ubuntu-latest
needs: [ci]
# todo: Enable main release channel once v1 is ready
# if: ${{ github.ref_name == 'main' || github.ref_name == 'beta' }}
if: ${{ github.ref_name == 'beta' }}
steps:
- uses: actions/checkout@v3
- uses: pnpm/action-setup@v2
with:
version: 7
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: lts/*
cache: pnpm
# Note: we do not use an external Turbo cache for publishing
# to prevent against possible cache collision attacks.
- name: Install dependencies
run: pnpm install
# NPM publish --
- name: Build (NPM)
run: pnpm build:npm
- name: Publish (NPM)
run: |
npx multi-semantic-release \
--ignore-packages="config/**,docs,examples/**" \
--deps.bump=satisfy
env:
SCEAU_PRIVATE_KEY: ${{ secrets.SCEAU_PRIVATE_KEY }}
GITHUB_TOKEN: ${{ github.token }}
NPM_TOKEN: ${{ secrets.SOCIALGROOVYBOT_NPM_TOKEN }}
GIT_AUTHOR_NAME: ${{ secrets.SOCIALGROOVYBOT_NAME }}
GIT_AUTHOR_EMAIL: ${{ secrets.SOCIALGROOVYBOT_EMAIL }}
GIT_COMMITTER_NAME: ${{ secrets.SOCIALGROOVYBOT_NAME }}
GIT_COMMITTER_EMAIL: ${{ secrets.SOCIALGROOVYBOT_EMAIL }}
- name: Generate step summary
run: |
if test -f GITHUB_STEP_SUMMARY_PACKAGES;
then
echo "## 📦  Published NPM packages" >> $GITHUB_STEP_SUMMARY;
cat GITHUB_STEP_SUMMARY_PACKAGES >> $GITHUB_STEP_SUMMARY;
fi
if test -f GITHUB_STEP_SUMMARY_SERVER;
then
echo "## Server" >> $GITHUB_STEP_SUMMARY;
cat GITHUB_STEP_SUMMARY_SERVER >> $GITHUB_STEP_SUMMARY;
fi
if ! test -f GITHUB_STEP_SUMMARY_SERVER && ! test -f GITHUB_STEP_SUMMARY_PACKAGES;
then
echo "No packages were published." >> $GITHUB_STEP_SUMMARY;
fi
# When the server package needs to be published,
# the internal @socialgouv/e2esdk-semantic-release plugin
# will store the new version number into the
# `server-needs-publishing` file at the repo root.
# We detect its presence and store the version
# in a step output, which will determine whether
# the Docker build+push step occurs or not.
- name: Check if server needs publishing
id: server-needs-publishing
run: |
if test -f server-needs-publishing;
then
echo "version=$(cat server-needs-publishing)" >> $GITHUB_OUTPUT;
fi
outputs:
server-version: ${{ steps.server-needs-publishing.outputs.version }}
# ----------------------------------------------------------------------------
cd-docker:
name: Release (Docker)
runs-on: ubuntu-latest
needs: [cd-npm]
if: ${{ needs.cd-npm.outputs.server-version }}
steps:
- name: Generate timestamp
id: timestamp
run: echo "timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_OUTPUT
- uses: actions/checkout@v3
- uses: pnpm/action-setup@v2
with:
version: 7
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: lts/*
cache: pnpm
# Note: we do not use an external Turbo cache for publishing
# to prevent against possible cache collision attacks.
- name: Install dependencies
run: pnpm install
- name: Build & sign server
run: |
pnpm build:server
cd packages/server
pnpm version ${{ needs.cd-npm.outputs.server-version }} --no-commit-hooks --no-git-tag-version
pnpm sign
env:
SCEAU_PRIVATE_KEY: ${{ secrets.SCEAU_PRIVATE_KEY }}
- name: Collect Docker labels & tags
id: docker-labels-tags
run: |
echo 'labels<<__LABELS_EOF__' >> $GITHUB_OUTPUT
echo "org.opencontainers.image.title=@socialgouv/e2esdk-server" >> $GITHUB_OUTPUT
echo "org.opencontainers.image.description=End-to-end encryption server" >> $GITHUB_OUTPUT
echo "org.opencontainers.image.version=${{ needs.cd-npm.outputs.server-version }}" >> $GITHUB_OUTPUT
echo "org.opencontainers.image.revision=${{ github.sha }}" >> $GITHUB_OUTPUT
echo "org.opencontainers.image.created=${{ steps.timestamp.outputs.timestamp }}" >> $GITHUB_OUTPUT
echo "org.opencontainers.image.licenses=Apache-2.0" >> $GITHUB_OUTPUT
echo "org.opencontainers.image.source=https//github.com/${{github.repository}}/tree/${{ github.sha }}" >> $GITHUB_OUTPUT
echo "org.opencontainers.image.documentation=https://github.com/${{github.repository}}/blob/main/packages/server/README.md" >> $GITHUB_OUTPUT
echo "org.opencontainers.image.url=https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}" >> $GITHUB_OUTPUT
echo '__LABELS_EOF__' >> $GITHUB_OUTPUT
echo 'tags<<__TAGS_EOF__' >> $GITHUB_OUTPUT
echo "ghcr.io/socialgouv/e2esdk/server:${{ github.ref_name == 'main' && 'latest' || 'beta' }}" >> $GITHUB_OUTPUT
echo "ghcr.io/socialgouv/e2esdk/server:${{ needs.cd-npm.outputs.server-version }}" >> $GITHUB_OUTPUT
echo "ghcr.io/socialgouv/e2esdk/server:git-${{ github.ref_name }}-${{ github.sha }}" >> $GITHUB_OUTPUT
echo '__TAGS_EOF__' >> $GITHUB_OUTPUT
- name: Docker registry authentication
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Build & Publish (Docker)
uses: docker/build-push-action@v4
id: docker-build-push
with:
context: .
file: packages/server/Dockerfile
build-args: |
SCEAU_VERIFICATION_MODE=--strict
labels: '${{ steps.docker-labels-tags.outputs.labels }}'
tags: '${{ steps.docker-labels-tags.outputs.tags }}'
push: true
- name: Generate step summary
run: |
echo "## 🐳 &nbsp;Docker image" >> $GITHUB_STEP_SUMMARY
echo "Digest: \`${{ steps.docker-build-push.outputs.digest }}\`" >> $GITHUB_STEP_SUMMARY
echo "### 📌 &nbsp;Tags" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "${{ steps.docker-labels-tags.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "### 🏷 &nbsp;Labels" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "${{ steps.docker-labels-tags.outputs.labels }}" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY