Skip to content

continue pipeline when npm audit reports vulnerabilities #269

continue pipeline when npm audit reports vulnerabilities

continue pipeline when npm audit reports vulnerabilities #269

Workflow file for this run

name: 'Frodo Library Release Pipeline'
on:
pull_request:
branches:
- 'main'
paths-ignore:
- '**/README.md'
- '**/CODE_OF_CONDUCT.md'
- 'docs/**'
push:
branches:
- 'main'
paths-ignore:
- '**/pipeline.yml'
- '**/README.md'
- '**/CODE_OF_CONDUCT.md'
- 'docs/**'
workflow_dispatch:
env:
NODE_VERSION: 16
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
# Need to specify ref and repository for PRs from forked repos
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: 'Prepare Version Bump'
id: version-bump
uses: 'phips28/gh-action-bump-version@master'
with:
major-wording: 'MAJOR RELEASE.'
minor-wording: 'MINOR RELEASE'
patch-wording: 'PATCH RELEASE'
rc-wording: ''
tag-prefix: 'v'
default: prerelease
preid: ''
bump-policy: 'ignore'
skip-commit: 'true'
skip-tag: 'true'
skip-push: 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Version From Tag
id: version-from-tag
run: echo "version=$(echo '${{ steps.version-bump.outputs.newTag }}' | sed 's/v//')" >> "$GITHUB_OUTPUT"
- name: Generate types
run: npm run generate-types
- name: Build esm
run: |
npm run transpile-esm
npm run resources-esm
- name: Build cjs
run: |
npm run transpile-cjs
npm run resources-cjs
- name: Lint
run: npm run lint
- name: Security Audit
continue-on-error: true
run: npm audit --omit=dev
- name: Zip build artifacts
run: zip -r build.zip esm cjs mocks package.json package-lock.json snapshotResolve.js types
- uses: actions/upload-artifact@v3
with:
name: build
path: |
build.zip
outputs:
newTag: ${{ steps.version-bump.outputs.newTag }}
newVersion: ${{ steps.version-from-tag.outputs.version }}
preRelease: ${{ contains(steps.version-bump.outputs.newTag, '-') }}
smoke-tests:
name: 'Smoke Tests'
# You must use a Linux environment when using service containers or container jobs
runs-on: ubuntu-latest
needs: [build]
strategy:
matrix:
node-version: [20, 18, 16]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
# Service containers to run with `smoke-tests`
services:
# Label used to access the service container
squid:
# Docker Hub image
image: ubuntu/squid
#
ports:
# Maps tcp port 3128 on the host to the same port in the service container
- 3128:3128
steps:
# Need to check out repo to get .snap and .har files for unit tests
- name: Checkout repository
uses: actions/checkout@v3
with:
# Need to specify ref and repository for PRs from forked repos
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- uses: actions/download-artifact@v3
with:
name: build
# need -o to overwrite package.json
- name: Unzip build artifact
run: unzip -o build.zip
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
node-version: ${{ matrix.node-version }}
cache: 'npm'
- name: Install dependencies
run: |
npm ci
#
# Run tests.
#
- name: Direct Tests
env:
FRODO_DEBUG: ${{ vars.FRODO_DEBUG }}
FRODO_HOST: ${{ vars.FIDC_TENANT_URL }}
FRODO_SA_ID: ${{ vars.FIDC_TENANT_SA_ID }}
FRODO_SA_JWK: ${{ secrets.FIDC_TENANT_SA_JWK }}
run: |
npm run test:debug
- name: Proxy Tests
env:
FRODO_DEBUG: ${{ vars.FRODO_DEBUG }}
HTTPS_PROXY: 'http://127.0.0.1:3128'
FRODO_HOST: ${{ vars.FIDC_TENANT_URL }}
FRODO_SA_ID: ${{ vars.FIDC_TENANT_SA_ID }}
FRODO_SA_JWK: ${{ secrets.FIDC_TENANT_SA_JWK }}
run: |
npm run test:only
- name: Security Audit
run: |
npm audit --omit=dev
npm-release:
if: github.ref == 'refs/heads/main'
needs: [build, smoke-tests]
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v3
with:
name: build
- name: Unzip build artifact
run: unzip build.zip
- uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Pre-Release
if: ${{ fromJSON(needs.build.outputs.preRelease) }}
uses: JS-DevTools/npm-publish@v1
with:
access: public
tag: 'next'
token: ${{ secrets.NPM_ACCESS_TOKEN }}
- name: Release
if: ${{ ! fromJSON(needs.build.outputs.preRelease) }}
uses: JS-DevTools/npm-publish@v1
with:
access: public
token: ${{ secrets.NPM_ACCESS_TOKEN }}
- name: Add next tag
if: ${{ ! fromJSON(needs.build.outputs.preRelease) }}
run: |
export INPUT_TOKEN=${{ secrets.NPM_ACCESS_TOKEN }}
npm whoami
npm dist-tag add @rockcarver/frodo-lib@${{ needs.build.outputs.newVersion }} next
release:
if: github.ref == 'refs/heads/main'
needs: [build, npm-release]
name: 'Release'
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- uses: actions/download-artifact@v3
with:
name: build
# need -o to overwrite package.json
- name: Unzip build artifact
run: unzip -o build.zip
- name: 'Github SHA'
id: github-sha
run: echo ${{ github.sha }} > Release.txt
- name: Update Changelog
uses: thomaseizinger/keep-a-changelog-new-release@1.3.0
with:
tag: ${{ needs.build.outputs.newTag }}
- name: 'Output Changelog'
run: cat CHANGELOG.md
- name: 'Release Header'
id: release-header
run: echo "header=$(echo `grep '## \\[${{ needs.build.outputs.newVersion }}] -' CHANGELOG.md | sed 's/## //' | sed 's/\\[//' | sed 's/]//'`)" >> "$GITHUB_OUTPUT"
- name: 'Extract Release Notes'
id: extract-release-notes
uses: 'dahlia/submark@main'
with:
input-file: 'CHANGELOG.md'
heading-level: 2
heading-title-text: '${{ steps.release-header.outputs.header }}'
ignore-case: true
omit-heading: true
- name: Commit updated changelog and version
id: commit-changelog
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add CHANGELOG.md package.json
git commit --message "Updated changelog and version for release ${{ needs.build.outputs.newTag }}"
git push
- name: Release
uses: softprops/action-gh-release@v1
with:
name: Frodo Library ${{ needs.build.outputs.newVersion }}
tag_name: ${{ needs.build.outputs.newTag }}
body: ${{ steps.extract-release-notes.outputs.output-text }}
prerelease: ${{ needs.build.outputs.preRelease }}
generate_release_notes: ${{ contains(needs.build.outputs.newTag, '-') }}
files: |
CHANGELOG.md
LICENSE
Release.txt
token: ${{ secrets.GITHUB_TOKEN }}