Enable CodeQL scan for GitHub Actions #3309
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check | |
on: | |
pull_request: ~ | |
push: | |
branches: | |
- main | |
permissions: read-all | |
jobs: | |
check: | |
name: ${{ matrix.what }} | |
runs-on: ubuntu-24.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
what: | |
- ci | |
- dependencies | |
- formatting | |
- js | |
- json | |
- licenses | |
- lockfile | |
- manifest | |
- md | |
- sh | |
- yml | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install tooling | |
uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0 | |
if: ${{ matrix.what == 'ci' || matrix.what == 'sh' }} | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Check | |
run: npm run "check:${WHAT}" | |
env: | |
WHAT: ${{ matrix.what }} | |
codeql: | |
name: CodeQL (${{ matrix.what }}) | |
runs-on: ubuntu-24.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
what: | |
- javascript | |
- actions | |
permissions: | |
security-events: write # To upload CodeQL results | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
ghcr.io:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
pkg-containers.githubusercontent.com:443 | |
uploads.github.com:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 | |
if: ${{ matrix.what == 'actions' }} | |
with: | |
languages: ${{ matrix.what }} | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 | |
if: ${{ matrix.what == 'javascript' }} | |
with: | |
config-file: ./.github/codeql.yml | |
languages: ${{ matrix.what }} | |
- name: Perform CodeQL analysis | |
uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 | |
odgen: | |
name: ODGen | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
github.com:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Perform ODGen analysis | |
uses: ericcornelissen/odgen-action/all@d52f04ff5d0b5b4ae83bcc89337eb37693e17938 # v1.0.3 | |
reproducible: | |
name: Reproducible build | |
runs-on: ubuntu-24.04 | |
needs: | |
- transpile | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Simulate publish | |
run: | | |
npm run transpile | |
npm pack | |
- name: Compute checksum | |
run: shasum -- *.tgz | tee checksums.txt | |
- name: Reset to a clean state | |
run: | | |
npm run clean | |
rm -- *.tgz | |
- name: Simulate publish again | |
run: | | |
npm run transpile | |
npm pack | |
- name: Verify checksum | |
run: shasum --check checksums.txt --strict | |
test-breakage: | |
name: Breakage | |
runs-on: ubuntu-24.04 | |
needs: | |
- test-integration | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Run breakage tests | |
run: npm run coverage:breakage | |
test-compatibility: | |
name: Compatibility | |
runs-on: ubuntu-24.04 | |
needs: | |
- test-integration | |
strategy: | |
fail-fast: false | |
matrix: | |
node-version: | |
- 14.18.0 | |
- 16.13.0 | |
- 18.0.0 | |
- 19.0.0 | |
- 20.0.0 | |
- 22.0.0 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
cache: npm | |
node-version: ${{ matrix.node-version }} | |
- name: Install compatible npm version | |
run: npm install --global [email protected] | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Run compatibility tests | |
run: npm run coverage:compat | |
test-e2e: | |
name: End-to-end (${{ matrix.name }}) | |
runs-on: ${{ matrix.os }} | |
needs: | |
- test-integration | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- name: MacOS | |
os: macos-14 | |
- name: Ubuntu | |
os: ubuntu-24.04 | |
- name: Windows | |
os: windows-2022 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: false | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
azure.archive.ubuntu.com:80 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Install csh | |
if: ${{ matrix.name == 'Ubuntu' }} | |
run: sudo apt-get --assume-yes install csh | |
- name: Install Zsh | |
if: ${{ matrix.name == 'Ubuntu' }} | |
run: sudo apt-get --assume-yes install zsh | |
- name: Run end-to-end tests | |
run: npm run coverage:e2e | |
test-integration: | |
name: Integration (${{ matrix.name }}) | |
runs-on: ${{ matrix.os }} | |
needs: | |
- test-unit | |
- transpile | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- name: MacOS | |
os: macos-14 | |
- name: Ubuntu | |
os: ubuntu-24.04 | |
- name: Windows | |
os: windows-2022 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: false | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
azure.archive.ubuntu.com:80 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Install Zsh | |
if: ${{ matrix.name == 'Ubuntu' }} | |
run: sudo apt-get --assume-yes install zsh | |
- name: Install csh | |
if: ${{ matrix.name == 'Ubuntu' }} | |
run: sudo apt-get --assume-yes install csh | |
- name: Run integration tests | |
run: npm run coverage:integration | |
test-mutation-unit: | |
name: Mutation (Unit) | |
runs-on: ubuntu-24.04 | |
needs: | |
- test-unit | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Cache Stryker incremental report | |
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
path: .cache/stryker-incremental-unit.json | |
key: mutation-unit-${{ github.run_number }} | |
restore-keys: | | |
mutation-unit- | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Run mutation tests | |
run: npm run mutation:unit | |
- name: Upload mutation report | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
if: ${{ failure() || success() }} | |
with: | |
name: mutation-unit-report | |
path: | | |
_reports/mutation/unit.html | |
.cache/stryker-incremental-unit.json | |
test-mutation-integration: | |
name: Mutation (integration) | |
runs-on: ubuntu-24.04 | |
needs: | |
- test-integration | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: false | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
azure.archive.ubuntu.com:80 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Cache Stryker incremental report | |
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 | |
with: | |
path: .cache/stryker-incremental-integration.json | |
key: mutation-integration-${{ github.run_number }} | |
restore-keys: | | |
mutation-integration- | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Install Zsh | |
run: sudo apt-get --assume-yes install zsh | |
- name: Install csh | |
run: sudo apt-get --assume-yes install csh | |
- name: Run mutation tests | |
run: npm run mutation:integration | |
- name: Upload mutation report | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
if: ${{ failure() || success() }} | |
with: | |
name: mutation-integration-report | |
path: | | |
_reports/mutation/integration.html | |
.cache/stryker-incremental-integration.json | |
test-unit: | |
name: Unit | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Run unit tests | |
run: npm run coverage:unit | |
transpile: | |
name: Transpile | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Harden runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
actions-results-receiver-production.githubapp.com:443 | |
api.github.com:443 | |
artifactcache.actions.githubusercontent.com:443 | |
github.com:443 | |
gitlab.com:443 | |
nodejs.org:443 | |
objects.githubusercontent.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
persist-credentials: false | |
- name: Install Node.js | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
cache: npm | |
node-version-file: .nvmrc | |
- name: Install dependencies | |
run: npm clean-install | |
- name: Transpile to CommonJS | |
run: npm run transpile |