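---
# CI workflow for the npm package: lint/check matrix, CodeQL (javascript and
# actions), ODGen, a reproducible-build check and the unit / integration /
# end-to-end / mutation / compatibility test jobs.
name: Check
on:
  pull_request: ~
  push:
    branches:
      - main
# Least privilege for GITHUB_TOKEN. Every job below only needs to read the
# repository (checkout); caching and artifact upload use the runtime token,
# not GITHUB_TOKEN, so `read-all` granted more scopes than anything here uses.
# A job that needs more (codeql: security-events: write) declares its own
# `permissions:` block, which replaces this grant rather than extending it.
permissions:
  contents: read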
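jobs:
  # Lint / static checks: one runner per `check:<what>` npm script.
  check:
    name: ${{ matrix.what }}
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false
      matrix:
        what:
          - ci
          - dependencies
          - formatting
          - js
          - json
          - licenses
          - lockfile
          - manifest
          - md
          - sh
          - yml
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          # Default-deny egress: only the hosts below are reachable, so a
          # compromised dependency or tool cannot exfiltrate or fetch payloads
          # from elsewhere. A new tool that needs network access must be added
          # here or the job fails.
          egress-policy: block
          # NOTE(review): gitlab.com is not obviously used by any step of this
          # job; presumably a test fixture or dependency host — confirm it is
          # still needed.
          allowed-endpoints: >
            actions-results-receiver-production.githubapp.com:443
            api.github.com:443
            artifactcache.actions.githubusercontent.com:443
            github.com:443
            gitlab.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          # Do not leave GITHUB_TOKEN in .git/config where later steps and
          # third-party tooling could read it.
          persist-credentials: false
      - name: Install tooling
        uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0
        if: ${{ matrix.what == 'ci' || matrix.what == 'sh' }}
      - name: Install Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          cache: npm
          node-version-file: .nvmrc
      - name: Install dependencies
        run: npm clean-install
      - name: Check
        # The matrix value reaches the shell through an environment variable
        # instead of being interpolated into the script, so it can never be
        # parsed as shell code.
        run: npm run "check:${WHAT}"
        env:
          WHAT: ${{ matrix.what }}
  # CodeQL over the JavaScript sources and over the workflow files themselves.
  codeql:
    name: CodeQL (${{ matrix.what }})
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false
      matrix:
        what:
          - javascript
          - actions
    # Job-level permissions REPLACE the workflow-level grant: every scope not
    # listed here is `none`, so this job runs without `contents` access.
    # NOTE(review): checkout evidently still works (public repository); add
    # `contents: read` (and `actions: read`, which the CodeQL action needs on
    # private repositories) before this repository is ever made private.
    permissions:
      security-events: write # To upload CodeQL results
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          # uploads.github.com receives the SARIF results; the ghcr.io /
          # pkg-containers hosts are presumably where the CodeQL bundle is
          # fetched from — confirm against the action's own documentation.
          allowed-endpoints: >
            actions-results-receiver-production.githubapp.com:443
            api.github.com:443
            ghcr.io:443
            github.com:443
            objects.githubusercontent.com:443
            pkg-containers.githubusercontent.com:443
            uploads.github.com:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
      # Two init steps instead of one: the custom query configuration only
      # applies to the JavaScript analysis, the `actions` language runs with
      # the action's defaults.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
        if: ${{ matrix.what == 'actions' }}
        with:
          languages: ${{ matrix.what }}
      - name: Initialize CodeQL
        uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
        if: ${{ matrix.what == 'javascript' }}
        with:
          config-file: ./.github/codeql.yml
          languages: ${{ matrix.what }}
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
  # Third-party ODGen analysis of the sources.
  odgen:
    name: ODGen
    runs-on: ubuntu-24.04
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          # Only github.com is reachable, so the action has to bring everything
          # it runs with it; anything it tried to download elsewhere would fail
          # loudly rather than silently.
          allowed-endpoints: >
            github.com:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
      # NOTE(review): this action runs with the workflow-level token
      # permissions; whether it needs more than repository read was not
      # verified here.
      - name: Perform ODGen analysis
        uses: ericcornelissen/odgen-action/all@d52f04ff5d0b5b4ae83bcc89337eb37693e17938 # v1.0.3
  # Builds and packs the package twice from a clean state and requires the two
  # tarball digests to be identical (catches non-deterministic build output).
  reproducible:
    name: Reproducible build
    runs-on: ubuntu-24.04
    needs:
      - transpile
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            actions-results-receiver-production.githubapp.com:443
            api.github.com:443
            artifactcache.actions.githubusercontent.com:443
            github.com:443
            gitlab.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
      - name: Install Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          cache: npm
          node-version-file: .nvmrc
      - name: Install dependencies
        run: npm clean-install
      - name: Simulate publish
        run: |
          npm run transpile
          npm pack
      # SHA-256 is requested explicitly: shasum's default is SHA-1, which is
      # no longer an acceptable integrity digest and is not what anyone
      # comparing this value against a published artifact would expect.
      - name: Compute checksum
        run: shasum --algorithm 256 -- *.tgz | tee checksums.txt
      - name: Reset to a clean state
        run: |
          npm run clean
          rm -- *.tgz
      - name: Simulate publish again
        run: |
          npm run transpile
          npm pack
      # --strict also fails on malformed checksum lines. NOTE(review):
      # checksums.txt sits in the working tree during the second `npm pack`;
      # the package manifest must exclude it or the digests can never match.
      - name: Verify checksum
        run: shasum --algorithm 256 --check checksums.txt --strict
  test-breakage:
    name: Breakage
    runs-on: ubuntu-24.04
    needs:
      - test-integration
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            actions-results-receiver-production.githubapp.com:443
            api.github.com:443
            artifactcache.actions.githubusercontent.com:443
            github.com:443
            gitlab.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
      - name: Install Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          cache: npm
          node-version-file: .nvmrc
      - name: Install dependencies
        run: npm clean-install
      - name: Run breakage tests
        run: npm run coverage:breakage
  # Runs the compatibility suite on every supported Node.js major.
  test-compatibility:
    name: Compatibility
    runs-on: ubuntu-24.04
    needs:
      - test-integration
    strategy:
      fail-fast: false
      matrix:
        node-version:
          - 14.18.0
          - 16.13.0
          - 18.0.0
          - 19.0.0
          - 20.0.0
          - 22.0.0
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            actions-results-receiver-production.githubapp.com:443
            api.github.com:443
            artifactcache.actions.githubusercontent.com:443
            github.com:443
            gitlab.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
      - name: Install Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          cache: npm
          node-version: ${{ matrix.node-version }}
      - name: Install compatible npm version
        # NOTE(review): "[email protected]" reads like a rendering artefact of
        # an `npm@<version>` spec (the `@` was mangled into an e-mail pattern);
        # check the pinned npm version in the repository before relying on this
        # line, and keep it pinned to an exact version.
        run: npm install --global [email protected]
      - name: Install dependencies
        run: npm clean-install
      - name: Run compatibility tests
        run: npm run coverage:compat
  test-e2e:
    name: End-to-end (${{ matrix.name }})
    runs-on: ${{ matrix.os }}
    needs:
      - test-integration
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: MacOS
            os: macos-14
          - name: Ubuntu
            os: ubuntu-24.04
          - name: Windows
            os: windows-2022
    steps:
      # NOTE(review): harden-runner documents support for GitHub-hosted Ubuntu
      # runners; on the macOS and Windows legs this step is expected to be a
      # no-op, i.e. egress is presumably NOT filtered there — confirm rather
      # than assume.
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          # sudo stays available only because the Ubuntu leg installs shells
          # with apt below.
          disable-sudo: false
          egress-policy: block
          # azure.archive.ubuntu.com is plain HTTP: apt verifies the signed
          # Release/Packages metadata, so package integrity rests on those
          # signatures rather than on transport security.
          allowed-endpoints: >
            actions-results-receiver-production.githubapp.com:443
            api.github.com:443
            artifactcache.actions.githubusercontent.com:443
            azure.archive.ubuntu.com:80
            github.com:443
            gitlab.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
      - name: Install Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          cache: npm
          node-version-file: .nvmrc
      - name: Install dependencies
        run: npm clean-install
      # The tests exercise shells the Ubuntu image does not ship with.
      - name: Install csh
        if: ${{ matrix.name == 'Ubuntu' }}
        run: sudo apt-get --assume-yes install csh
      - name: Install Zsh
        if: ${{ matrix.name == 'Ubuntu' }}
        run: sudo apt-get --assume-yes install zsh
      - name: Run end-to-end tests
        run: npm run coverage:e2e
  test-integration:
    name: Integration (${{ matrix.name }})
    runs-on: ${{ matrix.os }}
    needs:
      - test-unit
      - transpile
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: MacOS
            os: macos-14
          - name: Ubuntu
            os: ubuntu-24.04
          - name: Windows
            os: windows-2022
    steps:
      # NOTE(review): as in test-e2e, harden-runner is only expected to enforce
      # the egress policy on the Ubuntu leg.
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          # Needed for the apt installs below (Ubuntu leg only).
          disable-sudo: false
          egress-policy: block
          allowed-endpoints: >
            actions-results-receiver-production.githubapp.com:443
            api.github.com:443
            artifactcache.actions.githubusercontent.com:443
            azure.archive.ubuntu.com:80
            github.com:443
            gitlab.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
      - name: Install Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          cache: npm
          node-version-file: .nvmrc
      - name: Install dependencies
        run: npm clean-install
      - name: Install Zsh
        if: ${{ matrix.name == 'Ubuntu' }}
        run: sudo apt-get --assume-yes install zsh
      - name: Install csh
        if: ${{ matrix.name == 'Ubuntu' }}
        run: sudo apt-get --assume-yes install csh
      - name: Run integration tests
        run: npm run coverage:integration
  # Stryker mutation testing against the unit suite, incremental across runs.
  test-mutation-unit:
    name: Mutation (Unit)
    runs-on: ubuntu-24.04
    needs:
      - test-unit
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            actions-results-receiver-production.githubapp.com:443
            api.github.com:443
            artifactcache.actions.githubusercontent.com:443
            github.com:443
            gitlab.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
      - name: Install Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          cache: npm
          node-version-file: .nvmrc
      # The key embeds the run number, so it never hits exactly: restore-keys
      # brings in the most recent incremental report and actions/cache saves
      # the updated one at the end of the job (cache-miss save). Only caches
      # from this branch or the base branch are restorable, so a pull request
      # cannot poison main's report.
      - name: Cache Stryker incremental report
        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: .cache/stryker-incremental-unit.json
          key: mutation-unit-${{ github.run_number }}
          restore-keys: |
            mutation-unit-
      - name: Install dependencies
        run: npm clean-install
      - name: Run mutation tests
        run: npm run mutation:unit
      - name: Upload mutation report
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        # Publish the report whether the mutation score passed or failed, but
        # not when the run was cancelled.
        if: ${{ failure() || success() }}
        with:
          name: mutation-unit-report
          path: |
            _reports/mutation/unit.html
            .cache/stryker-incremental-unit.json
  # Stryker mutation testing against the integration suite, incremental.
  test-mutation-integration:
    name: Mutation (integration)
    runs-on: ubuntu-24.04
    needs:
      - test-integration
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          # Needed for the apt installs below.
          disable-sudo: false
          egress-policy: block
          allowed-endpoints: >
            actions-results-receiver-production.githubapp.com:443
            api.github.com:443
            artifactcache.actions.githubusercontent.com:443
            azure.archive.ubuntu.com:80
            github.com:443
            gitlab.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
      - name: Install Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          cache: npm
          node-version-file: .nvmrc
      # Same incremental-report caching scheme as test-mutation-unit.
      - name: Cache Stryker incremental report
        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: .cache/stryker-incremental-integration.json
          key: mutation-integration-${{ github.run_number }}
          restore-keys: |
            mutation-integration-
      - name: Install dependencies
        run: npm clean-install
      - name: Install Zsh
        run: sudo apt-get --assume-yes install zsh
      - name: Install csh
        run: sudo apt-get --assume-yes install csh
      - name: Run mutation tests
        run: npm run mutation:integration
      - name: Upload mutation report
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        # Upload on pass or fail, skip only when cancelled.
        if: ${{ failure() || success() }}
        with:
          name: mutation-integration-report
          path: |
            _reports/mutation/integration.html
            .cache/stryker-incremental-integration.json
  test-unit:
    name: Unit
    runs-on: ubuntu-24.04
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            actions-results-receiver-production.githubapp.com:443
            api.github.com:443
            artifactcache.actions.githubusercontent.com:443
            github.com:443
            gitlab.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
      - name: Install Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          cache: npm
          node-version-file: .nvmrc
      - name: Install dependencies
        run: npm clean-install
      - name: Run unit tests
        run: npm run coverage:unit
  # Smoke check that the CommonJS transpilation succeeds; other jobs `need` it.
  transpile:
    name: Transpile
    runs-on: ubuntu-24.04
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            actions-results-receiver-production.githubapp.com:443
            api.github.com:443
            artifactcache.actions.githubusercontent.com:443
            github.com:443
            gitlab.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout repository
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          persist-credentials: false
      - name: Install Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          cache: npm
          node-version-file: .nvmrc
      - name: Install dependencies
        run: npm clean-install
      - name: Transpile to CommonJS
        run: npm run transpile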