chore(ci): Ensure ci workflows is consistent and not vulnerable to injection attacks (#6109)
This commit is contained in:
Seth Vargo
GitHub
parent
b655d8f062
commit
214800cfc6
|
|
@ -1,14 +1,20 @@
|
||||||
# .github/workflows/ci.yml
|
name: 'Gemini CLI CI'
|
||||||
|
|
||||||
name: Gemini CLI CI
|
|
||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches: [main, release]
|
branches:
|
||||||
|
- 'main'
|
||||||
|
- 'release'
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: [main, release]
|
branches:
|
||||||
|
- 'main'
|
||||||
|
- 'release'
|
||||||
merge_group:
|
merge_group:
|
||||||
|
|
||||||
|
concurrency:
|
||||||
|
group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
|
||||||
|
cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith(github.ref, 'refs/heads/release/') }}
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
lint:
|
lint:
|
||||||
name: Lint
|
name: Lint
|
||||||
|
|
@ -51,112 +57,126 @@ jobs:
|
||||||
run: npm run typecheck
|
run: npm run typecheck
|
||||||
|
|
||||||
test:
|
test:
|
||||||
name: Test
|
name: 'Test'
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: '${{ matrix.os }}'
|
||||||
needs: lint
|
needs: 'lint'
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: 'read'
|
||||||
checks: write
|
checks: 'write'
|
||||||
pull-requests: write
|
pull-requests: 'write'
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false # So we can see all test failures
|
fail-fast: false # So we can see all test failures
|
||||||
matrix:
|
matrix:
|
||||||
os: [ubuntu-latest, windows-latest, macos-latest]
|
os:
|
||||||
node-version: [20.x, 22.x, 24.x]
|
- 'macos-latest'
|
||||||
|
- 'ubuntu-latest'
|
||||||
|
- 'windows-latest'
|
||||||
|
node-version:
|
||||||
|
- '20.x'
|
||||||
|
- '22.x'
|
||||||
|
- '24.x'
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: 'Checkout'
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
|
uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
|
||||||
|
|
||||||
- name: Set up Node.js ${{ matrix.node-version }}
|
- name: 'Set up Node.js ${{ matrix.node-version }}'
|
||||||
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
|
uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version: ${{ matrix.node-version }}
|
node-version: '${{ matrix.node-version }}'
|
||||||
cache: 'npm'
|
cache: 'npm'
|
||||||
|
|
||||||
- name: Build project
|
- name: 'Build project'
|
||||||
run: npm run build
|
run: |-
|
||||||
|
npm run build
|
||||||
|
|
||||||
- name: Install dependencies for testing
|
- name: 'Install dependencies for testing'
|
||||||
run: npm ci # Install fresh dependencies using the downloaded package-lock.json
|
run: |-
|
||||||
|
npm ci
|
||||||
|
|
||||||
- name: Run tests and generate reports
|
- name: 'Run tests and generate reports'
|
||||||
run: npm run test:ci
|
|
||||||
env:
|
env:
|
||||||
NO_COLOR: true
|
NO_COLOR: true
|
||||||
|
run: 'npm run test:ci'
|
||||||
|
|
||||||
- name: Publish Test Report (for non-forks)
|
- name: 'Publish Test Report (for non-forks)'
|
||||||
if: always() && (github.event.pull_request.head.repo.full_name == github.repository)
|
if: |-
|
||||||
uses: dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3 # v2
|
${{ always() && (github.event.pull_request.head.repo.full_name == github.repository) }}
|
||||||
|
uses: 'dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3' # ratchet:dorny/test-reporter@v2
|
||||||
with:
|
with:
|
||||||
name: Test Results (Node ${{ matrix.node-version }})
|
name: 'Test Results (Node ${{ matrix.node-version }})'
|
||||||
path: packages/*/junit.xml
|
path: 'packages/*/junit.xml'
|
||||||
reporter: java-junit
|
reporter: 'java-junit'
|
||||||
fail-on-error: 'false'
|
fail-on-error: 'false'
|
||||||
|
|
||||||
- name: Upload Test Results Artifact (for forks)
|
- name: 'Upload Test Results Artifact (for forks)'
|
||||||
if: always() && (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository)
|
if: |-
|
||||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
|
${{ always() && (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) }}
|
||||||
|
uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: test-results-fork-${{ matrix.node-version }}-${{ matrix.os }}
|
name: 'test-results-fork-${{ matrix.node-version }}-${{ matrix.os }}'
|
||||||
path: packages/*/junit.xml
|
path: 'packages/*/junit.xml'
|
||||||
|
|
||||||
- name: Upload coverage reports
|
- name: 'Upload coverage reports'
|
||||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
|
if: |-
|
||||||
if: always()
|
${{ always() }}
|
||||||
|
uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}
|
name: 'coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}'
|
||||||
path: packages/*/coverage
|
path: 'packages/*/coverage'
|
||||||
|
|
||||||
post_coverage_comment:
|
post_coverage_comment:
|
||||||
name: Post Coverage Comment
|
name: 'Post Coverage Comment'
|
||||||
runs-on: ubuntu-latest
|
runs-on: 'ubuntu-latest'
|
||||||
needs: test
|
needs: 'test'
|
||||||
if: always() && github.event_name == 'pull_request' && (github.event.pull_request.head.repo.full_name == github.repository)
|
if: |-
|
||||||
|
${{ always() && github.event_name == 'pull_request' && (github.event.pull_request.head.repo.full_name == github.repository) }}
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
permissions:
|
permissions:
|
||||||
contents: read # For checkout
|
contents: 'read' # For checkout
|
||||||
pull-requests: write # For commenting
|
pull-requests: 'write' # For commenting
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
# Reduce noise by only posting the comment once
|
# Reduce noise by only posting the comment once
|
||||||
os: [ubuntu-latest]
|
os:
|
||||||
node-version: [22.x]
|
- 'ubuntu-latest'
|
||||||
|
node-version:
|
||||||
|
- '22.x'
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: 'Checkout'
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
|
uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
|
||||||
|
|
||||||
- name: Download coverage reports artifact
|
- name: 'Download coverage reports artifact'
|
||||||
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
|
uses: 'actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0' # ratchet:actions/download-artifact@v5
|
||||||
with:
|
with:
|
||||||
name: coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}
|
name: 'coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}'
|
||||||
path: coverage_artifact # Download to a specific directory
|
path: 'coverage_artifact' # Download to a specific directory
|
||||||
|
|
||||||
- name: Post Coverage Comment using Composite Action
|
- name: 'Post Coverage Comment using Composite Action'
|
||||||
uses: ./.github/actions/post-coverage-comment # Path to the composite action directory
|
uses: './.github/actions/post-coverage-comment' # Path to the composite action directory
|
||||||
with:
|
with:
|
||||||
cli_json_file: coverage_artifact/cli/coverage/coverage-summary.json
|
cli_json_file: 'coverage_artifact/cli/coverage/coverage-summary.json'
|
||||||
core_json_file: coverage_artifact/core/coverage/coverage-summary.json
|
core_json_file: 'coverage_artifact/core/coverage/coverage-summary.json'
|
||||||
cli_full_text_summary_file: coverage_artifact/cli/coverage/full-text-summary.txt
|
cli_full_text_summary_file: 'coverage_artifact/cli/coverage/full-text-summary.txt'
|
||||||
core_full_text_summary_file: coverage_artifact/core/coverage/full-text-summary.txt
|
core_full_text_summary_file: 'coverage_artifact/core/coverage/full-text-summary.txt'
|
||||||
node_version: ${{ matrix.node-version }}
|
node_version: '${{ matrix.node-version }}'
|
||||||
os: ${{ matrix.os }}
|
os: '${{ matrix.os }}'
|
||||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
github_token: '${{ secrets.GITHUB_TOKEN }}'
|
||||||
|
|
||||||
codeql:
|
codeql:
|
||||||
name: CodeQL
|
name: 'CodeQL'
|
||||||
runs-on: ubuntu-latest
|
runs-on: 'ubuntu-latest'
|
||||||
permissions:
|
permissions:
|
||||||
actions: read
|
actions: 'read'
|
||||||
contents: read
|
contents: 'read'
|
||||||
security-events: write
|
security-events: 'write'
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: 'Checkout'
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
|
uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
|
||||||
|
|
||||||
- name: Initialize CodeQL
|
- name: 'Initialize CodeQL'
|
||||||
uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3
|
uses: 'github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2' # ratchet:github/codeql-action/init@v3
|
||||||
with:
|
with:
|
||||||
languages: javascript
|
languages: 'javascript'
|
||||||
|
|
||||||
- name: Perform CodeQL Analysis
|
- name: 'Perform CodeQL Analysis'
|
||||||
uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3
|
uses: 'github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2' # ratchet:github/codeql-action/analyze@v3
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue