diff --git a/.github/linters/.checkov.yml b/.github/linters/.checkov.yml
index 9f68cda..7cc614b 100644
--- a/.github/linters/.checkov.yml
+++ b/.github/linters/.checkov.yml
@@ -5,6 +5,7 @@
 quiet: true
 skip-check:
 - CKV_DOCKER_2
+ - CKV_DOCKER_8
 - CKV_GHA_3
 - BC_DKR_3
 - CKV_GIT_1
diff --git a/.github/linters/.grype.yaml b/.github/linters/.grype.yaml
new file mode 100644
index 0000000..007546c
--- /dev/null
+++ b/.github/linters/.grype.yaml
@@ -0,0 +1,3 @@
+check-for-app-update: false
+exclude:
+ - '**/package-lock.json'
diff --git a/.github/linters/.lychee.toml b/.github/linters/.lychee.toml
new file mode 100644
index 0000000..9550a2e
--- /dev/null
+++ b/.github/linters/.lychee.toml
@@ -0,0 +1 @@
+exclude_path = [".github"]
diff --git a/.github/linters/.mega-linter.yml b/.github/linters/.mega-linter.yml
index 2234280..c30aea7 100644
--- a/.github/linters/.mega-linter.yml
+++ b/.github/linters/.mega-linter.yml
@@ -11,6 +11,8 @@
 DISABLE_LINTERS:
 - JSON_PRETTIER
 - YAML_PRETTIER
 - JAVASCRIPT_PRETTIER
+ - HTML_DJLINT
+ - REPOSITORY_DEVSKIM # temporarily disabled
 LOG_LEVEL: INFO
 PRINT_ALPACA: false
@@ -19,7 +21,7 @@
 SHOW_ELAPSED_TIME: true
 FLAVOR_SUGGESTIONS: false
 VALIDATE_ALL_CODEBASE: false
 IGNORE_GENERATED_FILES: true
-FILTER_REGEX_EXCLUDE: (dist/*|README.md|test/fixtures/*|vendor/*|/schemas/*)
+FILTER_REGEX_EXCLUDE: (dist/*|README.md|test/fixtures/*|vendor/*|/schemas/*|coverage/*|.nyc_output/*)
 MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdown-lint.yml
 REPOSITORY_CHECKOV_ARGUMENTS: [--skip-path, schemas]
diff --git a/.github/workflows/pull_request_target.yml b/.github/workflows/pull_request_target.yml
index eaf1f3b..3bc886c 100644
--- a/.github/workflows/pull_request_target.yml
+++ b/.github/workflows/pull_request_target.yml
@@ -10,5 +10,5 @@
 permissions: read-all
 jobs:
 main:
- uses: ahmadnassri/actions/.github/workflows/pull-request-target-template.yml@master
+ uses: ahmadnassri/actions/.github/workflows/pull-request-target.yml@master
 secrets: inherit
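Review bot: The added `- CKV_DOCKER_8` skip carries no comment explaining why, and unlike a global HEALTHCHECK waiver this one appears to be the Checkov "last USER is not root" check (verify against the catalogue), so it silences a container-privilege finding for every Dockerfile in the repository. Record the reason inline, e.g. `- CKV_DOCKER_8 # <image> must run as root because …`, and prefer an inline `# checkov:skip=CKV_DOCKER_8: <reason>` on the specific Dockerfile instruction so the suppression is scoped to one file rather than to the whole repo.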
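Review bot: Excluding `**/package-lock.json` removes the lockfile that Grype's JavaScript cataloguer relies on to see pinned npm dependency versions, so CVEs in this project's own npm dependency graph will presumably no longer be reported by this scan. The same change deletes the inline `npm audit` job from push.yml, so unless the reusable workflow it now calls runs that audit, nothing visible here still scans npm dependencies. If the exclusion is deliberate to avoid double reporting, say so next to it, `- '**/package-lock.json' # npm deps are audited by npm audit in the push workflow`; otherwise drop it. `check-for-app-update: false` is reasonable for CI, but it means whatever installs the scanner should pin its version explicitly.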
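Review bot: `- REPOSITORY_DEVSKIM # temporarily disabled` turns off the only security-pattern linter in this list without saying why or what unblocks re-enabling it, and "temporarily" in a linter config tends to become permanent. Put the reason and a tracking reference in the comment, `- REPOSITORY_DEVSKIM # temporarily disabled: <reason>, re-enable when <issue/PR> lands`, or, if the trigger is a single noisy rule, suppress that rule in the DevSkim config instead of disabling the whole linter. The `HTML_DJLINT` entry has no rationale either, though as a formatting linter it is less of a concern.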
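Review bot: `FILTER_REGEX_EXCLUDE` is documented by MegaLinter as a regular expression, so the two added alternatives `coverage/*` and `.nyc_output/*` mean "coverage followed by zero or more slashes" and "any character followed by nyc_output", and a source file such as `src/coverage-report.js` would now be excluded from every linter. The pre-existing alternatives share the same shape, but the new ones can at least be written as intended: `FILTER_REGEX_EXCLUDE: (dist/*|README.md|test/fixtures/*|vendor/*|/schemas/*|coverage/|\.nyc_output/)`. If the value is in fact matched as a glob rather than searched as a regex, this does not apply.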
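Review bot: The updated `uses:` line still references the reusable workflow by the floating `@master` branch while this workflow runs on `pull_request_target` with `secrets: inherit`, i.e. in the base repository's context with its secrets, for pull requests that may originate from forks; whatever is pushed to that branch later runs here with those credentials and without review in this repo. Pin to an immutable ref with the version recorded alongside, `uses: ahmadnassri/actions/.github/workflows/pull-request-target.yml@<full-commit-sha> # vX.Y.Z`, and update it with the same tooling used for action pins. If the callee declares its required secrets, an explicit `secrets:` map instead of `inherit` also bounds what a compromised upstream could read.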
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 18422fa..e54a153 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -2,321 +2,20 @@
 # Note: this file originates in template-node-lib #
 # ----------------------------------------------- #
+name: push
+
 on:
 - push
 - workflow_dispatch
-name: push
-
-concurrency:
- group: ${{ github.ref }}-${{ github.workflow }}
-
-permissions:
- contents: write
- packages: write
- pull-requests: write
-
-env:
- NODE_ENV: test
+permissions: read-all
 jobs:
- metadata:
- runs-on: ubuntu-latest
-
- outputs:
- image-name: ${{ steps.image.outputs.name }}
- dockerfile: ${{ steps.dockerfile.outputs.exists }}
- repository_is_template: ${{ steps.metadata.outputs.repository_is_template }}
- repository_default_branch: ${{ steps.metadata.outputs.repository_default_branch }}
-
- steps:
- - uses: actions/checkout@v3.5.3
-
- - id: metadata
- uses: ahmadnassri/action-metadata@v2.1.2
-
- - id: dockerfile
- run: echo "exists=$([[ -f "${{ github.workspace }}/Dockerfile" ]] && echo true || echo false)" >> "$GITHUB_OUTPUT"
-
- - id: image
- run: echo "name=$(basename "${GITHUB_REPOSITORY/node-//}")" >> "$GITHUB_OUTPUT"
-
- commit-lint:
- timeout-minutes: 5
-
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v3.5.3
-
- - uses: ahmadnassri/action-commit-lint@v2.1.15
- with:
- config: .github/linters/.commit-lint.yml
-
- mega-linter:
- timeout-minutes: 5
-
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v3.5.3
-
- - uses: oxsecurity/megalinter/flavors/javascript@v7.2.1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- MEGALINTER_CONFIG: .github/linters/.mega-linter.yml
- GITHUB_COMMENT_REPORTER: true
- GITHUB_STATUS_REPORTER: true
-
- - uses: actions/upload-artifact@v3.1.2
- if: ${{ success() }} || ${{ failure() }}
- with:
- name: mega-linter-reports
- path: |
- megalinter-reports
- mega-linter.log
-
- npm-audit:
- timeout-minutes: 5
-
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v3.5.3
-
- - uses: ahmadnassri/action-dotenv@v1.0.3
-
- - uses: actions/setup-node@v3.7.0
- with:
- node-version: latest
-
- - run: npm audit
- env:
- NPM_CONFIG_AUDIT_LEVEL: ${{ env.NPM_CONFIG_AUDIT_LEVEL || 'critical' }}
-
- test-strategy:
- timeout-minutes: 5
-
- runs-on: ubuntu-latest
-
- outputs:
- matrix: ${{ steps.parse.outputs.matrix }}
-
- steps:
- - uses: actions/checkout@v3.5.3
- - id: parse
- run: echo "matrix=$(jq -c . < .github/test-matrix.json)" >> "$GITHUB_OUTPUT"
-
- test:
- needs:
- - npm-audit
- - test-strategy
-
- timeout-minutes: 5
-
- name: ${{ matrix.name || format('node v{0} @ {1}', matrix.node-version, matrix.os) || 'test-step' }}
-
- strategy:
- matrix: ${{ fromJSON(needs.test-strategy.outputs.matrix) }}
-
- runs-on: ${{ matrix.os }}
-
- steps:
- - uses: actions/checkout@v3.5.3
- with:
- submodules: true
-
- - uses: ahmadnassri/action-dotenv@v1.0.3
-
- - uses: actions/setup-node@v3.7.0
- with:
- node-version: ${{ matrix.node-version }}
- cache: npm
-
- - uses: ahmadnassri/action-github-registry-npm-proxy@v4.0.3
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
-
- - run: npm ci
- - run: npm run test:ci
-
- release:
- needs:
- - test
- - metadata
- - commit-lint
- - mega-linter
-
- # only runs on main branch for non template repos
- if: |
- needs.metadata.outputs.repository_is_template == 'false' &&
- needs.metadata.outputs.repository_default_branch == github.ref_name
-
- timeout-minutes: 20
-
- runs-on: ubuntu-latest
-
+ main:
+ uses: ahmadnassri/actions/.github/workflows/push-javascript.yml@master
+ secrets: inherit
 permissions:
 contents: write
+ statuses: write
 packages: write
-
- outputs:
- published: ${{ steps.release.outputs.published }}
- version: ${{ steps.release.outputs.release-version }}
- version-major: ${{ steps.release.outputs.release-version-major }}
- version-minor: ${{ steps.release.outputs.release-version-minor }}
-
- steps:
- - uses: actions/checkout@v3.5.3
- with:
- submodules: true
-
- - uses: actions/setup-node@v3.7.0
- with:
- cache: npm
-
- - run: npm ci
-
- - id: release
- uses: ahmadnassri/action-semantic-release@v2.2.6
- with:
- config: ${{ github.workspace }}/.semantic.json
- env:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- mirror:
- needs: release
-
- timeout-minutes: 5
-
- runs-on: ubuntu-latest
-
- permissions:
- packages: write
-
- if: ${{ needs.release.outputs.published == 'true' }}
-
- steps:
- - uses: actions/checkout@v3.5.3
- with:
- submodules: true
-
- - uses: actions/setup-node@v3.7.0
- with:
- registry-url: https://npm.pkg.github.com
- node-version: latest
-
- - name: publish to github registry
- env:
- NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- jq '.name = "@'"${GITHUB_REPOSITORY/node-/}"'"' package.json > /tmp/package.json; mv /tmp/package.json .
- npm version --no-git-tag-version "v${{ needs.release.outputs.version }}"
- npm publish
-
- publish-strategy:
- needs:
- - metadata
-
- timeout-minutes: 5
-
- # only runs on main branch for non template repos
- if: |
- needs.metadata.outputs.repository_is_template == 'false' &&
- needs.metadata.outputs.repository_default_branch == github.ref_name
-
- runs-on: ubuntu-latest
-
- outputs:
- matrix: ${{ steps.parse.outputs.matrix }}
-
- steps:
- - uses: actions/checkout@v3.5.3
- - id: parse
- run: echo "matrix=$(jq -c . < .github/publish-matrix.json)" >> "$GITHUB_OUTPUT"
-
- publish-docker:
- needs:
- - release
- - metadata
- - publish-strategy
-
- timeout-minutes: 5
-
- if: |
- needs.release.outputs.published == 'true' &&
- needs.metadata.outputs.dockerfile == 'true'
-
- name: ${{ format('publish to {0}', matrix.registry) || 'publish-step' }}
-
- strategy:
- matrix: ${{ fromJSON(needs.publish-strategy.outputs.matrix) }}
-
- runs-on: ubuntu-latest
-
- permissions:
- packages: write
-
- steps:
- - uses: actions/checkout@v3.5.3
- - uses: docker/setup-qemu-action@v2
- - uses: docker/setup-buildx-action@v2
-
- # login to docker hub
- - uses: docker/login-action@v2
- with:
- username: ${{ github.repository_owner }}
- password: ${{ secrets.DOCKER_TOKEN }}
-
- # login to github container registry
- - uses: docker/login-action@v2
- with:
- registry: ghcr.io
- username: ${{ github.repository_owner }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - id: meta
- run: |
- echo "name=${{ github.repository_owner }}/$(basename "${GITHUB_REPOSITORY/node-//}")" >> "$GITHUB_OUTPUT"
-
- # publish
- - uses: docker/build-push-action@v4
- with:
- push: true
- cache-from: type=gha
- cache-to: type=gha,mode=max
- platforms: linux/amd64,linux/arm64,linux/arm/v7
- tags: |
- ${{ matrix.registry }}/${{ github.repository_owner }}/${{ needs.metadata.outputs.image-name }}:latest
- ${{ matrix.registry }}/${{ github.repository_owner }}/${{ needs.metadata.outputs.image-name }}:${{ needs.release.outputs.version-major }}
- ${{ matrix.registry }}/${{ github.repository_owner }}/${{ needs.metadata.outputs.image-name }}:${{ needs.release.outputs.version }}
- labels: |
- org.opencontainers.image.title=${{ needs.metadata.outputs.image-name }}
- org.opencontainers.image.url=${{ github.event.repository.html_url }}
- org.opencontainers.image.version=${{ needs.release.outputs.version }}
- org.opencontainers.image.source=${{ github.event.repository.html_url }}
- org.opencontainers.image.revision=${{ github.sha }}
-
- template-sync:
- timeout-minutes: 5
-
- needs:
- - metadata
- - test
- - commit-lint
- - mega-linter
-
- # only runs on main branch for template repos
- if: |
- needs.metadata.outputs.repository_is_template == 'true' &&
- needs.metadata.outputs.repository_default_branch == github.ref_name
-
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v3.5.3
-
- - uses: ahmadnassri/action-template-repository-sync@v2.4.6
- with:
- github-token: ${{ secrets.GH_TOKEN }}
+ pull-requests: write
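Review bot: The new `main` job hands every repository secret (`secrets: inherit`) plus `contents`, `packages`, `pull-requests` and `statuses` write permissions to a reusable workflow resolved from a mutable branch, `ahmadnassri/actions/.github/workflows/push-javascript.yml@master`, so any later push to that branch silently changes what publishes to npm, GHCR and Docker Hub with this repo's credentials; the inline workflow being deleted pinned every action to an exact version (`actions/checkout@v3.5.3`, `action-semantic-release@v2.2.6`, …) and exposed only the secret each step needed (`NPM_TOKEN`, `DOCKER_TOKEN`, `GH_TOKEN`, `GITHUB_TOKEN`). Pin the callee to an immutable ref with the version noted alongside, `uses: ahmadnassri/actions/.github/workflows/push-javascript.yml@<full-commit-sha> # vX.Y.Z`, and if its required secrets are declared, replace `secrets: inherit` with an explicit `secrets:` map. The `concurrency:` group that serialised runs per ref is also dropped with no replacement visible here; if the reusable workflow does not define its own, two pushes in quick succession can run the release and publish steps concurrently.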