diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 63f2305ff154..0573b37dddb4 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -15,19 +15,73 @@ env:
 NODE_OPTIONS: --max_old_space_size=6144
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions: {}
+
 jobs:
+ dedupe:
+ name: Deduplicate dependencies
+ if: |
+ github.actor == 'steverep' &&
+ startsWith(github.head_ref, 'dependabot/npm_and_yarn/')
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ outputs:
+ sha: ${{ steps.get-sha.outputs.sha }}
+ steps:
+ - name: Check out files from GitHub
+ uses: actions/checkout@v3
+ with:
+ # Checkout PR head instead of merge commit
+ ref: ${{ github.event.pull_request.head.ref }}
+ - name: Set up Node ${{ env.NODE_VERSION }}
+ uses: actions/setup-node@v3
+ with:
+ node-version: ${{ env.NODE_VERSION }}
+ # cache: yarn
+ - name: Install dependencies
+ # Do not run build scripts as a security measure since job has write permissions
+ run: yarn install --immutable --mode=skip-build
+ env:
+ CI: true
+ - name: Deduplicate dependencies
+ run: yarn dedupe --mode=skip-build
+ - name: Commit changes
+ run: |
+ git config user.name "GitHub Action"
+ git config user.email "github-action@users.noreply.github.com"
+ git add yarn.lock
+ git commit -m "Deduplicate dependencies" || exit 0
+ git push origin HEAD:${{ github.head_ref }}
+ - name: Checkout updated merge commit
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.ref }}
+ # clean: false
+ - name: Output updated SHA
+ id: get-sha
+ # Note this will be the same as GITHUB_SHA if no commit occurs
+ run: |
+ echo sha=`git log -1 --format="%H"` >> $GITHUB_OUTPUT
+ echo $GITHUB_SHA
 lint:
+ name: Lint and check format
+ needs: dedupe
+ # Allow deduplication to be skipped
+ if: ${{ !failure() }}
 runs-on: ubuntu-latest
 steps:
 - name: Check out files from GitHub
 uses: actions/checkout@v3
+ with:
+ ref: ${{ needs.dedupe.outputs.sha }}
 - name: Set up Node ${{ env.NODE_VERSION }}
 uses: actions/setup-node@v3
 with:
 node-version: ${{ env.NODE_VERSION }}
 cache: yarn
 - name: Install dependencies
- run: yarn install
+ run: yarn install --immutable
 env:
 CI: true
 - name: Build resources
@@ -41,6 +95,10 @@ jobs:
 - name: Check for duplicate dependencies
 run: yarn dedupe --check
 test:
+ name: Run tests
+ needs: dedupe
+ # Allow deduplication to be skipped
+ if: ${{ !failure() }}
 runs-on: ubuntu-latest
 steps:
 - name: Check out files from GitHub
@@ -51,7 +109,7 @@ jobs:
 node-version: ${{ env.NODE_VERSION }}
 cache: yarn
 - name: Install dependencies
- run: yarn install
+ run: yarn install --immutable
 env:
 CI: true
 - name: Build resources
@@ -59,6 +117,7 @@ jobs:
 - name: Run Tests
 run: yarn run test
 build:
+ name: Build frontend
 runs-on: ubuntu-latest
 needs: [lint, test]
 steps:
@@ -70,7 +129,7 @@ jobs:
 node-version: ${{ env.NODE_VERSION }}
 cache: yarn
 - name: Install dependencies
- run: yarn install
+ run: yarn install --immutable
 env:
 CI: true
 - name: Build Application
@@ -78,6 +137,7 @@ jobs:
 env:
 IS_TEST: "true"
 supervisor:
+ name: Build supervisor
 runs-on: ubuntu-latest
 needs: [lint, test]
 steps:
@@ -89,7 +149,7 @@ jobs:
 node-version: ${{ env.NODE_VERSION }}
 cache: yarn
 - name: Install dependencies
- run: yarn install
+ run: yarn install --immutable
 env:
 CI: true
 - name: Build Application
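Review bot: In the `Commit changes` step of the new `dedupe` job, `${{ github.head_ref }}` is expanded into the script text before the shell runs it, inside a job that holds `contents: write`; the `startsWith` test in `if:` pins only the branch-name prefix, not the remainder. Pass the value through the environment instead: give the step an `env:` entry `HEAD_REF: ${{ github.head_ref }}` and push with `git push origin "HEAD:$HEAD_REF"`. The gate `github.actor == 'steverep'` names a personal account, and `github.actor` is whoever triggered the run rather than the PR author, so it reads like a testing leftover; if the intent is Dependabot PRs, comparing `github.event.pull_request.user.login` with `dependabot[bot]` would state that directly. Because this job can write to the repository, pinning `actions/checkout` and `actions/setup-node` to full commit SHAs instead of `@v3` is also worth considering.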
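Review bot: The `test` job now has `needs: dedupe`, but unlike `lint` its checkout step does not appear to get `ref: ${{ needs.dedupe.outputs.sha }}`. This hunk ends on the step's `name:` line and the next hunk resumes four lines later in the new file, which leaves no room for an added `with:` block, so this is inferred from the line numbering rather than seen directly. If that reading is right, `test` (and `build` / `supervisor`, whose checkouts are likewise untouched) runs against the original `GITHUB_SHA`, so the lockfile commit that `dedupe` pushes to the PR branch is exercised only by lint. Consider adding `with:` and `ref: ${{ needs.dedupe.outputs.sha }}` to those checkouts as well, or add a comment explaining why only `lint` needs the updated commit.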