Merge pull request #40 from mnaimfaizy/dependabot/npm_and_yarn/npm-de… #115
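# CI/CD pipeline for the Node.js application.
#
# Security posture of this workflow (keep these invariants when editing):
#   - The default GITHUB_TOKEN is read-only (`permissions: contents: read`)
#     and no job widens it.
#   - Every third-party action is pinned to a full commit SHA; the trailing
#     `# vX.Y.Z` comment is documentation only, the SHA is what runs.
#   - Third-party code (npm lifecycle scripts) only executes in jobs that
#     `need` secure-install-review, which installs with `--ignore-scripts`
#     and audits the lockfile first. Every job that runs `npm ci` then checks
#     that the install did not rewrite package-lock.json.
#   - Checkouts use `persist-credentials: false` so the token is not left in
#     .git/config where lifecycle scripts or tooling could read it; nothing in
#     this workflow pushes to the repository.
name: CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

# Read-only token for the whole workflow. A job that genuinely needs more
# must add its own `permissions:` block rather than widening this one.
permissions:
  contents: read

# A new push to the same ref cancels the still-running pipeline for the old
# commit; nothing here deploys, so an interrupted run loses nothing.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  dependency-review:
    name: Dependency Review
    # Only meaningful on PRs: the action compares the dependency graph of the
    # PR base commit with that of the head commit.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # actions/dependency-review-action fails outright when the repository's
      # Dependency graph feature is disabled. Probe the API first so the job
      # degrades to a visible warning instead of an opaque failure.
      - name: Check dependency review API availability
        id: dependency-review-availability
        env:
          # Inputs are passed through env vars rather than interpolated into
          # the script body, so no `${{ }}` expression expands inside bash.
          GITHUB_TOKEN: ${{ github.token }}
          REPOSITORY: ${{ github.repository }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          response_file="$(mktemp)"
          # Remove the temp file on every exit path, including the `exit 1` below.
          trap 'rm -f "$response_file"' EXIT
          status_code="$(curl --silent --output "$response_file" --write-out '%{http_code}' \
            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/${REPOSITORY}/dependency-graph/compare/${BASE_SHA}...${HEAD_SHA}")"
          if [ "$status_code" = "200" ]; then
            echo "supported=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # 403/404 are treated as "Dependency graph not enabled, or not
          # visible to this token": skip the review and say so loudly.
          if [ "$status_code" = "403" ] || [ "$status_code" = "404" ]; then
            echo "supported=false" >> "$GITHUB_OUTPUT"
            echo "status_code=$status_code" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Anything else (5xx, rate limiting, a curl failure reporting 000) is
          # a real problem: surface the body and fail rather than silently
          # skipping a security gate.
          cat "$response_file"
          echo "Unexpected dependency review API response: $status_code" >&2
          exit 1

      - name: Checkout code
        if: steps.dependency-review-availability.outputs.supported == 'true'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Review dependency changes
        if: steps.dependency-review-availability.outputs.supported == 'true'
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
        with:
          # Blocks the PR on any newly introduced advisory of moderate severity
          # or above. NOTE(review): this is stricter than the `npm audit
          # --audit-level=high` gate in secure-install-review; confirm the two
          # thresholds are meant to differ.
          fail-on-severity: moderate
          fail-on-scopes: development, runtime, unknown

      - name: Explain skipped dependency review
        if: steps.dependency-review-availability.outputs.supported != 'true'
        env:
          STATUS_CODE: ${{ steps.dependency-review-availability.outputs.status_code }}
        run: |
          echo "::warning title=Dependency review skipped::GitHub dependency review is unavailable for this repository. Enable Dependency graph in repository settings to re-enable this check."
          {
            echo "## Dependency review skipped"
            echo
            echo "GitHub's dependency review API returned HTTP ${STATUS_CODE:-unknown} for this repository."
            echo
            echo "Enable Dependency graph in repository settings to re-enable actions/dependency-review-action."
          } >> "$GITHUB_STEP_SUMMARY"

  # Installs the locked dependency tree WITHOUT running lifecycle scripts and
  # audits it. Every job that later runs an unrestricted `npm ci` depends on
  # this job, so a package with a known-vulnerable version never gets to
  # execute a postinstall hook on the runner.
  secure-install-review:
    name: Secure Install Review
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "20"
          cache: "npm"

      # NOTE(review): setup-node's `cache: "npm"` already restores ~/.npm keyed
      # on the lockfile hash; this second cache of the same path is redundant
      # and can be dropped once nothing depends on it.
      - name: Restore cached dependencies
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      # --ignore-scripts: fetch and unpack only; no preinstall/postinstall
      # code from any dependency runs in this job.
      - name: Install dependency metadata without scripts
        run: npm ci --ignore-scripts

      # `npm ci` must not modify the lockfile; a diff here means the committed
      # lock does not describe what was actually installed.
      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      - name: Run npm audit
        run: npm audit --audit-level=high

  # Primes the npm cache for the downstream jobs. Its `cache-hit` output is
  # exposed for callers but nothing in this workflow currently reads it.
  setup:
    name: Setup Dependencies
    runs-on: ubuntu-latest
    timeout-minutes: 15
    outputs:
      cache-hit: ${{ steps.cache-node-modules.outputs.cache-hit }}
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Cache node modules
        id: cache-node-modules
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          # Prefix fallback: a cache built from an older lockfile is still
          # usable because `npm ci` re-validates every package against the
          # current lock before using it.
          restore-keys: |
            ${{ runner.os }}-node-

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

  lint:
    name: Lint Code
    runs-on: ubuntu-latest
    # secure-install-review gates the unrestricted `npm ci` below.
    needs: [setup, secure-install-review]
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Restore cached dependencies
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      - name: Run linter
        run: npm run lint

  type-check:
    name: Type Check
    runs-on: ubuntu-latest
    needs: [setup, secure-install-review]
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Restore cached dependencies
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      - name: Run type-check
        run: npx tsc --noEmit

  test:
    name: Run Tests
    runs-on: ubuntu-latest
    needs: [setup, secure-install-review]
    timeout-minutes: 20
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Restore cached dependencies
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      - name: Run tests
        run: npm run test:run

      # Coverage is best-effort: a failure here must not mask the real test
      # result from the previous step.
      - name: Generate coverage report
        run: npm run test:coverage
        continue-on-error: true

      # No token is configured, so this is a tokenless upload; with
      # fail_ci_if_error false and continue-on-error it can never fail the job.
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
        with:
          files: ./coverage/coverage-final.json
          fail_ci_if_error: false
        continue-on-error: true

  build:
    name: Build Application
    runs-on: ubuntu-latest
    needs: [lint, type-check, test, secure-install-review]
    timeout-minutes: 20
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Restore cached dependencies
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      - name: Build application
        run: npm run build

      # Short retention: the artifact is a build output, not a release.
      - name: Upload build artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: dist
          path: dist/
          retention-days: 7

  performance:
    name: Performance Check
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name == 'pull_request'
    timeout-minutes: 20
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Restore cached dependencies
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      # NOTE(review): this rebuilds from source instead of downloading the
      # `dist` artifact produced by the build job it depends on.
      - name: Build application
        run: npm run build

      # NOTE(review): no step in this job starts a server on :4173, and nothing
      # visible here supplies a Lighthouse config that would start one, so
      # this step likely fails every run and `continue-on-error` hides it —
      # confirm. Also note `temporaryPublicStorage` uploads the report (page
      # screenshots and content of the PR build) to a public, unauthenticated
      # URL; the `uploadArtifacts` copy is access-controlled, the public copy
      # is not.
      - name: Run Lighthouse CI
        uses: treosh/lighthouse-ci-action@512cc908a55bfb0ad231facca52adf3d3a651df4 # v12
        with:
          urls: |
            http://localhost:4173
          uploadArtifacts: true
          temporaryPublicStorage: true
        continue-on-error: true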