diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 82910487..43c65604 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,26 +1,29 @@
 name: CI
-on: [push, pull_request]
+on: workflow_call
+permissions: {}
 jobs: lint: name: Lint source files runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout steps: - name: Checkout repo - uses: actions/checkout@v2 + uses: actions/checkout@v3 + with: + persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@v1 - - - name: Cache Node.js modules - uses: actions/cache@v2 + uses: actions/setup-node@v3 with: - path: ~/.npm - key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.OS }}-node- + cache: npm + node-version-file: '.node-version' - name: Install Dependencies - run: npm ci + run: npm ci --ignore-scripts + + - name: Lint ESLint + run: npm run lint - name: Check Types run: npm run check 
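Review bot: Every third-party action in this hunk is pinned to a mutable major tag (`actions/checkout@v3`, `actions/setup-node@v3`), and the same applies to `github/codeql-action/*@v2` and the `actionlint` image in the next hunk and to `actions/dependency-review-action@v2` in pull_request.yml. A tag can be moved by the action's maintainers, so the hardening this commit adds (`permissions: {}`, `persist-credentials: false`, `--ignore-scripts`) still leaves the workflow running whatever code the tag points to at run time. Pinning to the full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA>  # v3`, removes that moving part, and Dependabot can keep the SHA current. The `lint` job's `steps` list continues past the end of this hunk.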
@@ -28,6 +31,108 @@ jobs: - name: Lint Prettier run: npm run prettier:check - - name: Build package - run: npm run build:all - shell: bash + - name: Spellcheck + run: npm run check:spelling + + - name: Lint GitHub Actions + uses: docker://rhysd/actionlint:latest + with: + args: -color + + checkForCommonlyIgnoredFiles: + name: Check for commonly ignored files + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout + steps: + - name: Checkout repo + uses: actions/checkout@v3 + with: + persist-credentials: false + + - name: Check if commit contains files that should be ignored + run: | + git clone --depth 1 https://github.com/github/gitignore.git + + rm gitignore/Global/ModelSim.gitignore + rm gitignore/Global/Images.gitignore + rm gitignore/Global/VirtualEnv.gitignore + cat gitignore/Node.gitignore gitignore/Global/*.gitignore > all.gitignore + + IGNORED_FILES=$(git ls-files --cached --ignored --exclude-from=all.gitignore) + if [[ "$IGNORED_FILES" != "" ]]; then + echo -e "::error::Please remove these files:\n$IGNORED_FILES" | sed -z 's/\n/%0A/g' + exit 1 + fi + + checkPackageLock: + name: Check health of package-lock.json file + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout + steps: + - name: Checkout repo + uses: actions/checkout@v3 + with: + persist-credentials: false + + - name: Setup Node.js + uses: actions/setup-node@v3 + with: + cache: npm + node-version-file: '.node-version' + + - name: Install Dependencies + run: npm ci --ignore-scripts + + - name: Check that package-lock.json doesn't have conflicts + run: npm ls --depth 999 + + - name: Run npm install + run: npm install --ignore-scripts --force --package-lock-only --engine-strict --strict-peer-deps + + - name: Check that package-lock.json is in sync with package.json + run: git diff --exit-code package-lock.json + + codeql: + name: Run CodeQL security scan + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout + 
security-events: write # for codeql-action + steps: + - name: Checkout repo + uses: actions/checkout@v3 + with: + persist-credentials: false + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: 'javascript, typescript' + + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@v2 + + buildRelease: + name: Build release + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout + steps: + - name: Checkout repo + uses: actions/checkout@v3 + with: + persist-credentials: false + + - name: Setup Node.js + uses: actions/setup-node@v3 + with: + cache: npm + node-version-file: '.node-version' + + - name: Install Dependencies + run: npm ci --ignore-scripts + + - name: Build release + run: npm run build
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
new file mode 100644
index 00000000..9d189cdd
--- /dev/null
+++ b/.github/workflows/pull_request.yml
@@ -0,0 +1,23 @@
+name: PullRequest
+on: pull_request
+permissions: {}
+jobs:
+ ci:
+ permissions:
+ contents: read # for actions/checkout + security-events: write # for codeql-action + uses: ./.github/workflows/ci.yml + + dependency-review: + name: Security check of added dependencies + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout + steps: + - name: Checkout repo + uses: actions/checkout@v3 + with: + persist-credentials: false + + - name: Dependency review + uses: actions/dependency-review-action@v2
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
new file mode 100644
index 00000000..bbcb53fc
--- /dev/null
+++ b/.github/workflows/push.yml
@@ -0,0 +1,9 @@
+name: Push
+on: push
+permissions: {}
+jobs:
+ ci:
+ permissions:
+ contents: read # for actions/checkout + security-events: write # for codeql-action + uses: ./.github/workflows/ci.yml
diff --git a/.node-version b/.node-version
new file mode 100644
index 00000000..62ccda57
--- /dev/null
+++ b/.node-version 
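Review bot: The `Lint GitHub Actions` step runs `docker://rhysd/actionlint:latest`, so the linter's code is whatever the `latest` tag resolves to on the day of the run, unlike the rest of the job, which is at least tied to a major version. Pin it to a release tag plus image digest, `uses: docker://rhysd/actionlint:<VERSION>@sha256:<IMAGE_DIGEST>`, so the image can only change through a reviewed commit. The `checkForCommonlyIgnoredFiles` job has the same moving target in `git clone --depth 1 https://github.com/github/gitignore.git`: the pattern set changes upstream, so this check can start failing or passing with no change in this repository, and the three `rm` lines presumably abort the step if upstream renames any of those files. Cloning at a fixed commit, or vendoring the merged `all.gitignore`, would make the check reproducible. The `lint` job this hunk starts in begins in the previous hunk; the `buildRelease` job is complete here.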
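Review bot: The `ci` job's `permissions` block in pull_request.yml grants `security-events: write` to the whole reusable workflow, and push.yml carries an identical block, but nothing says why a caller needs it, so a reader may try to narrow it and break the `codeql` job in ci.yml. A comment on the block would make the coupling explicit: `# must cover every permission a job in ci.yml declares; the callee can only narrow, never widen`. For `pull_request` runs from forks the token is read-only regardless of what is declared here, so the CodeQL upload in ci.yml may not succeed on those runs — worth confirming against the repository's fork settings. As a point of style, `ci` is the only job in these two files without a `name:`.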
@@ -0,0 +1 @@
+v19
diff --git a/README.md b/README.md
index 65494fc3..2312f853 100644
--- a/README.md
+++ b/README.md
@@ -101,6 +101,6 @@ Because the process is running inside of the container, `--open` does not work.
 ```sh npm i
-npm run build:all
+npm run build
 npm run start ```
diff --git a/package.json b/package.json
index 462bee1e..02e76514 100644
--- a/package.json
+++ b/package.json
@@ -31,7 +31,7 @@
 "build:typescript": "tsc", "copy:graphql": "cp src/*.graphql dist/", "copy:editor": "mkdir \"dist/editor\" && cp src/editor/*.html dist/editor && cp src/editor/*.js dist/editor && cp src/editor/*.css dist/editor && cp src/editor/*.svg dist/editor",
- "build:all": "rm -rf dist && mkdir dist && npm run build:editor && npm run build:typescript && npm run copy:graphql && npm run copy:editor",
+ "build": "rm -rf dist && mkdir dist && npm run build:editor && npm run build:typescript && npm run copy:graphql && npm run copy:editor",
 "prettier": "prettier --cache --ignore-path .gitignore --write --list-different .", "prettier:check": "prettier --cache --ignore-path .gitignore --check .", "check:spelling": "cspell --cache --no-progress '**/*'"
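Review bot: `.node-version` pins only the major `v19`, an odd-numbered, non-LTS Node.js release line, so the `setup-node` steps in ci.yml resolve it to the newest 19.x available at run time: the toolchain drifts between runs and stops receiving security fixes once that line reaches end-of-life. An even-numbered LTS line pinned to an exact version, e.g. `v18.<MINOR>.<PATCH>` as a placeholder, keeps the build reproducible and supported. The `engines` field of package.json is not in this diff, so whether it agrees with this file cannot be checked here.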