Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci(GHA): Improve handling of PRs from forks #3228

Merged
merged 6 commits into from
Apr 13, 2022
Merged

ci(GHA): Improve handling of PRs from forks #3228

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
42c1fb4
ci(GHA): Update all actions to latest versions
jpveooys Apr 6, 2022
14b13e2
ci(GHA): Reformat all workflows
jpveooys Apr 6, 2022
3f3e6db
ci(GHA): Remove use of secret in cache keys
jpveooys Apr 7, 2022
5a5d463
ci(GHA): Skip SonarCloud scan on PRs from forks
jpveooys Apr 7, 2022
49b1df8
ci(GHA): Add GitHub code scanning
jpveooys Apr 7, 2022
6bd055c
ci(GHA): Handle Chromatic builds in PRs from forks
jpveooys Apr 8, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 0 additions & 45 deletions .github/workflows/automerge.yml
View file
Open in desktop

This file was deleted.

78 changes: 39 additions & 39 deletions .github/workflows/branch_deploy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,42 +13,42 @@ jobs:
env:
PREVIEW_URL: https://deploy-preview--infallible-goldstine-0b7659.netlify.app
steps:
- name: Git clone repository
uses: actions/checkout@v2

- name: Fetch all commits
run: git fetch --all

- name: Remove deploy preview branch if it exists
run: |
result=$((git branch --all) 2>&1)
if [[ `echo $result` == *"deploy/preview"* ]];
then
git push origin --delete deploy/preview;
else
echo "deploy/preview branch does not exist";
fi

- name: Checkout preview branch
run: |
git checkout ${{ github.event.inputs.preview_branch }}
git fetch
git checkout -b deploy/preview
git fetch

- name: Merge into deploy/preview branch
run: |
git merge ${{ github.event.inputs.preview_branch }}

- name: Push deploy_preview branch
run: |
git push origin deploy/preview

- name: Deploy preview branch
run: |
curl -X POST -d {} ${{ secrets.BRANCH_DEPLOY_TOKEN }}

- name: Check deployment
run: |
timeout 900 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' ${PREVIEW_URL})" != "200" ]]; do sleep 30; done' || false
echo "The branch is deployed & ready to preview - ${PREVIEW_URL}"
- name: Git clone repository
uses: actions/checkout@v3

- name: Fetch all commits
run: git fetch --all

- name: Remove deploy preview branch if it exists
run: |
result=$((git branch --all) 2>&1)
if [[ `echo $result` == *"deploy/preview"* ]];
then
git push origin --delete deploy/preview;
else
echo "deploy/preview branch does not exist";
fi

- name: Checkout preview branch
run: |
git checkout ${{ github.event.inputs.preview_branch }}
git fetch
git checkout -b deploy/preview
git fetch

- name: Merge into deploy/preview branch
run: |
git merge ${{ github.event.inputs.preview_branch }}

- name: Push deploy_preview branch
run: |
git push origin deploy/preview

- name: Deploy preview branch
run: |
curl -X POST -d {} ${{ secrets.BRANCH_DEPLOY_TOKEN }}

- name: Check deployment
run: |
timeout 900 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' ${PREVIEW_URL})" != "200" ]]; do sleep 30; done' || false
echo "The branch is deployed & ready to preview - ${PREVIEW_URL}"
90 changes: 51 additions & 39 deletions .github/workflows/build_and_test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,16 +12,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Git clone repository
uses: actions/checkout@v2
uses: actions/checkout@v3

- name: Cache Node modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: '**/node_modules'
key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}
Copy link
Collaborator

@m7kvqbe1 m7kvqbe1 Apr 12, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What was the reason for that CACHE_VERSION secret?

Was it there as a bit of a hack to manually invalidate the cache?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes that's probably the main reason. The other possibility is changing it after e.g. a Node.js upgrade.

We could keep it in but it won't work for forks or Dependabot. We could also just append e.g. v1 to the cache key and change it in the workflow if a problem came up.

It seems like some APIs to manage the cache may be coming later in the year as well: actions/cache#2 (comment)


- name: Cache Cypress binary
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: ~/.cache/Cypress
key: cypress-${{ runner.os }}-cypress-${{ hashFiles('**/yarn.lock') }}
Expand All @@ -43,7 +43,7 @@ jobs:
tar -czvf dist.tar.gz distil distdt

- name: Persist artifacts
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v3
with:
name: dist
path: ./dist.tar.gz
Expand All @@ -52,7 +52,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Git clone repository
uses: actions/checkout@v2
uses: actions/checkout@v3

- name: Run audit
run: yarn run audit
Expand All @@ -63,13 +63,13 @@ jobs:
if: ${{ github.event_name == 'pull_request' }}
steps:
- name: Git clone repository
uses: actions/checkout@v2
uses: actions/checkout@v3

- name: Cache Node modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: '**/node_modules'
key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}

- name: check commits
run: |
Expand All @@ -80,13 +80,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Git clone repository
uses: actions/checkout@v2
uses: actions/checkout@v3

- name: Cache Node modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: '**/node_modules'
key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}

- name: Get dependencies & run lint
run: |
Expand All @@ -98,16 +98,16 @@ jobs:
needs: [Build_icon_library, Lint_react-component-library]
steps:
- name: Git clone repository
uses: actions/checkout@v2
uses: actions/checkout@v3

- name: Cache Node modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: '**/node_modules'
key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}

- name: Attach workspace
uses: actions/download-artifact@v2
uses: actions/download-artifact@v3
with:
name: dist

Expand All @@ -121,7 +121,7 @@ jobs:

- name: SonarCloud Scan
uses: defencedigital/design-system-sonarcloud-action@master
if: ${{ github.actor != 'dependabot[bot]' }}
if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
Expand All @@ -134,24 +134,24 @@ jobs:
browser: ['chrome', 'firefox']
steps:
- name: Git clone repository
uses: actions/checkout@v2
uses: actions/checkout@v3

- name: Cache Node modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: '**/node_modules'
key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}

- name: Cache Cypress binary
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: ~/.cache/Cypress
key: cypress-${{ runner.os }}-cypress-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
cypress-${{ runner.os }}-cypress-

- name: Attach workspace
uses: actions/download-artifact@v2
uses: actions/download-artifact@v3
with:
name: dist

Expand Down Expand Up @@ -183,16 +183,16 @@ jobs:
needs: [Build_icon_library, Lint_react-component-library]
steps:
- name: Git clone repository
uses: actions/checkout@v2
uses: actions/checkout@v3

- name: Cache Node modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: '**/node_modules'
key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}

- name: Attach workspace
uses: actions/download-artifact@v2
uses: actions/download-artifact@v3
with:
name: dist

Expand All @@ -206,42 +206,54 @@ jobs:
needs: [Build_icon_library]
steps:
- name: Git clone repository
uses: actions/checkout@v2
uses: actions/checkout@v3

- name: Cache Node modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: '**/node_modules'
key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}

- name: Jest design-tokens
run: |
yarn --cwd packages/design-tokens build
yarn --cwd packages/design-tokens test

Test_visual_regression:
# See post_built_and_test.yml for details about how this is used
Build_storybook:
runs-on: ubuntu-latest
needs: [Build_icon_library, Test_react-component-library]
# https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
if: ${{ github.actor != 'dependabot[bot]' }}
needs: [Build_icon_library]
steps:
- name: Git clone repository
uses: actions/checkout@v2
uses: actions/checkout@v3
with:
fetch-depth: 0

- name: Cache Node modules
uses: actions/cache@v2
uses: actions/cache@v3
with:
path: '**/node_modules'
key: ${{ runner.os }}-modules-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/yarn.lock') }}
key: ${{ runner.os }}-node-modules-${{ hashFiles('**/yarn.lock') }}

- name: Attach workspace
uses: actions/download-artifact@v2
uses: actions/download-artifact@v3
with:
name: dist

- name: Run visual regression tests
- name: Build Storybook
env:
CHROMATIC_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
CHROMATIC_BRANCH: ${{ github.head_ref || github.ref_name }}
CHROMATIC_SLUG: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
run: |
tar -xzf dist.tar.gz && mv distil packages/icon-library/dist && mv distdt packages/design-tokens/dist
yarn --cwd packages/react-component-library chromatic --project-token=${{secrets.CHROMATIC_TOKEN}} --ci
yarn --cwd packages/react-component-library storybook:static
echo "$CHROMATIC_SHA" > packages/react-component-library/.static_storybook/sha
echo "$CHROMATIC_BRANCH" > packages/react-component-library/.static_storybook/branch
echo "$CHROMATIC_SLUG" > packages/react-component-library/.static_storybook/slug

- name: Upload Storybook artefact
uses: actions/upload-artifact@v3
with:
name: storybook-static
path: packages/react-component-library/.static_storybook
38 changes: 38 additions & 0 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
name: 'CodeQL security scan'

on:
push:
branches: [master]
pull_request:
branches: [master]
schedule:
- cron: '16 9 * * 5'

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: ['typescript']

steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@v2

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v2
Loading