[StepSecurity] Apply security best practices #361
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tests | |
on: | |
push: | |
branches: | |
- master | |
pull_request: | |
permissions: | |
contents: write | |
checks: write | |
pull-requests: read | |
jobs: | |
build-ui: | |
name: Build Web UI | |
uses: ./.github/workflows/build-webui.yml | |
secrets: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
tests_ui: | |
name: Tests on UI | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
with: | |
fetch-depth: 0 | |
- name: Set up Node.js | |
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
with: | |
node-version: '21' | |
- name: Set up pnpm | |
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0 | |
with: | |
standalone: true | |
package_json_file: 'ui/package.json' | |
version: latest | |
- name: Get pnpm store directory | |
shell: bash | |
run: | | |
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV | |
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
name: Setup pnpm cache | |
with: | |
path: ${{ env.STORE_PATH }} | |
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} | |
restore-keys: | | |
${{ runner.os }}-pnpm-store- | |
- name: Install dependencies | |
working-directory: ./ui | |
run: pnpm install | |
- name: Run tests | |
working-directory: ./ui | |
run: pnpm test | |
- name: Upload coverage | |
if: ${{ !cancelled() }} | |
uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
flags: ui | |
name: Web UI tests | |
directory: ./ui | |
verbose: true | |
- name: Upload test results to Codecov | |
if: ${{ !cancelled() }} | |
uses: codecov/test-results-action@1b5b448b98e58ba90d1a1a1d9fcb72ca2263be46 # v1.0.0 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
name: Web UI tests | |
flags: ui | |
file: ./ui/test-results.xml | |
verbose: true | |
tests: | |
name: Tests | |
needs: build-ui | |
strategy: | |
matrix: | |
os: [ ubuntu-latest, windows-latest, macos-13, macos-14 ] | |
test: [ unit, integration-example, integration-real ] | |
include: | |
- test: unit | |
test_type: unit | |
- test: integration-example | |
test_type: integration | |
- test: integration-real | |
test_type: integration | |
fail-fast: false | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
with: | |
fetch-depth: 0 | |
- name: Setup Go | |
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 | |
with: | |
go-version-file: "go.mod" | |
cache: true | |
check-latest: true | |
- name: Setup Go global dependencies | |
run: go install github.com/jstemmer/go-junit-report/v2@latest | |
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 | |
with: | |
python-version: '3.12.3' | |
check-latest: true | |
cache: 'pip' | |
cache-dependency-path: 'scripts/requirements.txt' | |
- name: Add python dependencies | |
run: | | |
pip install -r scripts/requirements.txt | |
- name: Download UI file | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
name: ui | |
- name: Move UI file | |
run: mv index.html internal/webui/index.html | |
- name: Cache test binaries | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: scripts/bins | |
key: testbins-${{ hashFiles('scripts/binaries.csv') }}-${{ matrix.test }} | |
enableCrossOsArchive: true | |
- name: Download deps | |
run: go mod download | |
- name: Run tests | |
run: python scripts/tests.py --${{ matrix.test }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Upload coverage | |
uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1 | |
if: ${{ !cancelled() }} | |
with: | |
disable_search: true | |
token: ${{ secrets.CODECOV_TOKEN }} | |
file: ${{ matrix.test_type }}.profile | |
flags: ${{ matrix.test_type }} | |
verbose: true | |
- name: Upload test results to Codecov | |
if: ${{ !cancelled() && matrix.test_type == 'unit' }} | |
uses: codecov/test-results-action@1b5b448b98e58ba90d1a1a1d9fcb72ca2263be46 # v1.0.0 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
name: ${{ matrix.os }} unit tests | |
flags: ${{ matrix.os }}-unit | |
files: unit.xml,unit_embed.xml | |
verbose: true | |
- name: Upload results | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
if: ${{ !cancelled() }} | |
with: | |
name: ${{ matrix.os }}-${{ matrix.test }}-results | |
path: results/ | |
merge: | |
name: Merge results | |
needs: tests | |
runs-on: ubuntu-latest | |
continue-on-error: true | |
strategy: | |
matrix: | |
os: [ ubuntu-latest, windows-latest, macos-13, macos-14 ] | |
steps: | |
- name: Merge | |
uses: actions/upload-artifact/merge@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: ${{ matrix.os }}-results | |
compression-level: '9' | |
pattern: ${{ matrix.os }}-*-results | |
delete-merged: true | |
retention-days: 7 | |