mirror of
https://github.com/we-promise/sure.git
synced 2026-06-01 08:49:01 +00:00
956c27df6b
* chore(ci): pin GitHub Actions to commit SHAs (#1811) Follow-up to #1810. The Node-24 upgrade left every workflow on mutable tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.) which superagent-security[bot] flagged on the ci.yml + publish.yml reviews. Pin all 18 external actions to the commit SHA they currently resolve to and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see the version. Local reusable-workflow refs (`uses: ./.github/...`) are left alone — pinning those would defeat the point. Closes #1811 * chore(ci): address review — persist-credentials + setup-node consistency (#1811) Two pieces of follow-up feedback on the SHA-pinning PR: - @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials: false' to checkout steps in jobs that don't perform authenticated git operations. Adds the line to 17 read-only checkouts across 9 workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight, llm-evals, preview-cleanup, preview-deploy, publish:build). Checkouts inside jobs that 'git push' (chart-release, mobile-build, mobile-release, helm-publish:second-checkout, publish:bump-pre_release) are intentionally left alone so they keep their token. - @jjmata: preview-deploy.yml was the only workflow on actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise on v5.0.0 to match. Dependabot config already has a github-actions ecosystem entry with a weekly schedule, so no addition needed for that point. * chore(ci): document intentional setup-node v6→5 normalization (#1811) @superagent-security flagged the v6.4.0 -> v5.0.0 change in preview-deploy.yml as a possible unintended downgrade. The downgrade was deliberate, per @jjmata's review request to normalize setup-node across all workflows. Add an inline YAML comment next to the line so future scans don't re-flag it. --------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com> Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
195 lines
5.4 KiB
YAML
195 lines
5.4 KiB
YAML
name: CI
|
|
|
|
on:
|
|
workflow_call:
|
|
|
|
jobs:
|
|
scan_ruby:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Ruby
|
|
uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
|
|
with:
|
|
ruby-version: .ruby-version
|
|
bundler-cache: true
|
|
|
|
- name: Scan for security vulnerabilities in Ruby dependencies
|
|
run: bin/brakeman --no-pager
|
|
|
|
- name: Validate preview deploy workflow hardening
|
|
run: ruby bin/preview_deploy_security_check.rb
|
|
|
|
scan_js:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Ruby
|
|
uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
|
|
with:
|
|
ruby-version: .ruby-version
|
|
bundler-cache: true
|
|
|
|
- name: Scan for security vulnerabilities in JavaScript dependencies
|
|
run: bin/importmap audit
|
|
|
|
lint:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Ruby
|
|
uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
|
|
with:
|
|
ruby-version: .ruby-version
|
|
bundler-cache: true
|
|
|
|
- name: Lint code for consistent style
|
|
run: bin/rubocop -f github
|
|
|
|
lint_js:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Setup Node.js environment
|
|
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
|
|
with:
|
|
node-version: "24"
|
|
cache: "npm"
|
|
|
|
- name: Install dependencies
|
|
run: npm install
|
|
shell: bash
|
|
|
|
- name: Lint/Format js code
|
|
run: npm run lint
|
|
|
|
test_unit:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
|
|
env:
|
|
PLAID_CLIENT_ID: foo
|
|
PLAID_SECRET: bar
|
|
DATABASE_URL: postgres://postgres:postgres@localhost:5432
|
|
REDIS_URL: redis://localhost:6379
|
|
RAILS_ENV: test
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres
|
|
env:
|
|
POSTGRES_USER: postgres
|
|
POSTGRES_PASSWORD: postgres
|
|
ports:
|
|
- 5432:5432
|
|
options: --health-cmd="pg_isready" --health-interval=10s --health-timeout=5s --health-retries=3
|
|
|
|
redis:
|
|
image: redis
|
|
ports:
|
|
- 6379:6379
|
|
options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3
|
|
|
|
steps:
|
|
- name: Install packages
|
|
run: sudo apt-get update && sudo apt-get install --no-install-recommends -y google-chrome-stable curl libvips postgresql-client libpq-dev
|
|
|
|
- name: Checkout code
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Ruby
|
|
uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
|
|
with:
|
|
ruby-version: .ruby-version
|
|
bundler-cache: true
|
|
|
|
- name: DB setup and smoke test
|
|
run: |
|
|
bin/rails db:create
|
|
bin/rails db:schema:load
|
|
bin/rails db:seed
|
|
|
|
- name: Unit and integration tests
|
|
run: bin/rails test
|
|
|
|
test_system:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
|
|
env:
|
|
PLAID_CLIENT_ID: foo
|
|
PLAID_SECRET: bar
|
|
DATABASE_URL: postgres://postgres:postgres@localhost:5432
|
|
REDIS_URL: redis://localhost:6379
|
|
RAILS_ENV: test
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres
|
|
env:
|
|
POSTGRES_USER: postgres
|
|
POSTGRES_PASSWORD: postgres
|
|
ports:
|
|
- 5432:5432
|
|
options: --health-cmd="pg_isready" --health-interval=10s --health-timeout=5s --health-retries=3
|
|
|
|
redis:
|
|
image: redis
|
|
ports:
|
|
- 6379:6379
|
|
options: --health-cmd="redis-cli ping" --health-interval=10s --health-timeout=5s --health-retries=3
|
|
|
|
steps:
|
|
- name: Install packages
|
|
run: sudo apt-get update && sudo apt-get install --no-install-recommends -y google-chrome-stable curl libvips postgresql-client libpq-dev
|
|
|
|
- name: Checkout code
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Ruby
|
|
uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
|
|
with:
|
|
ruby-version: .ruby-version
|
|
bundler-cache: true
|
|
|
|
- name: DB setup and smoke test
|
|
run: |
|
|
bin/rails db:create
|
|
bin/rails db:schema:load
|
|
bin/rails db:seed
|
|
|
|
- name: System tests
|
|
run: DISABLE_PARALLELIZATION=true bin/rails test:system
|
|
|
|
- name: Keep screenshots from failed system tests
|
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
|
|
if: failure()
|
|
with:
|
|
name: screenshots
|
|
path: ${{ github.workspace }}/tmp/screenshots
|
|
if-no-files-found: ignore
|