Merge pull request #2636 from github/update-bundle/codeql-bundle-v2.20.0 #9345
name: PR Checks

# Triggers: every push, pull-request activity, and manual dispatch.
# The pull-request trigger is `pull_request`, not `pull_request_target`, so
# runs for PRs from forks get a read-only token and no repository secrets.
on:
  push:
  pull_request:
    # Include `reopened` so that draft PRs opened by other workflows can still
    # have their PR checks triggered.
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
  workflow_dispatch:
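jobs:
  # NOTE(review): every `uses:` below references a mutable major-version tag
  # (`@v3`, `@v4`, `@v5`). Pinning each action to a full commit SHA would make
  # the workflow's dependencies immutable; confirm against the repository's
  # pinning policy.

  # Lints the sources, uploads the ESLint SARIF, and checks the generated JS,
  # once per `@types/node` version in the matrix.
  check-js:
    name: Check JS
    runs-on: ubuntu-latest
    timeout-minutes: 45

    # Least privilege: read the repository, plus write access to code-scanning
    # results for the "Upload sarif" step.
    permissions:
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        # Run tests on 16.11 while CodeQL Action v2 is still supported.
        # Quoted so the version stays a string and is never retyped as a float.
        node-types-version: ['16.11', current]

    steps:
      # NOTE(review): actions/checkout keeps the job token in the local git
      # config by default, and a later step in this job runs `npm install`.
      # If check-js.sh needs no authenticated git access, setting
      # `persist-credentials: false` here would narrow the token's exposure.
      # Confirm before changing.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Lint
        id: lint
        run: npm run-script lint-ci

      - name: Upload sarif
        uses: github/codeql-action/upload-sarif@v3
        # Only upload SARIF for the latest version of Node.js.
        # Runs even if an earlier step failed (`!cancelled()`), and is skipped
        # for branches whose name starts with `dependabot/`.
        if: "!cancelled() && matrix.node-types-version == 'current' && !startsWith(github.head_ref, 'dependabot/')"
        with:
          sarif_file: eslint.sarif
          category: eslint

      - name: Update version of @types/node
        if: matrix.node-types-version != 'current'
        # The matrix value reaches the script through the environment rather
        # than being interpolated into the shell text.
        env:
          NODE_TYPES_VERSION: ${{ matrix.node-types-version }}
        run: |
          # Export `NODE_TYPES_VERSION` so it's available to jq
          export NODE_TYPES_VERSION="${NODE_TYPES_VERSION}"
          contents=$(jq '.devDependencies."@types/node" = env.NODE_TYPES_VERSION' package.json)
          echo "${contents}" > package.json
          # Usually we run `npm install` on macOS to ensure that we pick up macOS-only dependencies.
          # However we're not checking in the updated lockfile here, so it's fine to run
          # `npm install` on Linux.
          npm install

          if [ -n "$(git status --porcelain)" ]; then
            # NOTE(review): the address below appears masked by the page this
            # listing was taken from; restore the real bot address before use.
            git config --global user.email "[email protected]"
            git config --global user.name "github-actions[bot]"
            # The period in `git add --all .` ensures that we stage deleted files too.
            git add --all .
            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
          fi

      - name: Check generated JS
        run: .github/workflows/script/check-js.sh

  # Runs on PRs and manual dispatch, and on pushes only to `main` or a
  # `releases/v*` branch.
  # NOTE(review): this job declares no `permissions:` block, so it inherits
  # the default token permissions. `contents: read` is likely sufficient if
  # check-node-modules.sh only reads the checkout. Confirm against the script.
  check-node-modules:
    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Check modules up to date
    runs-on: macos-latest
    timeout-minutes: 45

    steps:
      - uses: actions/checkout@v4
      - name: Check node modules up to date
        run: .github/workflows/script/check-node-modules.sh

  # Same push filter as above.
  # NOTE(review): no `permissions:` block here either; `contents: read` is
  # likely sufficient if verify-pr-checks.sh only reads the checkout. Confirm.
  check-file-contents:
    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Check file contents
    runs-on: ubuntu-latest
    timeout-minutes: 45

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          # Quoted: a bare version number is a YAML float (3.10 would be 3.1).
          python-version: '3.11'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          # When updating this, update the autogenerated code header in `sync.py` too.
          pip install ruamel.yaml==0.17.31

      # Ensure the generated PR check workflows are up to date.
      - name: Verify PR checks up to date
        run: .github/workflows/script/verify-pr-checks.sh

  # Unit tests on all three operating systems, after the JS and node_modules
  # checks have passed.
  # NOTE(review): no `permissions:` block; `contents: read` is likely
  # sufficient if the unit tests never use the job token. Confirm.
  npm-test:
    if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
    name: Unit Test
    needs: [check-js, check-node-modules]
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45

    steps:
      - uses: actions/checkout@v4
      - name: npm test
        run: |
          # Run any commands referenced in package.json using Bash, otherwise
          # we won't be able to find them on Windows.
          npm config set script-shell bash
          npm test

  # Pull requests only: every action.yml must declare the same Node runtime,
  # and a backport PR must not change it relative to its base branch.
  check-node-version:
    if: github.event.pull_request
    name: Check Action Node versions
    runs-on: ubuntu-latest
    timeout-minutes: 45

    # Every step in this job only reads the checkout, so the token is limited
    # to read access.
    permissions:
      contents: read

    # The base ref is passed through the environment rather than being
    # interpolated into the shell text.
    env:
      BASE_REF: ${{ github.base_ref }}

    steps:
      - uses: actions/checkout@v4

      - id: head-version
        name: Verify all Actions use the same Node version
        run: |
          NODE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "NODE_VERSION: ${NODE_VERSION}"
          # Unless pipefail is in effect, the pipeline's status is that of
          # `uniq`, so a failing find/yq/grep leaves NODE_VERSION empty
          # without stopping the step. Fail closed instead of passing the
          # check vacuously.
          if [[ -z "$NODE_VERSION" ]]; then
            echo "::error::No Node version found in any 'action.yml' file."
            exit 1
          fi
          if [[ $(echo "$NODE_VERSION" | wc -l) -gt 1 ]]; then
            echo "::error::More than one node version used in 'action.yml' files."
            exit 1
          fi
          echo "node_version=${NODE_VERSION}" >> "$GITHUB_OUTPUT"

      # Only for PRs whose head branch name starts with `backport-`.
      - id: checkout-base
        name: 'Backport: Check out base ref'
        if: ${{ startsWith(github.head_ref, 'backport-') }}
        uses: actions/checkout@v4
        with:
          ref: ${{ env.BASE_REF }}

      - name: 'Backport: Verify Node versions unchanged'
        if: steps.checkout-base.outcome == 'success'
        # The head version computed above is handed over via the environment.
        env:
          HEAD_VERSION: ${{ steps.head-version.outputs.node_version }}
        run: |
          BASE_VERSION=$(find . -name "action.yml" -exec yq -e '.runs.using' {} \; | grep node | sort | uniq)
          echo "HEAD_VERSION: ${HEAD_VERSION}"
          echo "BASE_VERSION: ${BASE_VERSION}"
          if [[ "$BASE_VERSION" != "$HEAD_VERSION" ]]; then
            echo "::error::Cannot change the Node version of an Action in a backport PR."
            exit 1
          fi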