test: Migrate CI to GtiHub [SDK-4450] (#1437)

auth0 · Oct 13, 2023 · 37e334b · 37e334b
2 parents 73520f8 + c6839a6
commit 37e334b
Show file tree

Hide file tree

Showing 11 changed files with 439 additions and 66 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
@@ -0,0 +1,30 @@
+name: Build package
+description: Build the SDK package
+
+inputs:
+ node:
+ description: The Node version to use
+ required: false
+ default: 18
+
+runs:
+ using: composite
+
+ steps:
+ - uses: actions/setup-node@v3
+ with:
+ node-version: ${{ inputs.node }}
+ cache: npm
+
+ - shell: bash
+ run: npm ci
+ env:
+ NODE_ENV: development
+
+ - shell: bash
+ run: npm run install:example
+ env:
+ NODE_ENV: development
+
+ - shell: bash
+ run: npm run build
diff --git a/.github/actions/prepare/action.yml b/.github/actions/prepare/action.yml
@@ -0,0 +1,25 @@
+name: Prepare test
+description: Prepare an SDK test
+
+inputs:
+ node:
+ description: The Node version to use
+ required: false
+ default: 18
+ cache:
+ description: The cache key identifier to use
+ required: true
+
+runs:
+ using: composite
+
+ steps:
+ - uses: actions/setup-node@v3
+ with:
+ node-version: ${{ inputs.node }}
+ cache: npm
+
+ - uses: actions/cache/restore@v3
+ with:
+ path: .
+ key: ${{ inputs.cache }}
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,9 +1,14 @@
 version: 2
 updates:
- - package-ecosystem: "npm" 
- directory: "/" 
+ - package-ecosystem: "npm"
+ directory: "/"
  schedule:
  interval: "daily"
  ignore:
  - dependency-name: "*"
  update-types: ["version-update:semver-major"]
+
+ - package-ecosystem: 'github-actions'
+ directory: '/'
+ schedule:
+ interval: 'daily'
diff --git a/.github/workflows/browserstack.yml b/.github/workflows/browserstack.yml
@@ -0,0 +1,57 @@
+name: Browserstack
+
+on:
+ merge_group:
+ workflow_dispatch:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+env:
+ NODE_VERSION: 18
+ CACHE_KEY: '${{ github.event.pull_request.head.sha || github.ref }}-${{ github.run_id }}-${{ github.run_attempt }}'
+
+jobs:
+ authorize:
+ name: Authorize
+ environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+ runs-on: ubuntu-latest
+ steps:
+ - run: true
+
+ browserstack:
+ needs: authorize # Require approval before running on forked pull requests
+
+ name: Run Tests
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+ - uses: ./.github/actions/build
+ with:
+ node: ${{ env.NODE_VERSION }}
+
+ - shell: bash
+ run: npm i --prefix=example-app --no-package-lock
+ env:
+ NODE_ENV: development
+
+ - shell: bash
+ run: npx start-server-and-test "start:example-local" http:https://localhost:3000 "browserstack-cypress run --build-name ${{ github.event.pull_request.head.sha || github.ref }} --no-wrap"
+ env:
+ BROWSERSTACK_ACCESS_KEY: ${{ secrets.BROWSERSTACK_ACCESS_KEY }}
+ BROWSERSTACK_USERNAME: ${{ secrets.BROWSERSTACK_USERNAME }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,53 @@
+name: CodeQL
+
+on:
+ merge_group:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: '37 10 * * 2'
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+ analyze:
+ name: Check for Vulnerabilities
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [javascript]
+
+ steps:
+ - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+ run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ queries: +security-and-quality
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: '/language:${{ matrix.language }}'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,110 @@
+name: Publish Release
+
+on:
+ workflow_dispatch:
+ inputs:
+ branch:
+ description: The branch to release from
+ required: true
+ default: main
+ version:
+ description: The version being published. This should be a valid semver version, such as `1.0.0`.
+ required: true
+ default: ''
+ type: string
+ dry-run:
+ type: boolean
+ description: Perform a publishing dry run. This will not publish the release, but will validate the release and log the commands that would be run.
+ default: false
+
+permissions:
+ contents: read
+ id-token: write # For publishing to NPM with provenance. Allows developers to run `npm audit signatures` and verify release signature of SDK. @see https://github.blog/2023-04-19-introducing-npm-package-provenance/
+ packages: write # For cross-publishing to GitHub Packages registry.
+
+env:
+ NODE_VERSION: 18
+ NODE_ENV: development
+
+jobs:
+ configure:
+ name: Validate input parameters
+ runs-on: ubuntu-latest
+
+ outputs:
+ vtag: ${{ steps.vtag.outputs.vtag }} # The fully constructed release tag to use for publishing
+ dry-run: ${{ steps.dry-run.outputs.dry-run }} # The dry-run flag to use for publishing, if applicable
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.inputs.branch }}
+
+ # Configure for dry-run, if applicable. @see https://docs.npmjs.com/cli/v9/commands/npm-publish#dry-run
+ - id: dry-run
+ if: ${{ github.event.inputs.dry-run == 'true' }}
+ name: Configure for `--dry-run`
+ run: |
+ echo "dry-run=--dry-run" >> $GITHUB_ENV
+ echo "dry-run=--dry-run" >> $GITHUB_OUTPUT
+
+ # Build the tag string from package.json version and release suffix. Produces something like `1.0.0-beta.1` for a beta, or `1.0.0` for a stable release.
+ - name: Build tag
+ id: vtag
+ run: |
+ PACKAGE_VERSION="${{ github.event.inputs.version }}"
+ echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_ENV
+ echo "vtag=${PACKAGE_VERSION}" >> $GITHUB_OUTPUT
+
+ # Ensure tag does not already exist.
+ - name: Validate version
+ uses: actions/github-script@v6
+ env:
+ vtag: ${{ env.vtag }}
+ with:
+ script: |
+ const releaseMeta = github.rest.repos.listReleases.endpoint.merge({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+
+ const releases = await github.paginate(releaseMeta);
+
+ for (const release of releases) {
+ if (release.name === process.env.vtag) {
+ throw new Error(`${process.env.vtag} already exists`);
+ }
+ }
+
+ console.log(`${process.env.vtag} does not exist. Proceeding with release.`)
+
+ publish-npm:
+ needs: configure
+
+ name: Publish to NPM
+ runs-on: ubuntu-latest
+ environment: 'release'
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.inputs.branch }}
+
+ - name: Setup Node
+ uses: actions/setup-node@v3
+ with:
+ node-version: ${{ env.NODE_VERSION }}
+ cache: npm
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Publish release to NPM
+ run: npm publish --provenance --tag ${{ needs.configure.outputs.vtag }} ${{ needs.configure.outputs.dry-run }}
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}