From 83fe742b19a5d948e552fd5035f96b2e816196d4 Mon Sep 17 00:00:00 2001
From: Justin Linn
Date: Sat, 21 Jun 2025 19:57:45 -0400
Subject: [PATCH] feat(ci): Add suncoast-innovation-guild/action-setup ci (#1)

* feat(ci): Add suncoast-innovation-guild/action-setup ci
* feat(ci): Add PR ci checks
* fix(ci): Fix CI checks
* fix(ci): Fix CI checks, node 16
* fix(ci): Fix CI checks, pnpm 10
---
.github/dependabot.yml | 5 ++
.github/workflows/build-and-test.yml | 52 +++++++++++++
.github/workflows/pr-check.yml | 106 +++++++++++++++++++++++++++
.github/workflows/security.yml | 42 +++++++++++
.github/workflows/test.yaml | 4 +-
.github/workflows/upstream-sync.yml | 56 ++++++++++++++
package.json | 2 +-
pnpm-lock.yaml | 12 +--
8 files changed, 270 insertions(+), 9 deletions(-)
create mode 100644 .github/workflows/build-and-test.yml
create mode 100644 .github/workflows/pr-check.yml
create mode 100644 .github/workflows/security.yml
create mode 100644 .github/workflows/upstream-sync.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7b500f3..774051b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,3 +5,8 @@ updates:
 schedule:
 interval: weekly
 open-pull-requests-limit: 10
+ - package-ecosystem: npm
+ directory: "/"
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
new file mode 100644
index 0000000..96aea3b
--- /dev/null
+++ b/.github/workflows/build-and-test.yml
@@ -0,0 +1,52 @@
+name: Build and Test
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup pnpm
+ uses: ./
+ with:
+ version: 9
+
+ - name: Install dependencies
+ run: pnpm install
+
+ - name: Build
+ run: pnpm run build
+
+ - name: Check if dist is up to date
+ run: |
+ if [ -n "$(git status --porcelain dist/)" ]; then
+ echo "::error::Distribution files are not up to date. Please run 'pnpm run build' and commit the changes."
+ exit 1
+ fi
+
+ test:
+ needs: build
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-latest, macos-latest, windows-latest]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Test action
+ uses: ./
+ with:
+ version: 9
+
+ - name: Verify installation
+ run: |
+ which pnpm
+ pnpm --version
\ No newline at end of file
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
new file mode 100644
index 0000000..fedccf4
--- /dev/null
+++ b/.github/workflows/pr-check.yml
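Review bot: No `permissions:` block is declared at workflow or job level, so both jobs run with the repository's default `GITHUB_TOKEN` scope although they only need to read the checkout; add `permissions:` / `contents: read` at the top of the file. The same omission is in pr-check.yml and in the `security-audit` job of security.yml, where only the `codeql` job scopes its token. The `Verify installation` step runs `which pnpm` on `windows-latest`, where the default `run:` shell is pwsh; it probably resolves through Git for Windows' `usr/bin` on the runner image, but `pnpm --version` on its own is the portable check. All `uses: ./` steps request `version: 9` while package.json moves the `pnpm` devDependency to `^10.0.0`; if exercising the action with pnpm 9 is deliberate, a one-line comment on the `with:` block would save the next reader from treating it as a leftover.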
@@ -0,0 +1,106 @@
+name: PR Check
+
+on:
+ pull_request:
+ branches: [ master ]
+ types: [opened, synchronize, reopened, ready_for_review]
+
+jobs:
+ pr-validation:
+ if: github.event.pull_request.draft == false
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup pnpm
+ uses: ./
+ with:
+ version: 9
+
+ - name: Install dependencies
+ run: pnpm install
+
+ - name: Build
+ run: pnpm run build
+
+ - name: Check if dist is up to date
+ run: |
+ if [ -n "$(git status --porcelain dist/)" ]; then
+ echo "::error::Distribution files are not up to date. Please run 'pnpm run build' and commit the changes."
+ exit 1
+ fi
+
+ test-matrix:
+ if: github.event.pull_request.draft == false
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ pnpm: [9.15.5]
+ os: [ubuntu-latest, macos-latest, windows-latest]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Test action
+ uses: ./
+ with:
+ version: ${{ matrix.pnpm }}
+
+ - name: Verify installation
+ run: |
+ which pnpm
+ pnpm --version
+
+ - name: Test install functionality
+ run: pnpm install
+
+ security-check:
+ if: github.event.pull_request.draft == false
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup pnpm
+ uses: ./
+ with:
+ version: 9
+
+ - name: Security audit
+ run: pnpm audit --audit-level moderate
+
+ lint-and-format:
+ if: github.event.pull_request.draft == false
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup pnpm
+ uses: ./
+ with:
+ version: 9
+
+ - name: Install dependencies
+ run: pnpm install
+
+ - name: Check TypeScript
+ run: npx tsc --noEmit
+
+ - name: Verify action.yml syntax
+ run: |
+ if ! command -v yq &> /dev/null; then
+ sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+ sudo chmod +x /usr/local/bin/yq
+ fi
+ yq eval action.yml > /dev/null
+
+ all-checks:
+ if: github.event.pull_request.draft == false
+ needs: [pr-validation, test-matrix, security-check, lint-and-format]
+ runs-on: ubuntu-latest
+ steps:
+ - name: All checks passed
+ run: echo "✅ All PR checks passed successfully"
\ No newline at end of file
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..150a877
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,42 @@
+name: Security Checks
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+ schedule:
+ - cron: '0 0 * * 0' # Weekly on Sunday
+
+jobs:
+ security-audit:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup pnpm
+ uses: ./
+ with:
+ version: 9
+
+ - name: Security audit
+ run: pnpm audit --audit-level high
+
+ codeql:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: javascript
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
\ No newline at end of file
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 07bd9ba..8b2147e 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -94,8 +94,8 @@ jobs:
 - name: install Node.js
 uses: actions/setup-node@v4
 with:
- # pnpm@7.0.0 is not compatible with Node.js 12
- node-version: 12.22.12
+ # Use Node.js 16 - has ARM64 support and works with pnpm standalone tests
+ node-version: 16
 - name: 'Test: which (pnpm)'
 run: which pnpm
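Review bot: The `Verify action.yml syntax` step fetches `yq` from `releases/latest/download` with `sudo wget`, writes it to `/usr/local/bin` and executes it with no version pin and no checksum, so whatever the latest release resolves to on that day runs as root on the runner. Because `command -v yq` guards the download and current `ubuntu-latest` images already ship `yq`, that branch is almost never taken, which is exactly when a bad download would go unnoticed; pin a release tag and verify the published checksum with `sha256sum -c` before the `chmod +x`, or drop the fallback and let the step fail loudly when `yq` is absent. `Check TypeScript` uses `npx tsc --noEmit`; after `pnpm install` that resolves the local binary, but `pnpm exec tsc --noEmit` never falls back to a registry fetch. `security-check` audits at `--audit-level moderate` while the same step in security.yml uses `high`, so a PR can fail on an advisory the scheduled run ignores; pick one threshold for both files.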
diff --git a/.github/workflows/upstream-sync.yml b/.github/workflows/upstream-sync.yml
new file mode 100644
index 0000000..59a56f2
--- /dev/null
+++ b/.github/workflows/upstream-sync.yml
@@ -0,0 +1,56 @@
+name: Sync with Upstream
+
+on:
+ schedule:
+ - cron: '0 2 * * 1' # Weekly on Monday at 2 AM
+ workflow_dispatch:
+
+jobs:
+ check-upstream:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Add upstream remote
+ run: |
+ git remote add upstream https://github.com/pnpm/action-setup.git || true
+ git fetch upstream
+
+ - name: Check for updates
+ id: check
+ run: |
+ UPSTREAM_COMMITS=$(git rev-list HEAD..upstream/master --count)
+ echo "commits_behind=$UPSTREAM_COMMITS" >> $GITHUB_OUTPUT
+
+ if [ "$UPSTREAM_COMMITS" -gt 0 ]; then
+ echo "need_sync=true" >> $GITHUB_OUTPUT
+ echo "Found $UPSTREAM_COMMITS new commits in upstream"
+ else
+ echo "need_sync=false" >> $GITHUB_OUTPUT
+ echo "Fork is up to date"
+ fi
+
+ - name: Create sync issue
+ if: steps.check.outputs.need_sync == 'true'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const { data: issues } = await github.rest.issues.listForRepo({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: 'upstream-sync',
+ state: 'open'
+ });
+
+ if (issues.length === 0) {
+ await github.rest.issues.create({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ title: 'Upstream sync required',
+ body: `The upstream repository has ${{ steps.check.outputs.commits_behind }} new commits that need to be reviewed and potentially merged.\n\nPlease review the changes and manually merge if appropriate:\n\n\`\`\`bash\ngit fetch upstream\ngit log HEAD..upstream/master --oneline\n# Review changes, then merge if safe\ngit merge upstream/master\n\`\`\``,
+ labels: ['upstream-sync', 'maintenance']
+ });
+ }
\ No newline at end of file
diff --git a/package.json b/package.json
index 31c3921..7a13d76 100644
--- a/package.json
+++ b/package.json
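Review bot: `Create sync issue` calls `github.rest.issues.listForRepo` and `github.rest.issues.create`, but the workflow declares no `permissions:`; if the repository uses the read-only `GITHUB_TOKEN` default the create call fails with a 403, and with a permissive default the job holds far more than it needs. Add `permissions:` / `contents: read` / `issues: write` under `check-upstream`. The `${{ steps.check.outputs.commits_behind }}` expression is substituted into the script body before it runs; today the value is a `git rev-list --count` integer so nothing can be injected, but passing it through `env:` and reading `process.env` inside the script keeps the template free of expression substitution if that output ever carries text. Pinning `actions/checkout` and `actions/github-script` to a commit SHA rather than a major tag is the remaining supply-chain hardening for a job that creates issues on a schedule.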
@@ -17,7 +17,7 @@
 },
 "devDependencies": {
 "@vercel/ncc": "^0.38.1",
- "pnpm": "^8.14.3",
+ "pnpm": "^10.0.0",
 "typescript": "^5.3.3"
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index be21d4e..e4fb57b 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -34,8 +34,8 @@ importers: specifier: ^0.38.1 version: 0.38.3 pnpm: - specifier: ^8.14.3 - version: 8.15.9 + specifier: ^10.0.0 + version: 10.12.1 typescript: specifier: ^5.3.3 version: 5.7.3 @@ -102,9 +102,9 @@ packages: resolution: {integrity: sha512-1Y1A//QUXEZK7YKz+rD9WydcE1+EuPr6ZBgKecAB8tmoW6UFv0NREVJe1p+jRxtThkcbbKkfwIbWJe/IeE6m2Q==} engines: {node: '>=0.10.0'} - pnpm@8.15.9: - resolution: {integrity: sha512-SZQ0ydj90aJ5Tr9FUrOyXApjOrzuW7Fee13pDzL0e1E6ypjNXP0AHDHw20VLw4BO3M1XhQHkyik6aBYWa72fgQ==} - engines: {node: '>=16.14'} + pnpm@10.12.1: + resolution: {integrity: sha512-8N2oWA8O6UgcXHmh2Se5Fk8sR46QmSrSaLuyRlpzaYQ5HWMz0sMnkTV4soBK8zR0ylVLopwEqLEwYKcXZ1rjrA==} + engines: {node: '>=18.12'} hasBin: true tunnel@0.0.6: @@ -187,7 +187,7 @@ snapshots: parse-passwd@1.0.0: {} - pnpm@8.15.9: {} + pnpm@10.12.1: {} tunnel@0.0.6: {}