diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index d47d5a8d..340e5a6e 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -8,9 +8,24 @@ on: permissions: read-all jobs: - ci: - name: CI + check: + name: ${{ matrix.what }} runs-on: ubuntu-24.04 + strategy: + fail-fast: false + matrix: + what: + - ci + - dependencies + - formatting + - js + - json + - licenses + - lockfile + - manifest + - md + - sh + - yml steps: - name: Harden runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 @@ -29,9 +44,10 @@ jobs: - name: Checkout repository uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: - persist-credentials: false + persist-credentials: - name: Install tooling uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0 + if: ${{ matrix.what == "ci" || matrix.what == "sh" }} - name: Install Node.js uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: @@ -40,7 +56,9 @@ jobs: - name: Install dependencies run: npm clean-install - name: Check - run: npm run check:ci + run: npm run "check:${WHAT}" + env: + WHAT: ${{ matrix.what }} codeql: name: CodeQL runs-on: ubuntu-24.04 
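Review bot: The Checkout step's `persist-credentials:` is left with an empty value, which YAML reads as null; as far as I can tell actions/checkout then falls back to its default, and that default persists the GITHUB_TOKEN into .git/config for the rest of the job, whereas every job this matrix replaces had it explicitly off. Restore `persist-credentials: false` so the token is not left on disk for the npm install and check steps that follow. Separately, the new `if:` on the asdf step uses double-quoted string literals, which the Actions expression syntax does not accept (strings must be single-quoted), so the workflow will be rejected at parse time; write it as `if: ${{ matrix.what == 'ci' || matrix.what == 'sh' }}`. The job's remaining steps continue in the following hunk.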
@@ -71,196 +89,6 @@ jobs: languages: javascript - name: Perform CodeQL analysis uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9 - deps: - name: Dependencies - runs-on: ubuntu-24.04 - steps: - - name: Harden runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - actions-results-receiver-production.githubapp.com:443 - api.github.com:443 - artifactcache.actions.githubusercontent.com:443 - github.com:443 - gitlab.com:443 - nodejs.org:443 - objects.githubusercontent.com:443 - registry.npmjs.org:443 - - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - persist-credentials: false - - name: Install Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - cache: npm - node-version-file: .nvmrc - - name: Install dependencies - run: npm clean-install - - name: Check dependencies - if: ${{ failure() || success() }} - run: npm run check:dependencies - - name: Check runtime dependency versions - if: ${{ failure() || success() }} - run: node script/check-runtime-deps.js - format: - name: Formatting - runs-on: ubuntu-24.04 - steps: - - name: Harden runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - actions-results-receiver-production.githubapp.com:443 - api.github.com:443 - artifactcache.actions.githubusercontent.com:443 - github.com:443 - gitlab.com:443 - nodejs.org:443 - objects.githubusercontent.com:443 - registry.npmjs.org:443 - - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - persist-credentials: false - - name: Install Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - cache: npm - node-version-file: 
.nvmrc - - name: Install dependencies - run: npm clean-install - - name: Check formatting - run: npm run check:formatting - js: - name: JavaScript - runs-on: ubuntu-24.04 - steps: - - name: Harden runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - actions-results-receiver-production.githubapp.com:443 - api.github.com:443 - artifactcache.actions.githubusercontent.com:443 - github.com:443 - gitlab.com:443 - nodejs.org:443 - objects.githubusercontent.com:443 - registry.npmjs.org:443 - - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - persist-credentials: false - - name: Install Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - cache: npm - node-version-file: .nvmrc - - name: Install dependencies - run: npm clean-install - - name: Check - run: npm run check:js - json: - name: JSON - runs-on: ubuntu-24.04 - steps: - - name: Harden runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - actions-results-receiver-production.githubapp.com:443 - api.github.com:443 - artifactcache.actions.githubusercontent.com:443 - github.com:443 - gitlab.com:443 - nodejs.org:443 - objects.githubusercontent.com:443 - registry.npmjs.org:443 - - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - persist-credentials: false - - name: Install Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - cache: npm - node-version-file: .nvmrc - - name: Install dependencies - run: npm clean-install - - name: Check - run: npm run check:json - licenses: - name: Licenses - runs-on: ubuntu-24.04 - steps: - - name: Harden runner - uses: 
step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - actions-results-receiver-production.githubapp.com:443 - api.github.com:443 - artifactcache.actions.githubusercontent.com:443 - github.com:443 - gitlab.com:443 - nodejs.org:443 - objects.githubusercontent.com:443 - registry.npmjs.org:443 - - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - persist-credentials: false - - name: Install Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - cache: npm - node-version-file: .nvmrc - - name: Install dependencies - run: npm clean-install - - name: Check licenses - run: npm run check:licenses - md: - name: MarkDown - runs-on: ubuntu-24.04 - steps: - - name: Harden runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - actions-results-receiver-production.githubapp.com:443 - api.github.com:443 - artifactcache.actions.githubusercontent.com:443 - github.com:443 - gitlab.com:443 - nodejs.org:443 - objects.githubusercontent.com:443 - registry.npmjs.org:443 - - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - persist-credentials: false - - name: Install Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - cache: npm - node-version-file: .nvmrc - - name: Install dependencies - run: npm clean-install - - name: Check - run: npm run check:md odgen: name: ODGen runs-on: ubuntu-24.04 
@@ -325,39 +153,6 @@ jobs: npm pack - name: Verify checksum run: shasum --check checksums.txt --strict - shell: - name: Shell scripts - runs-on: ubuntu-24.04 - steps: - - name: Harden runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - actions-results-receiver-production.githubapp.com:443 - api.github.com:443 - artifactcache.actions.githubusercontent.com:443 - github.com:443 - gitlab.com:443 - nodejs.org:443 - objects.githubusercontent.com:443 - registry.npmjs.org:443 - - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - persist-credentials: false - - name: Install tooling - uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0 - - name: Install Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - cache: npm - node-version-file: .nvmrc - - name: Install dependencies - run: npm clean-install - - name: Check - run: npm run check:sh test-breakage: name: Breakage runs-on: ubuntu-24.04 
@@ -700,34 +495,3 @@ jobs: run: npm clean-install - name: Transpile to CommonJS run: npm run transpile - yaml: - name: YAML - runs-on: ubuntu-24.04 - steps: - - name: Harden runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - actions-results-receiver-production.githubapp.com:443 - api.github.com:443 - artifactcache.actions.githubusercontent.com:443 - github.com:443 - gitlab.com:443 - nodejs.org:443 - objects.githubusercontent.com:443 - registry.npmjs.org:443 - - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - persist-credentials: false - - name: Install Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - cache: npm - node-version-file: .nvmrc - - name: Install dependencies - run: npm clean-install - - name: Check - run: npm run check:yml diff --git a/.github/workflows/config-npm.yml b/.github/workflows/config-npm.yml deleted file mode 100644 index 34456998..00000000 --- a/.github/workflows/config-npm.yml +++ /dev/null 
@@ -1,80 +0,0 @@ -name: Config npm -on: - pull_request: - paths: - - .github/workflows/config-npm.yml - - package.json - - package-lock.json - push: - branches: - - main - paths: - - .github/workflows/config-npm.yml - - package.json - - package-lock.json - -permissions: read-all - -jobs: - package-json: - name: package.json - runs-on: ubuntu-24.04 - steps: - - name: Harden runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - actions-results-receiver-production.githubapp.com:443 - api.github.com:443 - artifactcache.actions.githubusercontent.com:443 - github.com:443 - gitlab.com:443 - nodejs.org:443 - objects.githubusercontent.com:443 - registry.npmjs.org:443 - - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - persist-credentials: false - - name: Install Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - cache: npm - node-version-file: .nvmrc - - name: Install dependencies - run: npm clean-install - - name: Validate package.json - run: npm run check:manifest - package-lock-json: - name: package-lock.json - runs-on: ubuntu-24.04 - steps: - - name: Harden runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - actions-results-receiver-production.githubapp.com:443 - api.github.com:443 - artifactcache.actions.githubusercontent.com:443 - github.com:443 - gitlab.com:443 - nodejs.org:443 - objects.githubusercontent.com:443 - registry.npmjs.org:443 - - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - with: - persist-credentials: false - - name: Install Node.js - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - cache: npm - node-version-file: .nvmrc - - 
name: Install dependencies - run: npm clean-install - - name: Validate package-lock.json - run: npm run check:lockfile diff --git a/package.json b/package.json index ce05521d..544cbb33 100644 --- a/package.json +++ b/package.json @@ -104,7 +104,7 @@ "audit:vulnerabilities:runtime": "better-npm-audit audit --production", "check": "npm-run-all check:*", "check:ci": "node script/maybe-run.js actionlint", - "check:dependencies": "knip --config config/knip.jsonc", + "check:dependencies": "knip --config config/knip.jsonc && node script/check-runtime-deps.js", "check:formatting": "npm run _prettier -- --check", "check:js": "npm run _eslint -- '**/*.{cjs,js}'", "check:json": "npm run _eslint -- '**/*.{json,jsonc}'",
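Review bot: Chaining the two commands with `&&` means `script/check-runtime-deps.js` never runs when knip fails, whereas the removed Dependencies job ran both steps under `if: ${{ failure() || success() }}` so one CI run reported both results. If that behaviour is worth keeping, run the two checks independently (for example as separate `check:dependencies:*` scripts, provided the `npm-run-all check:*` glob on the line above matches them, which is worth confirming) instead of short-circuiting on the first failure.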