Tighten GITHUB_TOKEN permissions #10301
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tests | |
on: | |
pull_request: {} | |
merge_group: | |
types: [checks_requested] | |
push: | |
branches: [develop, master] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
ENABLE_COVERAGE: ${{ github.event_name != 'merge_group' }} | |
permissions: {} # No permissions required | |
jobs: | |
jest: | |
name: "Jest [${{ matrix.specs }}] (Node ${{ matrix.node == '*' && 'latest' || matrix.node }})" | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 10 | |
strategy: | |
matrix: | |
specs: [integ, unit] | |
node: ["lts/*", 22] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Setup Node | |
id: setupNode | |
uses: actions/setup-node@v4 | |
with: | |
cache: "yarn" | |
node-version: ${{ matrix.node }} | |
- name: Install dependencies | |
run: "yarn install" | |
- name: Get number of CPU cores | |
id: cpu-cores | |
uses: SimenB/github-actions-cpu-cores@97ba232459a8e02ff6121db9362b09661c875ab8 # v2 | |
- name: Run tests | |
run: | | |
yarn test \ | |
--coverage=${{ env.ENABLE_COVERAGE }} \ | |
--ci \ | |
--max-workers ${{ steps.cpu-cores.outputs.count }} \ | |
./spec/${{ matrix.specs }} | |
env: | |
JEST_SONAR_UNIQUE_OUTPUT_NAME: true | |
# tell jest to use coloured output | |
FORCE_COLOR: true | |
- name: Move coverage files into place | |
if: env.ENABLE_COVERAGE == 'true' | |
run: mv coverage/lcov.info coverage/${{ steps.setupNode.outputs.node-version }}-${{ matrix.specs }}.lcov.info | |
- name: Upload Artifact | |
if: env.ENABLE_COVERAGE == 'true' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: coverage-${{ matrix.specs }}-${{ matrix.node == 'lts/*' && 'lts' || matrix.node }} | |
path: | | |
coverage | |
!coverage/lcov-report | |
# Dummy completion job to simplify branch protections | |
jest-complete: | |
name: Jest tests | |
needs: jest | |
if: always() | |
runs-on: ubuntu-24.04 | |
steps: | |
- if: needs.jest.result != 'skipped' && needs.jest.result != 'success' | |
run: exit 1 | |
element-web: | |
name: Downstream test element-web | |
if: github.event_name == 'merge_group' | |
uses: element-hq/element-web/.github/workflows/tests.yml@develop | |
permissions: | |
statuses: write | |
with: | |
disable_coverage: true | |
matrix-js-sdk-sha: ${{ github.sha }} | |
complement-crypto: | |
name: "Run Complement Crypto tests" | |
if: github.event_name == 'merge_group' | |
permissions: read-all | |
uses: matrix-org/complement-crypto/.github/workflows/single_sdk_tests.yml@main | |
with: | |
use_js_sdk: "." | |
# we need this so the job is reported properly when run in a merge queue | |
downstream-complement-crypto: | |
name: Downstream Complement Crypto tests | |
runs-on: ubuntu-24.04 | |
if: always() | |
needs: | |
- complement-crypto | |
steps: | |
- if: needs.complement-crypto.result != 'skipped' && needs.complement-crypto.result != 'success' | |
run: exit 1 | |
# Hook for branch protection to skip downstream testing outside of merge queues | |
# and skip sonarcloud coverage within merge queues | |
downstream: | |
name: Downstream tests | |
runs-on: ubuntu-24.04 | |
if: always() | |
needs: | |
- element-web | |
permissions: | |
statuses: write | |
steps: | |
- name: Skip SonarCloud on merge queues | |
if: env.ENABLE_COVERAGE == 'false' | |
uses: Sibz/github-status-action@071b5370da85afbb16637d6eed8524a06bc2053e # v1 | |
with: | |
authToken: ${{ secrets.GITHUB_TOKEN }} | |
state: success | |
description: SonarCloud skipped | |
context: SonarCloud Code Analysis | |
sha: ${{ github.sha }} | |
target_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
- if: needs.element-web.result != 'skipped' && needs.element-web.result != 'success' | |
run: exit 1 |