ci: apply OSSF Scorecard security best practices #68
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| - pull_request | |
| - push | |
| permissions: | |
| contents: read | |
| jobs: | |
| test: | |
| permissions: | |
| checks: write # for coverallsapp/github-action to create new checks | |
| contents: read # for actions/checkout to fetch code | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| name: | |
| - Node.js 0.10 | |
| - Node.js 0.12 | |
| - Node.js 4.x | |
| - Node.js 6.x | |
| - Node.js 8.x | |
| - Node.js 10.x | |
| - Node.js 12.x | |
| - Node.js 14.x | |
| - Node.js 16.x | |
| - Node.js 18.x | |
| - Node.js 20.x | |
| include: | |
| - name: Node.js 0.10 | |
| node-version: "0.10" | |
| npm-i: [email protected] [email protected] [email protected] | |
| - name: Node.js 0.12 | |
| node-version: "0.12" | |
| npm-i: [email protected] [email protected] [email protected] | |
| - name: Node.js 4.x | |
| node-version: "4.9" | |
| npm-i: [email protected] [email protected] | |
| - name: Node.js 6.x | |
| node-version: "6.17" | |
| npm-i: [email protected] [email protected] | |
| - name: Node.js 8.x | |
| node-version: "8.17" | |
| npm-i: [email protected] | |
| - name: Node.js 10.x | |
| node-version: "10.24" | |
| npm-i: [email protected] | |
| - name: Node.js 12.x | |
| node-version: "12.22" | |
| npm-i: [email protected] | |
| - name: Node.js 14.x | |
| node-version: "14.21" | |
| - name: Node.js 16.x | |
| node-version: "16.20" | |
| - name: Node.js 18.x | |
| node-version: "18.16" | |
| - name: Node.js 20.x | |
| node-version: "20.2" | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
| - name: Install Node.js ${{ matrix.node-version }} | |
| shell: bash -eo pipefail -l {0} | |
| run: | | |
| nvm install --default ${{ matrix.node-version }} | |
| dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" | |
| - name: Configure npm | |
| run: | | |
| if [[ "$(npm config get package-lock)" == "true" ]]; then | |
| npm config set package-lock false | |
| else | |
| npm config set shrinkwrap false | |
| fi | |
| - name: Install npm module(s) ${{ matrix.npm-i }} | |
| run: npm install --save-dev ${{ matrix.npm-i }} | |
| if: matrix.npm-i != '' | |
| - name: Setup Node.js version-specific dependencies | |
| shell: bash | |
| run: | | |
| # eslint for linting | |
| # - remove on Node.js < 12 | |
| if [[ "$(cut -d. -f1 <<< "${{ matrix.node-version }}")" -lt 12 ]]; then | |
| node -pe 'Object.keys(require("./package").devDependencies).join("\n")' | \ | |
| grep -E '^eslint(-|$)' | \ | |
| sort -r | \ | |
| xargs -n1 npm rm --silent --save-dev | |
| fi | |
| - name: Install Node.js dependencies | |
| run: npm install | |
| - name: List environment | |
| id: list_env | |
| shell: bash | |
| run: | | |
| echo "node@$(node -v)" | |
| echo "npm@$(npm -v)" | |
| npm -s ls ||: | |
| (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print $2 "=" $3 }' >> "$GITHUB_OUTPUT" | |
| - name: Run tests | |
| shell: bash | |
| run: npm run test-ci | |
| - name: Lint code | |
| if: steps.list_env.outputs.eslint != '' | |
| run: npm run lint | |
| - name: Collect code coverage | |
| uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| flag-name: run-${{ matrix.test_number }} | |
| parallel: true | |
| coverage: | |
| permissions: | |
| checks: write # for coverallsapp/github-action to create new checks | |
| needs: test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Uploade code coverage | |
| uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master | |
| with: | |
| github-token: ${{ secrets.github_token }} | |
| parallel-finished: true |