Implement repository security checklist #519
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: ['**'] | |
| # Set minimal permissions by default | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: ${{ !contains(github.ref, 'main')}} | |
| jobs: | |
| install-cache-deps: | |
| runs-on: ubuntu-latest | |
| name: Install and Cache deps | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup | |
| uses: ./.github/actions/setup-deps | |
| lint: | |
| needs: [install-cache-deps] | |
| runs-on: ubuntu-latest | |
| name: Lint | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Node.js and deps | |
| uses: ./.github/actions/setup-deps | |
| - name: Lint | |
| run: yarn lint | |
| typecheck: | |
| needs: [install-cache-deps] | |
| runs-on: ubuntu-latest | |
| name: Typecheck | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Node.js and deps | |
| uses: ./.github/actions/setup-deps | |
| - name: Typecheck | |
| run: yarn typecheck | |
| test: | |
| needs: [install-cache-deps] | |
| runs-on: ubuntu-latest | |
| name: Test | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Node.js and deps | |
| uses: ./.github/actions/setup-deps | |
| - name: Test | |
| run: yarn test:ci:coverage | |
| - name: Upload coverage reports | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: coverage-reports | |
| path: coverage/ | |
| retention-days: 1 | |
| # Separate job for codecov upload that only runs on trusted events | |
| upload-coverage: | |
| needs: [test] | |
| runs-on: ubuntu-latest | |
| name: Upload Coverage | |
| # Only run on push to main (trusted event) to avoid exposing secrets to forks | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Download coverage reports | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: coverage-reports | |
| path: coverage/ | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| test-react-18: | |
| needs: [install-cache-deps] | |
| runs-on: ubuntu-latest | |
| name: Test React 18 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Node.js and deps | |
| uses: ./.github/actions/setup-deps | |
| - name: Switch to React 18 | |
| run: | | |
| yarn remove react react-test-renderer react-native @react-native/babel-preset | |
| yarn add -D [email protected] [email protected] [email protected] @react-native/[email protected] | |
| - name: Test | |
| run: yarn test:ci |