From 0040a5b0a9f6d55b7ec1631fa92ab2efcc8d0964 Mon Sep 17 00:00:00 2001 From: Joshua Fernandes Date: Tue, 16 Jul 2024 09:17:17 +1000 Subject: [PATCH] standardised workflows (#1400) * standardised workflows * package-lock.json updates for build errors --- .../workflows/{build-lint.yml => build.yml} | 25 +++-------- .github/workflows/case.yml | 34 +++++++++++++++ .github/workflows/dependabot.yml | 11 +++++ .github/workflows/dependency_review.yml | 24 +++++++++++ .github/workflows/lint.yml | 42 +++++++++++++++++++ .github/workflows/main.yml | 27 +++++++++--- .github/workflows/security-code-scanner.yml | 35 ++++------------ .github/workflows/trivy.yml | 18 ++++++++ 8 files changed, 166 insertions(+), 50 deletions(-) rename .github/workflows/{build-lint.yml => build.yml} (55%) create mode 100644 .github/workflows/case.yml create mode 100644 .github/workflows/dependabot.yml create mode 100644 .github/workflows/dependency_review.yml create mode 100644 .github/workflows/lint.yml create mode 100644 .github/workflows/trivy.yml diff --git a/.github/workflows/build-lint.yml b/.github/workflows/build.yml similarity index 55% rename from .github/workflows/build-lint.yml rename to .github/workflows/build.yml index 7a697835388..173104aeb36 100644 --- a/.github/workflows/build-lint.yml +++ b/.github/workflows/build.yml @@ -1,4 +1,5 @@ -name: Build and lint +--- +name: Build on: workflow_call: 
@@ -12,31 +13,17 @@ env: SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_KEY }} LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }} + jobs: build: name: Build runs-on: ubuntu-latest - needs: - - prepare + permissions: + contents: read steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build uses: ConsenSys/docs-gha/build@main with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - lint: - name: Lint - runs-on: ubuntu-latest - needs: - - prepare - steps: - - uses: actions/checkout@v3 - - - name: Lint - uses: ConsenSys/docs-gha/lint@main - with: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - \ No newline at end of file diff --git a/.github/workflows/case.yml b/.github/workflows/case.yml new file mode 100644 index 00000000000..b02e08c7c30 --- /dev/null +++ b/.github/workflows/case.yml @@ -0,0 +1,34 @@ +--- +name: Check file name case + +on: + workflow_call: + secrets: + SEGMENT_ANALYTICS_KEY: + required: true + LD_CLIENT_ID: + required: true + +env: + SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_KEY }} + LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }} + + +jobs: + case: + name: Check for case being inconsistent + runs-on: ubuntu-latest + strategy: + matrix: + folder: ["docs"] + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + + - name: Case check action + uses: ConsenSys/docs-gha/case@main + with: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DOC_DIR: ${{ matrix.folder }} + SKIP_TEST: true diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml new file mode 100644 index 00000000000..f43eea3b1d1 --- /dev/null +++ b/.github/workflows/dependabot.yml @@ -0,0 +1,11 @@ +name: 'Dependency Review' + +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + day: "sunday" + assignees: + - "protocol-galileo" \ No newline at end of file 
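Review bot: The added `- uses: actions/checkout@v4` step and the `uses: ConsenSys/docs-gha/build@main` line below it reference actions by mutable refs (a floating major tag and a branch), so what the build job executes can change without any commit in this repository. Pinning to a full commit SHA with a version comment, for example `- uses: actions/checkout@<full-commit-sha> # v4`, keeps the workflow reproducible and reviewable; the same applies to every new `ConsenSys/docs-gha/*@main` reference in case.yml, dependency_review.yml, lint.yml, trivy.yml and security-code-scanner.yml. If docs-gha is maintained by the same team, a tag pin is still worth having so that a change there becomes an explicit bump here. The old-side `needs: - prepare` removal leaves no `prepare` job in this file, which is consistent with the new single-job layout.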
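Review bot: The workflow-level `env:` in case.yml exports `SEGMENT_ANALYTICS_KEY` and `LD_CLIENT_ID` into every step of the `case` job, yet nothing visible in the job reads them; they look carried over from the build workflow. Unless `ConsenSys/docs-gha/case@main` needs them, dropping the `env:` block and the two `required: true` secret inputs (and the matching `secrets:` lines under `case:` in main.yml) stops the checkout step and the action from receiving secrets they have no use for; lint.yml has the same pattern. If they are needed, a one-line comment above `env:` naming the step that consumes them would save the next reader the same question.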
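Review bot: The new `.github/workflows/dependabot.yml` is a Dependabot configuration (`version: 2`, `updates:`), not a workflow, so at this path Actions will treat it as a workflow and flag it as invalid (no `on:`/`jobs:`), while Dependabot itself only reads `.github/dependabot.yml` and will never see it. Move the file to `.github/dependabot.yml` and drop the `name: 'Dependency Review'` key, which is not part of the Dependabot schema. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.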
diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml new file mode 100644 index 00000000000..5104c94c04e --- /dev/null +++ b/.github/workflows/dependency_review.yml @@ -0,0 +1,24 @@ +--- +name: Check file name case + +on: + pull_request: + branches: + - main + +jobs: + case: + name: Check for licences not being allowed + runs-on: ubuntu-latest + strategy: + matrix: + folder: ["docs"] + permissions: + contents: read + steps: + - uses: actions/checkout@v3 + + - name: Dependency review + uses: ConsenSys/docs-gha/dependency-review@main + with: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 00000000000..5296fba729c --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,42 @@ +--- +name: Check for lint, spelling and link errors + +on: + workflow_call: + secrets: + SEGMENT_ANALYTICS_KEY: + required: true + LD_CLIENT_ID: + required: true + +env: + SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_KEY }} + LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }} + + +jobs: + lint: + name: Lint Code Base, Spelling, Link Check + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + + - name: Lint + uses: ConsenSys/docs-gha/lint@main + with: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + linkCheck: + name: Link Checking + runs-on: ubuntu-latest + strategy: + matrix: + file-extensions: [".md", ".mdx"] + steps: + - uses: actions/checkout@v4 + - name: LinkCheck + uses: ConsenSys/docs-gha/linkcheck@main + with: + FILE_EXTENSION: ${{ matrix.file-extensions }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a1299207ac6..8922e758ba3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
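Review bot: The workflow `name: Check file name case` and the job id `case` in dependency_review.yml are copied from case.yml and describe a different check than the job's own `name: Check for licences not being allowed`. The `strategy.matrix.folder` block is unused by the single step, and the checkout is `actions/checkout@v3` while every other workflow in this commit moves to `@v4`. Suggested: `name: Dependency review`, job id `dependency-review`, remove the `strategy:` block, and `- uses: actions/checkout@v4`.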
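Review bot: The `linkCheck` job in lint.yml has no `permissions:` block, unlike the `lint` job above it which sets `contents: read`, so its `GITHUB_TOKEN` falls back to the repository's default workflow permissions. Add `permissions:` with `contents: read` under its `runs-on: ubuntu-latest` so both jobs in the file run with the same least-privilege token. A kebab-case job id (`link-check`) would also match the `all-jobs-completed` style used in main.yml.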
@@ -10,7 +10,7 @@ jobs: name: Check workflows runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Download actionlint id: download-actionlint run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.22 @@ -19,19 +19,36 @@ jobs: run: ${{ steps.download-actionlint.outputs.executable }} -color shell: bash - build-lint: - name: Build and lint - uses: ./.github/workflows/build-lint.yml + build: + name: Build + uses: ./.github/workflows/build.yml secrets: SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_DEV_KEY }} LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }} + lint: + name: Lint + uses: ./.github/workflows/lint.yml + secrets: + SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_DEV_KEY }} + LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }} + + case: + name: Case + uses: ./.github/workflows/case.yml + secrets: + SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_DEV_KEY }} + LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }} + + all-jobs-completed: name: All jobs completed runs-on: ubuntu-latest needs: - check-workflows - - build-lint + - build + - lint + - case outputs: PASSED: ${{ steps.set-output.outputs.PASSED }} steps: diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml index ced04497b9e..e414d69bbba 100644 --- a/.github/workflows/security-code-scanner.yml +++ b/.github/workflows/security-code-scanner.yml @@ -2,9 +2,11 @@ name: 'MetaMask Security Code Scanner' on: push: - branches: ['main'] + branches: + - 'main' pull_request: - branches: ['main'] + branches: + - 'main' jobs: run-security-scan: 
@@ -14,30 +16,11 @@ jobs: contents: read security-events: write steps: + - uses: actions/checkout@v4 - name: MetaMask Security Code Scanner - uses: MetaMask/Security-Code-Scanner@main + uses: ConsenSys/docs-gha/mm-security-scanner@main with: repo: ${{ github.repository }} - paths_ignored: | - .storybook/ - '**/__snapshots__/' - '**/*.snap' - '**/*.stories.js' - '**/*.stories.tsx' - '**/*.test.browser.ts*' - '**/*.test.js*' - '**/*.test.ts*' - '**/fixtures/' - '**/jest.config.js' - '**/jest.environment.js' - '**/mocks/' - '**/test*/' - docs/ - e2e/ - merged-packages/ - node_modules - storybook/ - test*/ - rules_excluded: example - project_metrics_token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} - slack_webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} + APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 00000000000..0258e1b81e7 --- /dev/null +++ b/.github/workflows/trivy.yml @@ -0,0 +1,18 @@ +--- +name: Trivy + +on: + pull_request: + branches: + - main + +jobs: + trivy: + name: Run trivy scanner + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Trivy + uses: ConsenSys/docs-gha/trivy@main + with: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file
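Review bot: The `paths_ignored` list and `rules_excluded: example` disappear together with the direct scanner call, and the replacement `ConsenSys/docs-gha/mm-security-scanner@main` step receives only the repository name and three secrets, so either the wrapper carries its own ignore list or the scan now covers docs/, fixtures and test files that were previously excluded. A comment above the step stating where those exclusions now live, or that the wider scope is intended, would make the scope change explicit, e.g. `# path ignores and rule exclusions are configured inside docs-gha/mm-security-scanner` if that is the case. The job's `permissions:` block begins above this hunk, so whether `security-events: write` is still needed by the wrapper cannot be judged from here.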
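Review bot: The `trivy` job in trivy.yml declares no `permissions:`, so the `GITHUB_TOKEN` it passes to `ConsenSys/docs-gha/trivy@main` carries the repository's default workflow permissions rather than the `contents: read` that build.yml, case.yml and lint.yml set. Add `permissions:` with `contents: read` under `runs-on: ubuntu-latest`, adding `security-events: write` only if the action uploads SARIF, which is not visible here. The file also ends without a trailing newline.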