Use multiple accounts in canary workflow (#1902) #5802
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: health_checks | |
on: | |
push: | |
branches: | |
- main | |
- hotfix | |
pull_request: | |
branches: | |
- main | |
- hotfix | |
- feature/** | |
schedule: | |
# Every day at At minute 0 past hour 0, 6, 12, and 18 UTC. | |
# This is to make sure that there is at least one workflow run every 24 hours | |
# taking into account that | |
# 1) scheduled runs may not fire at exact prescribed time; | |
# 2) transient failures may happen and auto recover; | |
- cron: '0 0,6,12,18 * * *' | |
workflow_dispatch: | |
jobs: | |
install: | |
strategy: | |
matrix: | |
# Windows install must happen on the same worker size as subsequent jobs. | |
# Larger workers use different drive (C: instead of D:) to check out project and NPM installation | |
# creates file system links that include drive letter. | |
# Changing between standard and custom workers requires full install cache invalidation | |
os: [ubuntu-latest, macos-14, windows-latest] | |
node: [18, 20] | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 10 | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
with: | |
node-version: ${{ matrix.node }} | |
- uses: ./.github/actions/install_with_cache | |
with: | |
node-version: ${{ matrix.node }} | |
build: | |
strategy: | |
matrix: | |
node: [18, 20] | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
with: | |
node-version: ${{ matrix.node }} | |
- uses: ./.github/actions/build_with_cache | |
with: | |
node-version: ${{ matrix.node }} | |
test_with_coverage: | |
needs: | |
- build | |
strategy: | |
matrix: | |
os: [ubuntu-latest, macos-14, windows-latest] | |
node: [18, 20] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
with: | |
node-version: ${{ matrix.node }} | |
- uses: ./.github/actions/restore_build_cache | |
with: | |
node-version: ${{ matrix.node }} | |
- run: npm run set-script-shell | |
- run: npm run test:coverage:threshold | |
test_scripts: | |
needs: | |
- build | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- run: | | |
npm run set-script-shell | |
npm run test:scripts | |
test_with_baseline_dependencies: | |
needs: | |
- install | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- name: Pin some dependencies to nearest patch and rebuild | |
run: | | |
npx tsx scripts/set_baseline_dependency_versions.ts | |
npm install | |
# print out diff for auditing or troubleshooting | |
git diff | |
npm run build | |
- name: Run unit and integration tests | |
run: | | |
npm run set-script-shell | |
npm run test | |
check_api_changes: | |
if: github.event_name == 'pull_request' | |
needs: | |
- build | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Checkout pull request ref | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- name: Publish packages locally | |
timeout-minutes: 2 | |
run: | | |
npm run start:npm-proxy | |
# keep git diff with version increment to make sure test projects resolve right version | |
npm run publish:local -- --keepGitDiff | |
- name: Checkout base branch | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
with: | |
path: base-branch-content | |
ref: ${{ github.event.pull_request.base.sha }} | |
- name: Check API changes | |
run: | | |
mkdir api-validation-projects | |
npx tsx scripts/check_api_changes.ts base-branch-content api-validation-projects | |
do_include_e2e: | |
needs: | |
- install | |
runs-on: ubuntu-latest | |
permissions: | |
# This is required so that the step can read the labels on the pull request | |
pull-requests: read | |
env: | |
# The do_include_e2e script needs to query pull request labels | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
outputs: | |
run_e2e: ${{ steps.check.outputs.run_e2e }} | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- name: Check if E2E tests should run | |
id: check | |
run: echo "run_e2e=$(npx tsx scripts/do_include_e2e.ts)" >> "$GITHUB_OUTPUT" | |
- run: echo run_e2e set to ${{ steps.check.outputs.run_e2e }} | |
e2e_iam_access_drift: | |
if: needs.do_include_e2e.outputs.run_e2e == 'true' | |
runs-on: ubuntu-latest | |
timeout-minutes: 25 | |
needs: | |
- do_include_e2e | |
- build | |
permissions: | |
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub | |
id-token: write | |
contents: read | |
steps: | |
- name: Get baseline commit sha | |
id: get_baseline_commit_sha | |
env: | |
GH_TOKEN: ${{ github.token }} | |
run: | | |
if [[ ${{ github.event_name }} == 'push' ]]; then | |
# The SHA of the most recent commit on ref before the push. | |
baseline_commit_sha="${{ github.event.before }}" | |
elif [[ ${{ github.event_name }} == 'pull_request' ]]; then | |
# The SHA of the HEAD commit on base branch. | |
baseline_commit_sha="${{ github.event.pull_request.base.sha }}" | |
elif [[ ${{ github.event_name }} == 'schedule' ]] || [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then | |
# The SHA of the parent of HEAD commit on main branch. | |
# This assumes linear history of main branch, i.e. one parent. | |
# These events have only information about HEAD commit, hence the need for lookup. | |
baseline_commit_sha=$(gh api /repos/${{ github.repository }}/commits/${{ github.sha }} | jq -r '.parents[0].sha') | |
else | |
echo Unable to determine baseline commit sha; | |
exit 1; | |
fi | |
echo baseline commit sha is $baseline_commit_sha; | |
echo "baseline_commit_sha=$baseline_commit_sha" >> "$GITHUB_OUTPUT"; | |
- name: Checkout baseline version | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
with: | |
ref: ${{ steps.get_baseline_commit_sha.outputs.baseline_commit_sha }} | |
- uses: ./.github/actions/setup_node | |
- name: Install and build baseline version | |
run: | | |
npm ci | |
npm run build | |
- name: Move baseline version | |
id: move_baseline_version | |
run: | | |
BASELINE_DIR=$(mktemp -d) | |
# Command below makes shell include .hidden files in file system commands (i.e. mv). | |
# This is to make sure that .git directory is moved with the repo content. | |
shopt -s dotglob | |
mv ./* $BASELINE_DIR | |
echo "baseline_dir=$BASELINE_DIR" >> "$GITHUB_OUTPUT"; | |
- name: Checkout current version | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- name: Select E2E test account | |
uses: ./.github/actions/select_e2e_account | |
id: selectE2EAccount | |
with: | |
e2e_test_accounts: ${{ vars.E2E_TEST_ACCOUNTS }} | |
- name: Configure test tooling credentials | |
uses: ./.github/actions/setup_profile | |
with: | |
role-to-assume: ${{ steps.selectE2EAccount.outputs.e2e_test_tooling_role }} | |
aws-region: us-west-2 | |
profile-name: e2e-tooling | |
- name: Configure test execution credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2 | |
with: | |
role-to-assume: ${{ steps.selectE2EAccount.outputs.e2e_execution_role }} | |
aws-region: us-west-2 | |
- name: Run e2e iam access drift test | |
run: npm run test:dir packages/integration-tests/lib/test-e2e/iam_access_drift.test.js | |
env: | |
BASELINE_DIR: ${{ steps.move_baseline_version.outputs.baseline_dir }} | |
e2e_deployment: | |
if: needs.do_include_e2e.outputs.run_e2e == 'true' | |
strategy: | |
# will finish running other test matrices even if one fails | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-14-xlarge, windows-latest] | |
node-version: [18, 20] | |
# skip multiple node version test on other os | |
exclude: | |
- os: macos-14-xlarge | |
node-version: 20 | |
- os: windows-latest | |
node-version: 20 | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: ${{ matrix.os == 'windows-latest' && 35 || 25 }} | |
needs: | |
- do_include_e2e | |
- build | |
permissions: | |
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
with: | |
node-version: ${{ matrix.node-version }} | |
- uses: ./.github/actions/restore_build_cache | |
- run: cd packages/cli && npm link | |
- name: Select E2E test account | |
uses: ./.github/actions/select_e2e_account | |
id: selectE2EAccount | |
with: | |
e2e_test_accounts: ${{ vars.E2E_TEST_ACCOUNTS }} | |
- name: Configure test tooling credentials | |
uses: ./.github/actions/setup_profile | |
with: | |
role-to-assume: ${{ steps.selectE2EAccount.outputs.e2e_test_tooling_role }} | |
aws-region: us-west-2 | |
profile-name: e2e-tooling | |
- name: Configure test execution credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2 | |
with: | |
role-to-assume: ${{ steps.selectE2EAccount.outputs.e2e_execution_role }} | |
aws-region: us-west-2 | |
- name: Run e2e deployment tests | |
run: npm run test:dir packages/integration-tests/lib/test-e2e/deployment.test.js | |
e2e_sandbox: | |
if: needs.do_include_e2e.outputs.run_e2e == 'true' | |
strategy: | |
# will finish running other test matrices even if one fails | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-14-xlarge, windows-latest] | |
node-version: [18, 20] | |
# skip multiple node version test on other os | |
exclude: | |
- os: macos-14-xlarge | |
node-version: 20 | |
- os: windows-latest | |
node-version: 20 | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: ${{ matrix.os == 'windows-latest' && 35 || 25 }} | |
needs: | |
- do_include_e2e | |
- build | |
permissions: | |
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
with: | |
node-version: ${{ matrix.node-version }} | |
- uses: ./.github/actions/restore_build_cache | |
- run: cd packages/cli && npm link | |
- name: Select E2E test account | |
uses: ./.github/actions/select_e2e_account | |
id: selectE2EAccount | |
with: | |
e2e_test_accounts: ${{ vars.E2E_TEST_ACCOUNTS }} | |
- name: Configure test tooling credentials | |
uses: ./.github/actions/setup_profile | |
with: | |
role-to-assume: ${{ steps.selectE2EAccount.outputs.e2e_test_tooling_role }} | |
aws-region: us-west-2 | |
profile-name: e2e-tooling | |
- name: Configure test execution credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2 | |
with: | |
role-to-assume: ${{ steps.selectE2EAccount.outputs.e2e_execution_role }} | |
aws-region: us-west-2 | |
- name: Run e2e sandbox tests | |
run: npm run test:dir packages/integration-tests/lib/test-e2e/sandbox.test.js | |
e2e_backend_output: | |
if: needs.do_include_e2e.outputs.run_e2e == 'true' | |
runs-on: ubuntu-latest | |
timeout-minutes: 25 | |
needs: | |
- do_include_e2e | |
- build | |
permissions: | |
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- run: cd packages/cli && npm link | |
- name: Select E2E test account | |
uses: ./.github/actions/select_e2e_account | |
id: selectE2EAccount | |
with: | |
e2e_test_accounts: ${{ vars.E2E_TEST_ACCOUNTS }} | |
- name: Configure test tooling credentials | |
uses: ./.github/actions/setup_profile | |
with: | |
role-to-assume: ${{ steps.selectE2EAccount.outputs.e2e_test_tooling_role }} | |
aws-region: us-west-2 | |
profile-name: e2e-tooling | |
- name: Configure test execution credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2 | |
with: | |
role-to-assume: ${{ steps.selectE2EAccount.outputs.e2e_execution_role }} | |
aws-region: us-west-2 | |
- name: Run e2e backend output tests | |
run: npm run test:dir packages/integration-tests/lib/test-e2e/backend_output.test.js | |
e2e_create_amplify: | |
if: needs.do_include_e2e.outputs.run_e2e == 'true' | |
strategy: | |
# will finish running other test matrices even if one fails | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-14, windows-latest] | |
node-version: [18, 20] | |
# skip multiple node version test on other os | |
exclude: | |
- os: macos-14 | |
node-version: 20 | |
- os: windows-latest | |
node-version: 20 | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: ${{ matrix.os == 'windows-latest' && 35 || 25 }} | |
needs: | |
- do_include_e2e | |
- build | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
with: | |
node-version: ${{ matrix.node-version }} | |
- uses: ./.github/actions/restore_build_cache | |
- run: cd packages/cli && npm link | |
- name: Run e2e create-amplify tests | |
run: npm run test:dir packages/integration-tests/lib/test-e2e/create_amplify.test.js | |
e2e_package_manager: | |
if: needs.do_include_e2e.outputs.run_e2e == 'true' | |
strategy: | |
# will finish running other test matrices even if one fails | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-14, windows-latest] | |
pkg-manager: [npm, yarn-classic, yarn-modern, pnpm] | |
node-version: ['20'] | |
env: | |
PACKAGE_MANAGER: ${{ matrix.pkg-manager }} | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 25 | |
needs: | |
- build | |
- do_include_e2e | |
permissions: | |
# these permissions are required for the configure-aws-credentials action to get a JWT from GitHub | |
id-token: write | |
contents: read | |
steps: | |
- name: Checkout aws-amplify/amplify-cli repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Setup Node.js | |
uses: ./.github/actions/setup_node | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: Restore Build Cache | |
uses: ./.github/actions/restore_build_cache | |
- name: Select E2E test account | |
uses: ./.github/actions/select_e2e_account | |
id: selectE2EAccount | |
with: | |
e2e_test_accounts: ${{ vars.E2E_TEST_ACCOUNTS }} | |
- name: Configure test tooling credentials | |
uses: ./.github/actions/setup_profile | |
with: | |
role-to-assume: ${{ steps.selectE2EAccount.outputs.e2e_test_tooling_role }} | |
aws-region: us-west-2 | |
profile-name: e2e-tooling | |
- name: Configure test execution credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # version 4.0.2 | |
with: | |
role-to-assume: ${{ steps.selectE2EAccount.outputs.e2e_execution_role }} | |
aws-region: us-west-2 | |
- name: Run E2E flow tests with ${{ matrix.pkg-manager }} | |
shell: bash | |
run: | | |
PACKAGE_MANAGER=${{matrix.pkg-manager}} npm run test:dir packages/integration-tests/src/package_manager_sanity_checks.test.ts | |
lint: | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- run: npm run lint | |
check_dependencies: | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- run: npm run check:dependencies | |
check_tsconfig_refs: | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- run: npm run check:tsconfig-refs | |
check_api_extract: | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- run: npm run check:api | |
docs_build_and_publish: | |
runs-on: ubuntu-latest | |
needs: | |
- build | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- run: npm run docs | |
- if: ${{ github.event_name == 'push' && github.ref_name == 'main' }} | |
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # version 4.0.0 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
publish_dir: ./docs | |
publish_branch: docs | |
check_pr_size: | |
if: github.event_name == 'pull_request' | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- run: git fetch origin | |
- run: npm run diff:check ${{ github.event.pull_request.base.sha }} | |
check_pr_changesets: | |
if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'github-actions[bot]' | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
with: | |
# fetch full history so that changeset can properly compute divergence point | |
fetch-depth: 0 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- name: Validate that PR has changeset | |
run: npx changeset status --since origin/${{ github.event.pull_request.base.ref }} | |
- name: Validate changeset is not missing packages | |
run: npx tsx scripts/check_changeset_completeness.ts ${{ github.event.pull_request.base.sha }} | |
- name: Validate that changeset has necessary dependency updates | |
run: | | |
npx changeset version | |
npm update | |
npm run check:dependencies | |
check_package_versions: | |
if: github.event_name == 'pull_request' | |
runs-on: ubuntu-latest | |
needs: | |
- install | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- run: npx changeset version | |
- run: npm run check:package-versions | |
update_package_versions: | |
if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'hotfix') }} | |
needs: | |
- install | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_install_cache | |
- id: is_version_packages_commit | |
run: echo "is_version_packages_commit=$(npx tsx scripts/is_version_packages_commit.ts)" >> "$GITHUB_OUTPUT" | |
- name: Create or update Version Packages PR | |
# if this push is NOT merging a version packages PR, then we update/create the version packages PR | |
if: ${{ steps.is_version_packages_commit.outputs.is_version_packages_commit == 'false' }} | |
uses: changesets/action@aba318e9165b45b7948c60273e0b72fce0a64eb9 # version 1.4.7 | |
with: | |
createGithubReleases: false | |
# this should never be called, but if something happens and it does get called, this ensures that a premature publish won't happen | |
publish: echo Cannot publish during update version step | |
env: | |
# we are also omitting the NPM_TOKEN here to eliminate the possibility of publishing to NPM during this step | |
# we still need the GITHUB_TOKEN so that the version packages PR can be updated | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
publish_package_versions: | |
if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'hotfix') }} | |
needs: | |
- test_with_coverage | |
- e2e_package_manager | |
- e2e_deployment | |
- e2e_sandbox | |
- e2e_create_amplify | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- uses: ./.github/actions/setup_node | |
- uses: ./.github/actions/restore_build_cache | |
- id: is_version_packages_commit | |
run: echo "is_version_packages_commit=$(npx tsx scripts/is_version_packages_commit.ts)" >> "$GITHUB_OUTPUT" | |
- name: Publish packages | |
# if this push is merging a version packages PR, then we publish the new versions | |
if: ${{ steps.is_version_packages_commit.outputs.is_version_packages_commit == 'true' }} | |
id: changeset_publish | |
uses: changesets/action@aba318e9165b45b7948c60273e0b72fce0a64eb9 # version 1.4.7 | |
with: | |
publish: npm run publish | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
- name: Update hotfix branch | |
if: ${{ steps.changeset_publish.outputs.published == 'true' && github.ref_name == 'main' }} | |
run: git push origin main:hotfix --force | |
codeql: | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
with: | |
# Minimal depth 2 so we can checkout the commit before possible merge commit. | |
fetch-depth: 2 | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # version 2.17.2 | |
with: | |
languages: javascript | |
queries: +security-and-quality | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@8fcfedf57053e09257688fce7a0beeb18b1b9ae3 # version 2.17.2 | |
with: | |
category: /language:javascript | |
dependency-review: | |
if: github.event_name == 'pull_request' | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4 | |
- name: Dependency Review | |
uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # version 4.3.2 | |
with: | |
config-file: ./.github/dependency_review_config.yml |