run dependency review only on pull requests #4620
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: health_checks | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - hotfix | |
| pull_request: | |
| branches: | |
| - main | |
| - hotfix | |
| - feature/** | |
| workflow_dispatch: | |
| jobs: | |
| install: | |
| strategy: | |
| matrix: | |
| # Windows install must happen on the same worker size as subsequent jobs. | |
| # Larger workers use different drive (C: instead of D:) to check out project and NPM installation | |
| # creates file system links that include drive letter. | |
| # Changing between standard and custom workers requires full install cache invalidation | |
| os: [ubuntu-latest, macos-14, windows-latest] | |
| node: [18, 20] | |
| runs-on: ${{ matrix.os }} | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - uses: ./.github/actions/install_with_cache | |
| with: | |
| node-version: ${{ matrix.node }} | |
| build: | |
| strategy: | |
| matrix: | |
| node: [18, 20] | |
| runs-on: ubuntu-latest | |
| needs: | |
| - install | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - uses: ./.github/actions/build_with_cache | |
| with: | |
| node-version: ${{ matrix.node }} | |
| test_with_coverage: | |
| needs: | |
| - build | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, macos-14, windows-latest] | |
| node: [18, 20] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - uses: ./.github/actions/restore_build_cache | |
| with: | |
| node-version: ${{ matrix.node }} | |
| - run: npm run set-script-shell | |
| - run: npm run test:coverage:threshold | |
| test_scripts: | |
| needs: | |
| - build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_build_cache | |
| - run: | | |
| npm run set-script-shell | |
| npm run test:scripts | |
| test_with_baseline_dependencies: | |
| needs: | |
| - install | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_install_cache | |
| - name: Pin some dependencies to nearest patch and rebuild | |
| run: | | |
| npx tsx scripts/set_baseline_dependency_versions.ts | |
| npm install | |
| # print out diff for auditing or troubleshooting | |
| git diff | |
| npm run build | |
| - name: Run unit and integration tests | |
| run: | | |
| npm run set-script-shell | |
| npm run test | |
| check_api_changes: | |
| if: github.event_name == 'pull_request' | |
| needs: | |
| - build | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Checkout pull request ref | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_build_cache | |
| - name: Publish packages locally | |
| timeout-minutes: 2 | |
| run: | | |
| npm run start:npm-proxy | |
| # keep git diff with version increment to make sure test projects resolve right version | |
| npm run publish:local -- --keepGitDiff | |
| - name: Checkout base branch | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| with: | |
| path: base-branch-content | |
| ref: ${{ github.event.pull_request.base.sha }} | |
| - name: Check API changes | |
| run: | | |
| mkdir api-validation-projects | |
| npx tsx scripts/check_api_changes.ts base-branch-content api-validation-projects | |
| do_include_e2e: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # This is required so that the step can read the labels on the pull request | |
| pull-requests: read | |
| env: | |
| # The gh cli expects the token at this environment variable | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| outputs: | |
| run_e2e: ${{ steps.check.outputs.run_e2e }} | |
| steps: | |
| # if this workflow is running on a push (ie merge to main), then e2e tests always run | |
| # if this workflow is triggered manually, then e2e tests always run | |
| # if the workflow is running on a pull request, we perform an additional check for the run-e2e label | |
| # this is not a security measure (that is already handled by the pull_request event behavior) but rather a way for PR authors to easily check e2e test results if they wish | |
| # the reason it doesn't run all the time is because it will always fail for external contributor PRs (they don't have access to repo secrets) and we don't want to waste resources running e2e on every PR commit | |
| - name: Check event is push to main or pull request has run-e2e label | |
| id: check | |
| run: | | |
| if [[ ${{ github.event_name }} == 'push' ]] || [[ ${{ github.event_name }} == 'workflow_dispatch' ]] || gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }} | jq -r '.labels[].name' | grep run-e2e --quiet; then | |
| echo setting run_e2e to true; | |
| echo "run_e2e=true" >> "$GITHUB_OUTPUT"; | |
| else | |
| echo setting run_e2e to false; | |
| echo "run_e2e=false" >> "$GITHUB_OUTPUT"; | |
| fi | |
| e2e_deployment: | |
| if: needs.do_include_e2e.outputs.run_e2e == 'true' | |
| strategy: | |
| # will finish running other test matrices even if one fails | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-14-xlarge, windows-latest] | |
| node-version: [18, 20] | |
| # skip multiple node version test on other os | |
| exclude: | |
| - os: macos-14-xlarge | |
| node-version: 20 | |
| - os: windows-latest | |
| node-version: 20 | |
| runs-on: ${{ matrix.os }} | |
| timeout-minutes: 25 | |
| needs: | |
| - do_include_e2e | |
| - build | |
| permissions: | |
| # these permissions are required for the configure-aws-credentials action to get a JWT from GitHub | |
| id-token: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - uses: ./.github/actions/restore_build_cache | |
| - run: cd packages/cli && npm link | |
| - name: Configure test tooling credentials | |
| uses: ./.github/actions/setup_profile | |
| with: | |
| role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }} | |
| aws-region: us-west-2 | |
| profile-name: e2e-tooling | |
| - name: Configure test execution credentials | |
| uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # version 3.0.1 | |
| with: | |
| role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }} | |
| aws-region: us-west-2 | |
| - name: Run e2e deployment tests | |
| run: npm run test:dir packages/integration-tests/lib/test-e2e/deployment.test.js | |
| e2e_create_amplify: | |
| if: needs.do_include_e2e.outputs.run_e2e == 'true' | |
| strategy: | |
| # will finish running other test matrices even if one fails | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-14, windows-latest] | |
| node-version: [18, 20] | |
| # skip multiple node version test on other os | |
| exclude: | |
| - os: macos-14 | |
| node-version: 20 | |
| - os: windows-latest | |
| node-version: 20 | |
| runs-on: ${{ matrix.os }} | |
| timeout-minutes: ${{ matrix.os == 'windows-latest' && 35 || 25 }} | |
| needs: | |
| - do_include_e2e | |
| - build | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - uses: ./.github/actions/restore_build_cache | |
| - run: cd packages/cli && npm link | |
| - name: Run e2e create-amplify tests | |
| run: npm run test:dir packages/integration-tests/lib/test-e2e/create_amplify.test.js | |
| e2e_package_manager: | |
| if: needs.do_include_e2e.outputs.run_e2e == 'true' | |
| strategy: | |
| # will finish running other test matrices even if one fails | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-14, windows-latest] | |
| pkg-manager: [npm, yarn-classic, yarn-modern, pnpm] | |
| node-version: ['20'] | |
| env: | |
| PACKAGE_MANAGER: ${{ matrix.pkg-manager }} | |
| runs-on: ${{ matrix.os }} | |
| timeout-minutes: 25 | |
| needs: | |
| - build | |
| - do_include_e2e | |
| permissions: | |
| # these permissions are required for the configure-aws-credentials action to get a JWT from GitHub | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Checkout aws-amplify/amplify-cli repo | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Setup Node.js | |
| uses: ./.github/actions/setup_node | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - name: Restore Build Cache | |
| uses: ./.github/actions/restore_build_cache | |
| - name: Configure test tooling credentials | |
| uses: ./.github/actions/setup_profile | |
| with: | |
| role-to-assume: ${{ secrets.E2E_TOOLING_ROLE_ARN }} | |
| aws-region: us-west-2 | |
| profile-name: e2e-tooling | |
| - name: Configure test execution credentials | |
| uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # version 3.0.1 | |
| with: | |
| role-to-assume: ${{ secrets.E2E_RUNNER_ROLE_ARN }} | |
| aws-region: us-west-2 | |
| - name: Run E2E flow tests with ${{ matrix.pkg-manager }} | |
| shell: bash | |
| run: | | |
| PACKAGE_MANAGER=${{matrix.pkg-manager}} npm run test:dir packages/integration-tests/src/package_manager_sanity_checks.test.ts | |
| lint: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_build_cache | |
| - run: npm run lint | |
| check_dependencies: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - install | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_install_cache | |
| - run: npm run check:dependencies | |
| check_tsconfig_refs: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - install | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_install_cache | |
| - run: npm run check:tsconfig-refs | |
| check_api_extract: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_build_cache | |
| - run: npm run check:api | |
| docs_build_and_publish: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_build_cache | |
| - run: npm run docs | |
| - if: ${{ github.event_name == 'push' && github.ref_name == 'main' }} | |
| uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # version 3.9.3 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| publish_dir: ./docs | |
| publish_branch: docs | |
| check_pr_size: | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| needs: | |
| - install | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_install_cache | |
| - run: git fetch origin | |
| - run: npm run diff:check ${{ github.event.pull_request.base.sha }} | |
| check_pr_has_changeset: | |
| if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'github-actions[bot]' | |
| runs-on: ubuntu-latest | |
| needs: | |
| - install | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| with: | |
| # fetch full history so that changeset can properly compute divergence point | |
| fetch-depth: 0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_install_cache | |
| - name: Validate that PR has change set | |
| run: | | |
| npx changeset status --since origin/${{ github.event.pull_request.base.ref }} | |
| - name: Validate that change set has necessary dependency updates | |
| run: | | |
| npx changeset version | |
| npm update | |
| npm run check:dependencies | |
| check_package_versions: | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| needs: | |
| - install | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_install_cache | |
| - run: npx changeset version | |
| - run: npm run check:package-versions | |
| update_package_versions: | |
| if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'hotfix') }} | |
| needs: | |
| - install | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_install_cache | |
| - id: is_version_packages_commit | |
| run: npx tsx scripts/is_version_packages_commit.ts "$GITHUB_EVENT_PATH" >> "$GITHUB_OUTPUT" | |
| - name: Create or update Version Packages PR | |
| # if this push is NOT merging a version packages PR, then we update/create the version packages PR | |
| if: ${{ steps.is_version_packages_commit.outputs.is_version_packages_commit == 'false' }} | |
| uses: changesets/action@f13b1baaa620fde937751f5d2c3572b9da32af23 # version 1.4.5 | |
| with: | |
| createGithubReleases: false | |
| # this should never be called, but if something happens and it does get called, this ensures that a premature publish won't happen | |
| publish: echo Cannot publish during update version step | |
| env: | |
| # we are also omitting the NPM_TOKEN here to eliminate the possibility of publishing to NPM during this step | |
| # we still need the GITHUB_TOKEN so that the version packages PR can be updated | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| publish_package_versions: | |
| if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'hotfix') }} | |
| needs: | |
| - test_with_coverage | |
| - e2e_package_manager | |
| - e2e_deployment | |
| - e2e_create_amplify | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - uses: ./.github/actions/setup_node | |
| - uses: ./.github/actions/restore_build_cache | |
| - id: is_version_packages_commit | |
| run: npx tsx scripts/is_version_packages_commit.ts "$GITHUB_EVENT_PATH" >> "$GITHUB_OUTPUT" | |
| - name: Publish packages | |
| # if this push is merging a version packages PR, then we publish the new versions | |
| if: ${{ steps.is_version_packages_commit.outputs.is_version_packages_commit == 'true' }} | |
| id: changeset_publish | |
| uses: changesets/action@f13b1baaa620fde937751f5d2c3572b9da32af23 # version 1.4.5 | |
| with: | |
| publish: npm run publish | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| - name: Update hotfix branch | |
| if: ${{ steps.changeset_publish.outputs.published == 'true' && github.ref_name == 'main' }} | |
| run: git push origin main:hotfix --force | |
| codeql: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| with: | |
| # Minimal depth 2 so we can checkout the commit before possible merge commit. | |
| fetch-depth: 2 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@e4262713b504983e61c7728f5452be240d9385a7 # version 2.14.3 | |
| with: | |
| languages: javascript | |
| queries: +security-and-quality | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@e4262713b504983e61c7728f5452be240d9385a7 # version 2.14.3 | |
| with: | |
| category: /language:javascript | |
| dependency-review: | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # version 4.3.2 | |
| with: | |
| config-file: ./.github/dependency_review_config.yml |