refactor: Node20, multi-OS/Arch, caching, tests, and Workflows

slsa-framework · Sep 17, 2024 · cc5b65d · cc5b65d
1 parent 767ecf9
commit cc5b65d
Show file tree

Hide file tree

Showing 29 changed files with 9,219 additions and 5,687 deletions.
diff --git a/.github/workflows/e2e.schedule.installer.yml b/.github/workflows/e2e.schedule.installer.yml
diff --git a/.github/workflows/update-actions-dist-post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml
@@ -1,98 +1,138 @@
 # A workflow to run against renovate-bot's PRs,
-# such as `make package` after it updates the package.json and package-lock.json files.
+# such as `npm run bundle` after it updates the package.json and
+# package-lock.json files.
 
-# The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact.
-# Then a higher-privilege Job applies the diff and pushes the changes to the PR.
-# It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes!
+# The potentially untrusted code is first run inside a low-privilege Job, and
+# the diff is uploaded as an artifact. Then a higher-privilege Job applies the
+# diff and pushes the changes to the PR. It's important to only run this
+# workflow against PRs from trusted sources, after also reviewing the changes!
 
-# There have been vulnerabilities with using `git apply` https://github.blog/2023-04-25-git-security-vulnerabilities-announced-4/
-# At this point a compromised git binary cannot modify any of this repo's branches, only the PR fork's branch,
-# due to our branch protection rules and CODEOWNERS.
-# It aslso cannot submit a new release or modify exsiting releases due to tag protection rules.
+# There have been vulnerabilities with using `git apply`
+# https://github.blog/2023-04-25-git-security-vulnerabilities-announced-4/
+#
+# At this point a compromised git binary cannot modify any of this repo's
+# branches, only the PR fork's branch, due to our branch protection rules and
+# CODEOWNERS. It aslso cannot submit a new release or modify exsiting releases
+# due to tag protection rules.
 
-name: Update actions dist post-commit
-
-permissions: {}
+name: Update Actions dist/ post-commit
+run-name: "Updating dist/ for PR #${{ inputs.pr_number }}"
 
 on:
-    workflow_dispatch:
-        inputs:
-            pr_number:
-                description: "The pull request number."
-                required: true
-                type: number
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        type: number
+        description: Pull Request number
+        required: true
+
+# Grant no permissions by default
+permissions: {}
 
 jobs:
-    diff:
-        permissions:
-            # This Job executes the PR's untrusted code, so it must how low permissions.
-            pull-requests: read
-        outputs:
-            patch_not_empty: ${{ steps.diff.outputs.patch_not_empty }}
-        runs-on: ubuntu-latest
-        steps:
-            - name: checkout
-              uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-              with:
-                  repository: ${{ github.repository }}
-                  persist-credentials: false
-            - name: checkout-pr
-              env:
-                  GH_TOKEN: ${{ github.token }}
-                  PR_NUMBER: ${{ inputs.pr_number }}
-              run: gh pr checkout "$PR_NUMBER"
-            - name: run-command
-              run: |
-                (
-                    cd ./actions/installer/dist/../ && \
-                    make clean && \
-                    make package
-                )
-            - name: diff
-              id: diff
-              run: |
-                  git add .
-                  git status
-                  git diff HEAD > changes.patch
-                  [ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true
-                  echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT"
-            - name: upload
-              uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
-              with:
-                  name: changes.patch
-                  path: changes.patch
-
-    push:
-        if: needs.diff.outputs.patch_not_empty == 'true'
-        needs: diff
-        runs-on: ubuntu-latest
-        permissions:
-            # This Job does not run untrusted code, but it does need to push changes to the PR's branch.
-            pull-requests: read
-            contents: write
-        steps:
-            - name: checkout
-              uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-            - name: checkout-pr
-              env:
-                  GH_TOKEN: ${{ github.token }}
-                  PR_NUMBER: ${{ inputs.pr_number }}
-              run: gh pr checkout "$PR_NUMBER"
-            - name: download-patch
-              uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
-              with:
-                  name: changes.patch
-            - id: apply
-              run: |
-                  git apply changes.patch
-                  rm changes.patch
-            # example from
-            # https://github.com/actions/checkout/blob/cd7d8d697e10461458bc61a30d094dc601a8b017/README.md#push-a-commit-using-the-built-in-token
-            - name: push
-              run: |
-                  git config user.name github-actions
-                  git config user.email github-actions@github.com
-                  git add .
-                  git status
-                  git commit -s -m "update actions dist"
-                  git push
+  check:
+    name: Check action changes
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: actions/installer
+    outputs:
+      has-change: ${{ steps.compare.outputs.diff }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
+          sparse-checkout: |
+            actions/installer/
+
+      - name: Checkout PR
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ inputs.pr_number }}
+        run: gh pr checkout "$PR_NUMBER"
+
+      - name: Setup Node.js
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        with:
+          node-version-file: actions/installer/.node-version
+          cache: npm
+
+      - name: Install Dependencies
+        run: npm ci
+
+      - name: Check Format
+        run: npm run format:check
+
+      - name: Lint
+        run: npm run lint
+
+      - name: Test
+        run: npm run ci-test
+
+      - name: Build dist/ Directory
+        run: npm run package
+
+      - name: Compare Directories
+        id: compare
+        shell: bash
+        run: |
+          if [ ! -d dist/ ]; then
+            echo "::error::Expected dist/ directory does not exist"
+            exit 1
+          fi
+
+          [ "$(git diff --ignore-space-at-eol --text dist/ | wc -l)" -eq 0 ] && DIFF=false || DIFF=true
+          echo "diff=$DIFF" | tee -a "$GITHUB_OUTPUT"
+          if [ "$DIFF" == "true" ]; then
+            echo "::warning::Detected uncommitted changes after build"
+          fi
+
+      - name: Upload dist/
+        if: (!cancelled()) && steps.compare.outputs.diff == 'true'
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: dist
+          path: actions/installer/dist
+
+  push:
+    name: Apply & Push changes
+    if: needs.check.outputs.has-change == 'true'
+    needs: [check]
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+      contents: write
+    defaults:
+      run:
+        working-directory: actions/installer
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          sparse-checkout: |
+            actions/installer/
+
+      - name: Checkout PR
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ inputs.pr_number }}
+        run: gh pr checkout "$PR_NUMBER"
+
+      - name: Download diff
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: dist
+          path: actions/installer/dist
+
+      - name: Push changes back into PR
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          git add .
+          git status
+          git commit -s -m "chore: Updating installer action dist/"
+          git push
diff --git a/actions/installer/.eslintignore b/actions/installer/.eslintignore
@@ -1,3 +1,4 @@
-dist/
 lib/
+dist/
 node_modules/
+coverage/
diff --git a/actions/installer/.eslintrc.json b/actions/installer/.eslintrc.json
diff --git a/actions/installer/.eslintrc.yml b/actions/installer/.eslintrc.yml
@@ -0,0 +1,80 @@
+env:
+  node: true
+  es6: true
+  jest: true
+
+globals:
+  Atomics: readonly
+  SharedArrayBuffer: readonly
+
+ignorePatterns:
+  - '!.*'
+  - '**/node_modules/.*'
+  - '**/dist/.*'
+  - '**/coverage/.*'
+  - '*.json'
+
+parser: '@typescript-eslint/parser'
+
+parserOptions:
+  ecmaVersion: 2023
+  sourceType: module
+  project:
+    - './.tsconfig.json'
+    - './tsconfig.json'
+
+plugins:
+  - jest
+  - '@typescript-eslint'
+
+extends:
+  - eslint:recommended
+  - plugin:@typescript-eslint/eslint-recommended
+  - plugin:@typescript-eslint/recommended
+  - plugin:github/recommended
+  - plugin:jest/recommended
+
+rules:
+  {
+    'camelcase': 'off',
+    'eslint-comments/no-use': 'off',
+    'eslint-comments/no-unused-disable': 'off',
+    'i18n-text/no-en': 'off',
+    'import/no-namespace': 'off',
+    'no-console': 'off',
+    'no-unused-vars': 'off',
+    'prettier/prettier': 'error',
+    'semi': 'off',
+    '@typescript-eslint/array-type': 'error',
+    '@typescript-eslint/await-thenable': 'error',
+    '@typescript-eslint/ban-ts-comment': 'error',
+    '@typescript-eslint/consistent-type-assertions': 'error',
+    '@typescript-eslint/explicit-member-accessibility':
+      ['error', { 'accessibility': 'no-public' }],
+    '@typescript-eslint/explicit-function-return-type':
+      ['error', { 'allowExpressions': true }],
+    '@typescript-eslint/no-array-constructor': 'error',
+    '@typescript-eslint/no-empty-interface': 'error',
+    '@typescript-eslint/no-explicit-any': 'error',
+    '@typescript-eslint/no-extraneous-class': 'error',
+    '@typescript-eslint/no-for-in-array': 'error',
+    '@typescript-eslint/no-inferrable-types': 'error',
+    '@typescript-eslint/no-misused-new': 'error',
+    '@typescript-eslint/no-namespace': 'error',
+    '@typescript-eslint/no-non-null-assertion': 'warn',
+    '@typescript-eslint/no-require-imports': 'error',
+    '@typescript-eslint/no-unnecessary-qualifier': 'error',
+    '@typescript-eslint/no-unnecessary-type-assertion': 'error',
+    '@typescript-eslint/no-unused-vars': 'error',
+    '@typescript-eslint/no-useless-constructor': 'error',
+    '@typescript-eslint/no-var-requires': 'error',
+    '@typescript-eslint/prefer-for-of': 'warn',
+    '@typescript-eslint/prefer-function-type': 'warn',
+    '@typescript-eslint/prefer-includes': 'error',
+    '@typescript-eslint/prefer-string-starts-ends-with': 'error',
+    '@typescript-eslint/promise-function-async': 'error',
+    '@typescript-eslint/require-array-sort-compare': 'error',
+    '@typescript-eslint/restrict-plus-operands': 'error',
+    '@typescript-eslint/space-before-function-paren': 'off',
+    '@typescript-eslint/unbound-method': 'error'
+  }
diff --git a/actions/installer/.gitattributes b/actions/installer/.gitattributes
@@ -0,0 +1,3 @@
+* text=auto eol=lf
+
+dist/** -diff linguist-generated=true