chore(deps): update github/codeql-action action to v4 #732
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI (Pull Request) | |
| on: | |
| pull_request: | |
| permissions: read-all | |
| jobs: | |
| main: | |
| permissions: | |
| pull-requests: write | |
| checks: write | |
| statuses: write | |
| security-events: write | |
| name: Build and test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: 20 | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci --legacy-peer-deps | |
| - name: Compute affected projects | |
| uses: nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 # v4.3.3 | |
| - name: Check TypeScript configuration | |
| run: npx nx sync:check | |
| - name: Lint | |
| run: npx nx affected --target=lint -f @microsoft/eslint-formatter-sarif -o eslint.sarif | |
| continue-on-error: true | |
| env: | |
| SARIF_ESLINT_IGNORE_SUPPRESSED: 'true' | |
| - name: Collect ESLint results | |
| run: | | |
| npx @microsoft/sarif-multitool merge eslint.sarif --recurse true --output-directory=./tmp --output-file=eslint-merged.sarif --merge-runs | |
| if grep -Fq '"runs": []' ./tmp/eslint-merged.sarif | |
| then | |
| echo '{"$schema":"http://json.schemastore.org/sarif-2.1.0.json","version": "2.1.0","runs":[{"tool":{"driver":{"name":"ESlint","rules":[],"version":"0.0.0"}},"results":[],"artifacts":[]}]}' > ./tmp/eslint-merged.sarif | |
| cat ./tmp/eslint-merged.sarif | |
| fi | |
| - name: Upload ESLint results | |
| uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 | |
| with: | |
| # Path to SARIF file relative to the root of the repository | |
| sarif_file: ./tmp/eslint-merged.sarif | |
| # Optional category for the results | |
| # Used to differentiate multiple results for one commit | |
| category: ESLint | |
| - name: Build | |
| run: npx nx affected -t build | |
| - name: Analyze API | |
| run: npx nx affected --target=api | |
| continue-on-error: true | |
| - name: Collect API results | |
| run: | | |
| npx @microsoft/sarif-multitool merge api-extractor.sarif --recurse true --output-directory=./tmp --output-file=api-merged.sarif --merge-runs | |
| if grep -Fq '"runs": []' ./tmp/api-merged.sarif | |
| then | |
| echo '{"$schema":"http://json.schemastore.org/sarif-2.1.0.json","version": "2.1.0","runs":[{"tool":{"driver":{"name":"API Extractor","rules":[],"version":"0.0.0"}},"results":[],"artifacts":[]}]}' > ./tmp/api-merged.sarif | |
| cat ./tmp/api-merged.sarif | |
| fi | |
| - name: Upload API results | |
| uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 | |
| with: | |
| # Path to SARIF file relative to the root of the repository | |
| sarif_file: ./tmp/api-merged.sarif | |
| # Optional category for the results | |
| # Used to differentiate multiple results for one commit | |
| category: API | |
| - name: Test | |
| run: npx nx affected -t test --coverage | |
| - name: Prepare changelog | |
| id: changelog | |
| run: | | |
| node scripts/analyze-changes.js --baseRef=${{ github.event.pull_request.base.sha }} --headRef=${{ github.event.pull_request.head.sha }} | |
| echo "CHANGELEVEL=semver:$(cat tmp/CHANGELEVEL)" >> $GITHUB_OUTPUT | |
| echo "MODULES=$(cat tmp/MODULES)" >> $GITHUB_OUTPUT | |
| - name: Prepare coverage report | |
| id: coverage | |
| run: | | |
| node scripts/analyze-coverage.js | |
| echo "COVERAGESTATUS=$(cat tmp/COVERAGESTATUS)" >> $GITHUB_OUTPUT | |
| - name: Create changelog comment | |
| uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 | |
| if: steps.coverage.outputs.COVERAGESTATUS == 0 | |
| with: | |
| path: tmp/CHANGESET.md | |
| recreate: true | |
| - name: Create coverage report comment | |
| uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 | |
| if: steps.coverage.outputs.COVERAGESTATUS == 1 | |
| with: | |
| path: tmp/COVERAGEREPORT.md | |
| recreate: true | |
| - name: Run the action | |
| uses: guibranco/github-status-action-v2@631f55ea0251f0fb284525ad86c30e9f7a8dd284 # v1.1.14 | |
| if: steps.coverage.outputs.COVERAGESTATUS == 0 | |
| with: | |
| authToken: ${{secrets.GITHUB_TOKEN}} | |
| context: 'Test coverage results' | |
| description: 'Successful' | |
| state: 'success' | |
| sha: ${{github.event.pull_request.head.sha || github.sha}} | |
| - name: Run the action | |
| uses: guibranco/github-status-action-v2@631f55ea0251f0fb284525ad86c30e9f7a8dd284 # v1.1.14 | |
| if: steps.coverage.outputs.COVERAGESTATUS == 1 | |
| with: | |
| authToken: ${{secrets.GITHUB_TOKEN}} | |
| context: 'Test coverage results' | |
| description: 'Some branches or functions are not covered with unit tests' | |
| state: 'failure' | |
| sha: ${{github.event.pull_request.head.sha || github.sha}} | |
| - name: Update PR | |
| if: steps.changelog.outputs.CHANGELEVEL != '' | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| env: | |
| CHANGELEVEL: ${{ steps.changelog.outputs.CHANGELEVEL }} | |
| MODULES: ${{ steps.changelog.outputs.MODULES }} | |
| with: | |
| script: | | |
| const { default: updatePr } = await import('${{ github.workspace }}/scripts/update-pr.js') | |
| await updatePr({ github, context }) |