dd-trace-js/.github/workflows/project.yml at ec772065a19050683f10734a051c89524ca89998 · DataDog/dd-trace-js · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
name: Project

on:
  pull_request:
  push:
    branches: [master, mq-working-branch-master-*]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true

jobs:
  actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: .github
      - uses: ./.github/actions/node/latest
      - name: actionlint
        id: actionlint
        uses: raven-actions/actionlint@e01d1ea33dd6a5ed517d95b4c0c357560ac6f518 # v2.1.1
        with:
          matcher: true
          fail-on-error: true
          shellcheck: false # TODO should we enable this?
      - name: actionlint Summary
        if: ${{ steps.actionlint.outputs.exit-code != 0 }}
        run: |
          echo "Used actionlint version ${{ steps.actionlint.outputs.version-semver }}"
          echo "Used actionlint release ${{ steps.actionlint.outputs.version-tag }}"
          echo "actionlint ended with ${{ steps.actionlint.outputs.exit-code }} exit code"
          echo "actionlint ended because '${{ steps.actionlint.outputs.exit-message }}'"
          echo "actionlint found ${{ steps.actionlint.outputs.total-errors }} errors"
          echo "actionlint checked ${{ steps.actionlint.outputs.total-files }} files"
          echo "actionlint cache used: ${{ steps.actionlint.outputs.cache-hit }}"
          exit ${{ steps.actionlint.outputs.exit-code }}

  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/node/latest
      - uses: ./.github/actions/install
      - run: npm run lint && npm run lint:codeowners:ci

  verify-exercised-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/node/latest
      - uses: ./.github/actions/install
      - run: npm run verify-exercised-tests

  workflow-job-names:
    runs-on: ubuntu-latest
    name: Workflow job names (unique)
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: |
            .github
            scripts/verify-workflow-job-names.js
      - uses: ./.github/actions/node/latest
      - run: npm install yaml
      - run: node scripts/verify-workflow-job-names.js

  # The package size is especially useful in constrained environments, so the
  # computation is done only on the package that would be installed there.
  # In order to do that, the current folder is wiped and replaced with what
  # would be installed is those environments before running the computation.
  package-size-report:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/node/latest
      - run: FILENAME=$(npm pack --pack-destination /tmp) && mv /tmp/$FILENAME /tmp/dd-trace.tgz
      - run: rm -rf *
      - run: tar -zxf /tmp/dd-trace.tgz -C $(pwd) --strip-components=1
      - run: yarn --prod --ignore-optional
      - run: ls -lisa
      - name: Compute module size tree and report
        uses: qard/heaviest-objects-in-the-universe@1e02edbdda803a45537a808ede97866db47756d3 # Unreleased
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

  static-analysis:
    runs-on: ubuntu-latest
    name: Datadog Static Analyzer
    if: github.actor != 'dependabot[bot]' && github.event_name != 'pull_request'
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check code meets quality and security standards
        id: datadog-static-analysis
        uses: DataDog/datadog-static-analyzer-github-action@8340f18875fcefca86844b5f947ce2431387e552 # v3.0.0
        with:
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_app_key: ${{ secrets.DD_APP_KEY }}
          dd_site: datadoghq.com
          cpu_count: 2

  typescript:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/node/latest
      - uses: ./.github/actions/install
      - run: npm run type:doc:test
      - run: npm run type:doc:build

  # TODO: Remove need for `npm show` before re-enabling to avoid rate limit errors.
  # verify-yaml:
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  #     - uses: ./.github/actions/node/latest
  #     - uses: ./.github/actions/install
  #     - run: node scripts/verify-ci-config.js

  yarn-dedupe:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      has_changes: ${{ steps.diff.outputs.has_changes }}
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup Node.js
        uses: ./.github/actions/node/latest

      - name: Install dependencies
        uses: ./.github/actions/install

      - name: Run yarn dependencies:dedupe
        run: yarn dependencies:dedupe

      - name: Prepare yarn.lock update (same-repo PRs only; restricted paths)
        id: diff
        run: |
          set -euo pipefail

          if git diff --quiet; then
            echo "has_changes=false" >> $GITHUB_OUTPUT
            exit 0
          fi

          fail_message() { cat <<'EOF'
          ❌ The yarn.lock file needs deduplication!

          The yarn dedupe command has modified your yarn.lock file.
          This means there were duplicate dependencies that could be optimized.

          To fix this issue:
          1. Run 'yarn dependencies:dedupe' locally
          2. Commit the updated yarn.lock file
          3. Push your changes

          This helps keep the dependency tree clean.
          EOF
          }

          changes="$(git diff --name-only)"
          if [ "$changes" != "yarn.lock" ]; then
            echo "Unexpected changed paths during yarn dedupe:"
            echo "$changes"
            exit 1
          fi

          # Never push updates to fork PR branches, and don't auto-fix outside PRs.
          if [ "${{ github.event_name }}" != "pull_request" ]; then
            fail_message
            exit 1
          fi
          if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
            fail_message
            exit 1
          fi

          cp yarn.lock "${RUNNER_TEMP}/yarn.lock"
          echo "has_changes=true" >> $GITHUB_OUTPUT

      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: steps.diff.outputs.has_changes == 'true'
        with:
          name: yarn-lock
          path: ${{ runner.temp }}/yarn.lock
          if-no-files-found: error

  yarn-dedupe-push:
    # If this job pushes a commit, GitHub will re-trigger the workflow on `pull_request:synchronize`
    # with `github.actor == 'dd-octo-sts[bot]'`. Never attempt to mint another token / push again on
    # that follow-up run.
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && needs.yarn-dedupe.outputs.has_changes == 'true' && github.actor != 'dd-octo-sts[bot]'
    runs-on: ubuntu-latest
    needs: yarn-dedupe
    # Security: this job has an STS-minted token, but never runs installs/builds.
    # It only updates yarn.lock via the GitHub API.
    permissions:
      id-token: write
    steps:
      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
        id: octo-sts
        with:
          scope: DataDog/dd-trace-js
          policy: yarn-dedupe

      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
        with:
          name: yarn-lock
          path: ${{ runner.temp }}/yarn-lock-artifact

      - name: Update yarn.lock via GitHub API (server-created verified commit)
        env:
          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
          OWNER: ${{ github.repository_owner }}
          REPO: ${{ github.event.repository.name }}
          BRANCH: ${{ github.event.pull_request.head.ref }}
        run: |
          set -euo pipefail

          test -f "${{ runner.temp }}/yarn-lock-artifact/yarn.lock"
          sha="$(gh api -q '.sha' "repos/${OWNER}/${REPO}/contents/yarn.lock?ref=${BRANCH}")"
          base64 -w 0 "${{ runner.temp }}/yarn-lock-artifact/yarn.lock" > "${{ runner.temp }}/yarn-lock-b64.txt"

          jq -n \
            --arg message "chore: deduplicate yarn.lock" \
            --rawfile content "${{ runner.temp }}/yarn-lock-b64.txt" \
            --arg sha "$sha" \
            --arg branch "$BRANCH" \
            '{message: $message, content: $content, sha: $sha, branch: $branch}' \
          | gh api -X PUT "repos/${OWNER}/${REPO}/contents/yarn.lock" --input -