chore(deps): update patch dependencies #24385
| name: Continuous Integration | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: [main, development, staging] | |
| paths-ignore: | |
| - ".github/**" # We don't want to trigger when we update the workflows. | |
| - "docs/**" # We don't want to trigger when we update the docs. | |
| - "*.md" | |
| - "terraform/**" | |
| jobs: | |
| secret-scanning: | |
| name: Trufflehog Secret Scanning | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: TruffleHog OSS | |
| id: trufflehog | |
| uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2 | |
| env: | |
| GITHUB_HEAD_REF_SAFE: ${{ github.head_ref }} | |
| continue-on-error: true | |
| with: | |
| path: ./ | |
| base: "${{ github.event.repository.default_branch }}" | |
| head: "$GITHUB_HEAD_REF_SAFE" | |
| extra_args: --debug --only-verified | |
| # - name: Setup Trufflehog [Docker] | |
| # env: | |
| # GITHUB_HEAD_REF_SAFE: ${{ github.head_ref }} | |
| # run: docker run --rm -v "$PWD:/pwd" trufflesecurity/trufflehog:3.67.1 git file://. --since-commit main --branch "$GITHUB_HEAD_REF_SAFE" --only-verified --fail | |
| unit-tests: | |
| name: Unit Tests | |
| secrets: inherit # https://docs.github.com/en/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow | |
| uses: ./.github/workflows/unit_test_reusable.yml | |
| e2e-tests: | |
| name: End-to-End Tests | |
| secrets: inherit # https://docs.github.com/en/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow | |
| uses: ./.github/workflows/e2e_test_reusable.yml | |
| a11y-regression: | |
| name: A11y Regression Gate | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: ./.github/actions/setup-javascript | |
| - name: Cache Cypress binary | |
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 | |
| with: | |
| path: ~/.cache/Cypress | |
| key: cypress-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('frontend/bun.lock') }} | |
| - name: Install Cypress binary | |
| working-directory: ./frontend | |
| run: | | |
| bunx cypress install | |
| bunx cypress verify | |
| - name: Launch Stack | |
| uses: ./.github/actions/run-full-stack | |
| env: | |
| JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }} | |
| JWT_PUBLIC_KEY: ${{ secrets.JWT_PUBLIC_KEY }} | |
| - name: Validate a11y suppression metadata | |
| working-directory: ./frontend | |
| run: bun run a11y:validate-suppressions | |
| - name: Install minimal runtime deps for headless browser | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y --no-install-recommends dbus-x11 xvfb libgtk-3-0 libnss3 libxss1 libasound2t64 libgbm1 | |
| - name: Run critical accessibility regression specs | |
| working-directory: ./frontend | |
| env: | |
| TERM: xterm | |
| A11Y_REGRESSION_GATE: "true" | |
| JWT_PRIVATE_KEY: ${{ secrets.JWT_PRIVATE_KEY }} | |
| JWT_PUBLIC_KEY: ${{ secrets.JWT_PUBLIC_KEY }} | |
| run: | | |
| dbus-run-session -- npx cypress run \ | |
| --config-file ./cypress.config.ci.js \ | |
| --headless \ | |
| --spec "cypress/e2e/agreementList.cy.js,cypress/e2e/agreementsPagination.cy.js,cypress/e2e/agreementDetails.cy.js,cypress/e2e/portfolioList.cy.js,cypress/e2e/portfolioDetail.cy.js,cypress/e2e/budgetLineItemsList.cy.js,cypress/e2e/createAgreement.cy.js,cypress/e2e/createAgreementWithValidations.cy.js,cypress/e2e/uploadDocument.cy.js,cypress/e2e/notificationCenter.cy.js" | |
| codeql-analysis: | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| name: CodeQL Scan | |
| uses: ./.github/workflows/security_codeql.yml | |
| semgrep-analysis: | |
| permissions: | |
| security-events: write | |
| name: Semgrep Scan | |
| uses: ./.github/workflows/security_semgrep.yml | |
| lint: | |
| name: Linting | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: ./.github/actions/setup-python | |
| - name: Lint backend | |
| working-directory: ./backend/ops_api | |
| run: pipenv run nox -s lint | |
| - name: Check backend formatting (Black) | |
| working-directory: ./backend/ops_api | |
| run: pipenv run black --config ./pyproject.toml --check ops tests ./noxfile.py ../../performance_tests/locustfile.py | |
| - name: Check backend import sorting (isort) | |
| working-directory: ./backend/ops_api | |
| run: pipenv run isort --settings-file ./pyproject.toml --check-only --filter-files ops tests ./noxfile.py ../../performance_tests/locustfile.py | |
| - name: Install data_tools dependencies | |
| working-directory: ./backend/data_tools | |
| run: pipenv install --dev | |
| - name: Check data_tools formatting (Black) | |
| working-directory: ./backend/data_tools | |
| run: pipenv run black --config ./pyproject.toml --check . | |
| - name: Check data_tools import sorting (isort) | |
| working-directory: ./backend/data_tools | |
| run: pipenv run isort --settings-file ./pyproject.toml --check-only --filter-files . | |
| - uses: ./.github/actions/setup-javascript | |
| - name: Lint frontend | |
| working-directory: ./frontend | |
| run: bun lint | |
| - name: Check frontend formatting | |
| working-directory: ./frontend | |
| run: bun run prettier --check --ignore-unknown 'src/**/*' '!src/uswds/**' |
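Review bot: In the `secret-scanning` job, the TruffleHog OSS step sets `continue-on-error: true` and no visible step reads `steps.trufflehog.outcome`, so a verified secret found by the scan leaves the job green and does not block the pull request. Either drop `continue-on-error: true`, or add a final step with `if: steps.trufflehog.outcome == 'failure'` and `run: exit 1` so that a finding gates the merge. Separately, `head: "$GITHUB_HEAD_REF_SAFE"` is a `with:` input, where the runner does no shell expansion; unless the action expands it itself (not visible here), the scan receives the literal string, and on `push` events `github.head_ref` is empty anyway, so confirm that the scanned commit range is the intended one. The rendered page does not show which lines this dependency update changed, so these points apply to the file as shown.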