CI(security): supply chain security (#2513) #189
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'coverage_baseline' | |
| # The code-coverage-report-action uses workflow artifacts to store the coverage report. | |
| # The action will upload the coverage report as an artifact, | |
| # and the action will also download the coverage report from the artifact in PRs. | |
| # The action will then compare the coverage report from the PR with the coverage report from the base branch. | |
| # For this to work, the action needs to be run on the base branch after each pushed commit | |
| # or at least once before the artifact retention period ends. | |
| on: | |
| # Allow for manual runs | |
| workflow_dispatch: | |
| # Runs at 00:00, on day 1 of the month (every ~30 days) | |
| schedule: | |
| - cron: '0 0 1 * *' | |
| push: | |
| branches: | |
| - main | |
| # Disable permissions for all of the available permissions | |
| permissions: {} | |
| jobs: | |
| generate: | |
| runs-on: ubuntu-latest | |
| env: | |
| TEST_PRESET: all | |
| steps: | |
| - uses: actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 | |
| - uses: subosito/flutter-action@4cab68ce0f1c7c924f688bff4792e044f1aeb30c | |
| with: | |
| cache: true | |
| - run: | | |
| chmod +x ./scripts/prepare_pinning_certs.sh | |
| ./scripts/prepare_pinning_certs.sh | |
| - name: Install proxy for tests | |
| run: sudo apt-get update && sudo apt-get install -y squid | |
| - run: dart pub get | |
| - uses: bluefireteam/melos-action@705015c3d2bc4ab94201ac24accb2bbe070cf533 | |
| with: | |
| run-bootstrap: false | |
| melos-version: '^6.0.0' | |
| - name: Check satisfied packages | |
| run: | | |
| dart ./scripts/melos_packages.dart | |
| echo $(cat .melos_packages) >> $GITHUB_ENV | |
| - name: Melos Bootstrap | |
| run: melos bootstrap | |
| # Tests | |
| - run: ./scripts/prepare_pinning_certs.sh | |
| - name: Install proxy for tests | |
| run: sudo apt-get update && sudo apt-get install -y squid mkcert | |
| - name: Start local httpbun | |
| run: | | |
| mkcert -install | |
| mkcert -cert-file '/tmp/cert.pem' -key-file '/tmp/key.pem' httpbun.local | |
| echo '127.0.0.1 httpbun.local' | sudo tee --append /etc/hosts | |
| docker run \ | |
| --name httpbun \ | |
| --detach \ | |
| --publish 443:443 \ | |
| --volume /tmp:/tmp:ro \ | |
| --env HTTPBUN_TLS_CERT=/tmp/cert.pem \ | |
| --env HTTPBUN_TLS_KEY=/tmp/key.pem \ | |
| --pull always \ | |
| sharat87/httpbun | |
| sleep 1 | |
| curl --fail --silent --show-error https://httpbun.local/any | |
| - name: Use httpbun.local for tests | |
| run: melos run httpbun:local | |
| - name: '[Verify step] Test Dart packages [VM]' | |
| run: melos run test:vm | |
| - name: Use httpbun.com for Web/Flutter tests | |
| run: melos run httpbun:com | |
| - name: '[Verify step] Test Dart packages [Chrome]' | |
| run: melos run test:web:chrome | |
| - name: '[Verify step] Test Dart packages [Firefox]' | |
| run: melos run test:web:firefox | |
| - name: '[Verify step] Test Flutter packages' | |
| run: melos run test:flutter | |
| - name: '[Coverage] Generate report' | |
| run: melos run coverage:combine | |
| - uses: clearlyip/code-coverage-report-action@9e2cd22e39153feba8b4477e4fefcc0b5e2727ba | |
| with: | |
| filename: 'coverage/cobertura.xml' |