Docs: add security policy #4524
Workflow file for this run
# Builds standalone igir executables for each OS/architecture in the matrix.
name: Node.js Compile

# Runs on every pull request, when called from another workflow, and on manual
# dispatch. The last two require the caller to name the ref to build.
on:
  pull_request:
  workflow_call:
    inputs:
      ref:
        required: true
        type: string
  workflow_dispatch:
    inputs:
      ref:
        description: 'Git ref (refs/heads/<branch>, refs/tags/<tag>, etc.) or SHA'
        required: true
        type: string

# One active run per ref; a newer run for the same ref cancels the older one.
concurrency:
  group: node-compile-${{ inputs.ref || github.ref }}
  cancel-in-progress: true

env:
  # The ref every job checks out: the supplied input if there is one, else the
  # event's commit SHA; github.ref is only reached if both are empty.
  # On pull_request there is no input, so the jobs check out and execute the
  # code proposed by the pull request.
  ref: ${{ inputs.ref || github.sha || github.ref }}
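jobs:
  # Reports whether the checked-out change touches any path that warrants a
  # compile run; the result is exposed as the `changes` output.
  path-filter:
    permissions:
      pull-requests: read # dorny/paths-filter
    runs-on: ubuntu-latest
    outputs:
      changes: ${{ steps.filter.outputs.changes }}
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Keep the job token out of the checked-out .git/config
          persist-credentials: false
          ref: ${{ env.ref }}
      - id: filter
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        with:
          filters: |
            changes:
              - '.github/workflows/node-compile.yml'
              - 'packages/**'
              - 'scripts/compile.ts'
              - 'src/**'
              - '*'

  # Compiles, smoke-tests and archives the executable once per matrix entry.
  # Skipped on pull requests when path-filter reports no relevant changes.
  # This job executes repository code and dependency install scripts, so it is
  # held to read-only contents access.
  node-compile:
    name: node-compile (${{ matrix.os }}, ${{ matrix.docker_arch || matrix.go_arch || 'default' }})
    needs:
      - path-filter
    if: ${{ needs.path-filter.outputs.changes == 'true' || github.event_name != 'pull_request' }}
    permissions:
      contents: read # actions/checkout
    strategy:
      fail-fast: false
      matrix:
        include:
          # docker manifest inspect node:<version> | jq '.manifests[].platform'
          - os: ubuntu-latest
            docker_arch: linux/amd64
          - os: ubuntu-latest
            docker_arch: linux/arm64/v8
          - os: macos-15-intel
          - os: macos-latest
          - os: windows-latest
            go_arch: amd64
          - os: windows-11-arm
            go_arch: arm64
    runs-on: ${{ matrix.os }}
    timeout-minutes: 20
    steps:
      # Setup and install
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: ${{ env.ref }}
          submodules: 'recursive'
      - uses: volta-cli/action@615a78f6c83e116339c53b94f3f82b4d6c0b7d18 # v5.0.0
      # TODO(cemmer): Windows won't cross-compile (including using 'baseline'): https://github.com/oven-sh/bun/issues/28327
      # Builds the bun release asset URL from the runner's platform/arch and
      # the version in .bun-version.
      # NOTE(review): .bun-version comes from the checked-out ref and is written
      # unvalidated into a GITHUB_OUTPUT line; a value containing a newline
      # would add further output entries. Nothing visible here checks the
      # downloaded archive against a known digest; confirm whether setup-bun
      # verifies it.
      - id: bun-uri
        shell: bash
        run: |
          set -x
          BUN_TARGET=$(node --print 'process.platform')-$(node --print 'process.arch')
          BUN_TARGET=${BUN_TARGET/win32/windows}
          BUN_TARGET=${BUN_TARGET/arm64/aarch64}
          BUN_TARGET=${BUN_TARGET/-x64/-x64-baseline}
          echo "BUN_URI=https://github.com/oven-sh/bun/releases/download/bun-v$(cat .bun-version)/bun-${BUN_TARGET}.zip" >> "${GITHUB_OUTPUT}"
      # Ubuntu entries install bun inside the build container instead
      - if: ${{ !startsWith(matrix.os, 'ubuntu') }}
        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
        with:
          bun-version-file: ".bun-version"
          bun-download-url: ${{ steps.bun-uri.outputs.BUN_URI }}
      - id: npm-cache-dir
        shell: bash
        run: echo "dir=$(npm config get cache)" >> "${GITHUB_OUTPUT}"
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ${{ steps.npm-cache-dir.outputs.dir }}
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
            ${{ runner.os }}-
      # Compile and upload
      - if: ${{ startsWith(matrix.os, 'ubuntu') }}
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      # Collects the Node.js and bun versions, a slash-free architecture name
      # and the archive file name for the container build below.
      # NOTE(review): package.json and .bun-version values are appended to
      # GITHUB_OUTPUT / GITHUB_ENV without validation; on pull requests these
      # files are contributor-controlled.
      - id: linux-vars
        if: ${{ startsWith(matrix.os, 'ubuntu') }}
        run: |
          set -x
          echo "VOLTA_NODE=$(jq --raw-output '.volta.node' package.json)" >> "${GITHUB_OUTPUT}"
          echo "BUN_VERSION=$(cat .bun-version)" >> "${GITHUB_OUTPUT}"
          DOCKER_ARCH=${{ matrix.docker_arch }}
          DOCKER_ARCH=${DOCKER_ARCH/linux\//}
          DOCKER_ARCH=${DOCKER_ARCH//\//}
          echo "DOCKER_ARCH=${DOCKER_ARCH}" >> "${GITHUB_OUTPUT}"
          NPM_PKG_VERSION=$(npm pkg get version | sed 's/"//g')
          BIN_OUTPUT="igir-${NPM_PKG_VERSION}-${{ runner.os }}-${DOCKER_ARCH}.tar.gz"
          echo "BIN_OUTPUT=${BIN_OUTPUT}" >> "${GITHUB_ENV}"
      # Linux build, run inside a node:<version> container for the target
      # platform with the workspace mounted at /build.
      # NOTE(review): the container image is referenced by tag, not digest, and
      # the bun installer is fetched and piped straight into bash. Unlike the
      # SHA-pinned actions in this file, nothing visible here pins or verifies
      # either one, and the executable built with them is what gets uploaded.
      # Consider pinning the image digest and verifying the bun archive for
      # BUN_VERSION against a checksum kept in the repository.
      - if: ${{ startsWith(matrix.os, 'ubuntu') }}
        uses: ./.github/actions/docker-run-action
        with:
          image: node:${{ steps.linux-vars.outputs.VOLTA_NODE }}
          shell: bash
          options: |
            --platform ${{ matrix.docker_arch }}
            --volume ${{ github.workspace }}:/build
            --env BUN_VERSION=${{ steps.linux-vars.outputs.BUN_VERSION }}
            --workdir /build
          run: |
            set -euo pipefail
            set -x
            uname -a
            curl -fsSL https://bun.com/install | bash -s "bun-v${BUN_VERSION}"
            export PATH="${HOME}/.bun/bin:$PATH"
            apt-get update
            apt-get install -y libsdl2-2.0-0 libsdl2-ttf-2.0-0
            # Compile the executable and test it before compressing it
            npm ci --foreground-scripts
            npm run compile -- . igir
            rm -rf node_modules
            ./igir --help
            ./igir copy extract test clean report --dat test/fixtures/dats --input test/fixtures/roms --patch test/fixtures/patches --output e2e-extract
            ./igir copy zip test clean report --dat test/fixtures/dats --input test/fixtures/roms --patch test/fixtures/patches --output e2e-zip
            tar cvf - igir | gzip --best > "${{ env.BIN_OUTPUT }}"
            {
              echo '```text'
              ls -alh igir "${{ env.BIN_OUTPUT }}"
              echo '```'
            } >> "${GITHUB_STEP_SUMMARY:-/dev/null}"
      # Hand the workspace back to the runner user; presumably the container
      # wrote its files as a different user.
      - if: ${{ startsWith(matrix.os, 'ubuntu') }}
        run: sudo chown -R "$(id -u):$(id -g)" .
      # macOS build, directly on the runner
      - if: ${{ startsWith(matrix.os, 'macos') }}
        run: |
          set -x
          NPM_PKG_VERSION=$(npm pkg get version | sed 's/"//g')
          NODE_ARCH=$(node --print 'process.arch')
          BIN_OUTPUT="igir-${NPM_PKG_VERSION}-${{ runner.os }}-${NODE_ARCH}.tar.gz"
          echo "BIN_OUTPUT=${BIN_OUTPUT}" >> "${GITHUB_ENV}"
          # Package the executable and test it before compressing it
          npm ci --foreground-scripts
          npm run compile -- . igir
          rm -rf node_modules
          ./igir --help
          ./igir copy extract test clean report --dat test/fixtures/dats --input test/fixtures/roms --patch test/fixtures/patches --output e2e-extract
          ./igir copy zip test clean report --dat test/fixtures/dats --input test/fixtures/roms --patch test/fixtures/patches --output e2e-zip
          tar cvf - igir | gzip --best > "${BIN_OUTPUT}"
          {
            echo '```text'
            ls -alh igir "${BIN_OUTPUT}"
            echo '```'
          } >> "${GITHUB_STEP_SUMMARY}"
      # Windows build, directly on the runner
      - if: ${{ startsWith(matrix.os, 'windows') }}
        shell: pwsh
        run: |
          Set-PSDebug -Trace 1
          $NPM_PKG_VERSION=$(npm pkg get version).replace('"','')
          $NODE_ARCH=$(node --print 'process.arch')
          $BIN_OUTPUT="igir-$NPM_PKG_VERSION-${{ runner.os }}-${NODE_ARCH}.zip"
          echo "BIN_OUTPUT=${BIN_OUTPUT}" | Out-File -FilePath $env:GITHUB_ENV -Append # no need for -Encoding utf8
          # Package the executable and test it before compressing it
          npm ci --foreground-scripts
          npm run compile -- . igir.exe
          Remove-Item node_modules -Recurse -Force
          .\igir.exe --help
          .\igir.exe copy extract test clean report --dat test\fixtures\dats --input test\fixtures\roms --patch test\fixtures\patches --output e2e-extract
          .\igir.exe copy zip test clean report --dat test\fixtures\dats --input test\fixtures\roms --patch test\fixtures\patches --output e2e-zip
          Compress-Archive -Path igir.exe -DestinationPath "${BIN_OUTPUT}" -CompressionLevel Optimal -Force
          echo "``````text" >> "${env:GITHUB_STEP_SUMMARY}"
          Get-ChildItem igir.exe >> "${env:GITHUB_STEP_SUMMARY}"
          Get-ChildItem "${BIN_OUTPUT}" >> "${env:GITHUB_STEP_SUMMARY}"
          echo "``````" >> "${env:GITHUB_STEP_SUMMARY}"
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ env.BIN_OUTPUT }}
          path: ${{ env.BIN_OUTPUT }}
          if-no-files-found: error
          retention-days: 7

  # Attaches the archives built above to the release named v<package version>.
  # Never runs for pull requests. This is the only job with write access; the
  # token is handed only to the final upload step, and checkout does not
  # persist it.
  release-update:
    needs:
      - node-compile
    if: ${{ github.event_name != 'pull_request' }}
    permissions:
      contents: write # actions/checkout, gh release upload
    runs-on: ubuntu-latest
    steps:
      # Get the package version
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: ${{ env.ref }}
          submodules: 'recursive'
      - uses: volta-cli/action@615a78f6c83e116339c53b94f3f82b4d6c0b7d18 # v5.0.0
      - id: npm-cache-dir
        shell: bash
        run: echo "dir=$(npm config get cache)" >> "${GITHUB_OUTPUT}"
      # NOTE(review): this job publishes release assets yet restores an npm
      # cache through broad prefix fallback keys; confirm which runs are able
      # to populate caches visible to it.
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ${{ steps.npm-cache-dir.outputs.dir }}
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
            ${{ runner.os }}-
      # NOTE(review): `npm ci` runs dependency lifecycle scripts on the runner
      # that later receives GH_TOKEN. No step visible in this job reads
      # node_modules (`npm pkg get version` reads package.json); confirm whether
      # the install is needed here, or whether it can run with --ignore-scripts.
      - run: npm ci
      - run: echo "NPM_PKG_VERSION=$(npm pkg get version | sed 's/"//g')" >> "${GITHUB_ENV}"
      # Download and update
      # With no inputs, every artifact of this run is downloaded, presumably
      # into one directory per artifact name (hence the igir-*/* glob below).
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      # The version is read as a shell variable rather than expanded with
      # ${{ }}, so a value taken from package.json is never pasted into the
      # script text before bash parses it.
      - run: gh release upload "v${NPM_PKG_VERSION}" igir-*/*
        env:
          GH_TOKEN: ${{ github.token }}

  # !!! This check should be required by GitHub !!!
  # Single gate for branch protection: always runs, holds no token permissions,
  # and hands the results of the jobs in `needs` to alls-green; node-compile is
  # the only job allowed to be skipped.
  compile-status-check:
    needs:
      - path-filter
      - node-compile
    if: always()
    permissions: {}
    runs-on: ubuntu-latest
    steps:
      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
        with:
          jobs: ${{ toJSON(needs) }}
          allowed-skips: node-compile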