Docs: add security policy #4481
Workflow file for this run
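# https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
# https://hanxiao.io/2021/01/24/Speedup-CI-Workflow-in-Github-Actions-via-Strategy-Matrix/
#
# Runs lint, unit (Node.js and Bun), end-to-end and dependency-license checks
# for pull requests, and on manual dispatch against a caller-supplied ref.

name: Node.js Test

on:
  pull_request:
  workflow_dispatch:
    inputs:
      ref:
        description: 'Git ref (refs/heads/<branch>, refs/tags/<tag>, etc.) or SHA'
        required: true
        type: string

# Default-deny: every job below declares the token scopes it needs, so a job
# added later without its own `permissions:` gets none rather than the
# repository default.
permissions: {}

# One active run per workflow and ref; a newer run cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ inputs.ref || github.ref }}
  cancel-in-progress: true

env:
  # The ref every job checks out. `inputs.ref` is caller-supplied, and in this
  # file it is only ever passed as a `with:` input and never interpolated into
  # a `run:` script; keep it that way.
  ref: ${{ inputs.ref || github.sha || github.ref }}

jobs:
  # Decides whether the test jobs need to run at all, and whether cached
  # native prebuilds must be discarded first.
  path-filter:
    permissions:
      pull-requests: read  # dorny/paths-filter
      # NOTE(review): unlike the other jobs, `contents: read` is not granted
      # here although the job also runs actions/checkout - confirm this is
      # intentional (e.g. the repository is public).
    runs-on: ubuntu-latest
    outputs:
      should-test: ${{ steps.filter.outputs.should-test }}
      should-delete-prebuilds: ${{ steps.filter.outputs.should-delete-prebuilds }}
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Do not leave the job token in the checkout's git config.
          persist-credentials: false
          ref: ${{ env.ref }}
      - id: filter
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        with:
          filters: |
            should-test:
              - '.github/workflows/node-test.yml'
              - 'packages/**'
              - 'src/**'
              - 'test/**'
              - '**/*.ts'
              - '*'
            should-delete-prebuilds:
              - '.github/workflows/node-addon-prebuild.yml'
              - 'packages/zlib*/**'
              - 'packages/zstd*/**'
              - 'package*.json'
              - 'postinstall.mjs'

  node-lint:
    needs:
      - path-filter
    if: ${{ needs.path-filter.outputs.should-test == 'true' }}
    permissions:
      contents: read  # actions/checkout
    runs-on: ubuntu-latest
    steps:
      # Setup and install
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: ${{ env.ref }}
          submodules: 'recursive'
      - uses: volta-cli/action@615a78f6c83e116339c53b94f3f82b4d6c0b7d18 # v5.0.0
      - id: npm-cache-dir
        shell: bash
        run: echo "dir=$(npm config get cache)" >> "${GITHUB_OUTPUT}"
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ${{ steps.npm-cache-dir.outputs.dir }}
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
            ${{ runner.os }}-
      # Dependency lifecycle scripts run here, with their output shown in the log.
      - run: npm ci --foreground-scripts
      - run: npm run lint
      # TODO(cemmer): check for deprecated dependencies
      # https://stackoverflow.com/questions/44097267/find-packages-that-give-deprecated-warning-npm

  node-unit:
    name: node-unit (${{ matrix.os }}, ${{ matrix.node-version || 'package.json' }})
    needs:
      - path-filter
    if: ${{ needs.path-filter.outputs.should-test == 'true' }}
    permissions:
      contents: read  # actions/checkout
    strategy:
      fail-fast: false
      matrix:
        os: [ ubuntu-latest, ubuntu-24.04-arm, macos-latest, macos-15-intel, windows-latest, windows-11-arm ]
        # An empty version is labelled 'package.json' in the job name.
        node-version: [ '' ]
        include:
          - os: ubuntu-latest
            node-version: 22
          - os: macos-latest
            node-version: 22
          - os: windows-latest
            node-version: 22
    runs-on: ${{ matrix.os }}
    timeout-minutes: 20
    steps:
      # Setup and install
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: ${{ env.ref }}
          submodules: 'recursive'
      - uses: volta-cli/action@615a78f6c83e116339c53b94f3f82b4d6c0b7d18 # v5.0.0
        with:
          node-version: ${{ matrix.node-version }}
      - id: npm-cache-dir
        shell: bash
        run: echo "dir=$(npm config get cache)" >> "${GITHUB_OUTPUT}"
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ${{ steps.npm-cache-dir.outputs.dir }}
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
            ${{ runner.os }}-
      # Install without lifecycle scripts first, optionally drop the committed
      # addon/prebuild directories, then let the scripts run in the second
      # install (presumably rebuilding the native addons - confirm).
      - run: npm ci --ignore-scripts
      - if: ${{ needs.path-filter.outputs.should-delete-prebuilds == 'true' }}
        shell: bash
        run: |
          rm -rf packages/*/addon* packages/*/prebuilds*
      - run: npm install --foreground-scripts
      - if: ${{ startsWith(matrix.os, 'ubuntu') }}
        run: |
          sudo apt-get update
          sudo apt-get install -y libsdl2-2.0-0 libsdl2-ttf-2.0-0
      # Test the source files
      - run: npm run test:unit

  bun-unit:
    needs:
      - path-filter
    if: ${{ needs.path-filter.outputs.should-test == 'true' }}
    permissions:
      contents: read  # actions/checkout
    runs-on: macos-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: ${{ env.ref }}
          submodules: 'recursive'
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
        with:
          bun-version-file: ".bun-version"
      - id: npm-cache-dir
        shell: bash
        run: echo "dir=$(npm config get cache)" >> "${GITHUB_OUTPUT}"
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ${{ steps.npm-cache-dir.outputs.dir }}
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
            ${{ runner.os }}-
      - run: npm ci --ignore-scripts
      # Only applies if the runner is ever switched to Linux; the job runs on
      # macos-latest as written.
      - if: ${{ runner.os == 'Linux' }}
        run: |
          sudo apt-get update
          sudo apt-get install -y libsdl2-2.0-0 libsdl2-ttf-2.0-0
      - run: npm run test:unit:bun

  node-e2e:
    name: node-e2e (${{ matrix.node-version || 'package.json' }})
    needs:
      - path-filter
    if: ${{ needs.path-filter.outputs.should-test == 'true' }}
    permissions:
      contents: read  # actions/checkout
    strategy:
      matrix:
        node-version: [ '', 22 ]
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # Setup and install
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: ${{ env.ref }}
          submodules: 'recursive'
      - uses: volta-cli/action@615a78f6c83e116339c53b94f3f82b4d6c0b7d18 # v5.0.0
        with:
          node-version: ${{ matrix.node-version }}
      - id: npm-cache-dir
        shell: bash
        run: echo "dir=$(npm config get cache)" >> "${GITHUB_OUTPUT}"
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ${{ steps.npm-cache-dir.outputs.dir }}
          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-
            ${{ runner.os }}-
      - run: npm ci --foreground-scripts
      - run: |
          sudo apt-get update
          sudo apt-get install -y libsdl2-2.0-0 libsdl2-ttf-2.0-0
      # Test the built files
      - run: ./test/endToEndTest.sh

  # Checks production dependency licenses against an allow-list, then against
  # an explicit deny-list.
  node-license:
    needs:
      - path-filter
    if: ${{ needs.path-filter.outputs.should-test == 'true' }}
    permissions:
      contents: read  # actions/checkout
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          # Audit the same ref the other jobs test; without this, a manual
          # dispatch would check the dispatching branch instead of inputs.ref.
          ref: ${{ env.ref }}
      - uses: volta-cli/action@615a78f6c83e116339c53b94f3f82b4d6c0b7d18 # v5.0.0
      # NOTE(review): `@latest` is resolved at run time, so this job downloads
      # and executes whichever version is newest on the registry. Pin an exact
      # version and bump it deliberately, as is done for the actions above.
      # NOTE(review): no dependency-install step is visible in this job before
      # the checker runs - confirm it has an installed tree to inspect.
      - run: |
          npx --yes license-checker-rseidelsohn@latest --production --excludePrivatePackages --onlyAllow '0BSD;Apache-2.0;Artistic-2.0;BlueOak-1.0.0;BSD-2-Clause;BSD-3-Clause;BSD-3-Clause-Clear;BSL-1.0;CC-BY-4.0;CC-BY-SA-4.0;CC0-1.0;CECILL-2.0;CECILL-2.1;ClArtistic;CNRI-Python-GPL-Compatible;EFL-2.0;EUDatagrid;FTL;GPL-2.0-or-later;GPL-3.0-only;GPL-3.0-or-later;HPND;ICU;IJG;Intel;ISC;LGPL-2.1-or-later;LGPL-3.0-only;LGPL-3.0-or-later;libpng-2.0;MIT;MIT-0;MPL-2.0;NCSA;Python-2.0;Ruby;SGI-B-2.0;Sleepycat;SMLNJ;Unicode-DFS-2016;Unlicense;UPL-1.0;Vim;W3C;WTFPL;X11;Zend-2.0;Zlib;zlib-acknowledgement;ZPL-2.1'
          npx --yes license-checker-rseidelsohn@latest --production --excludePrivatePackages --failOn 'AFL-1.1;AFL-1.2;AFL-2.0;AFL-2.1;AFL-3.0;AGPL-1.0-only;AGPL-1.0-or-later;AGPL-3.0-only;AGPL-3.0-or-later;Apache-1.0;Apache-1.1;Artistic-1.0;BSD-4-Clause;BSD-4-Clause-UC;BUSL-1.1;CC-BY-2.0;CC-BY-2.5;CC-BY-3.0;CC-BY-NC-1.0;CC-BY-NC-2.0;CC-BY-NC-2.5;CC-BY-NC-3.0;CC-BY-NC-4.0;CC-BY-NC-ND-4.0;CC-BY-NC-SA-4.0;CC-BY-ND-4.0;CC-BY-SA-1.0;CC-BY-SA-2.0;CC-BY-SA-2.5;CC-BY-SA-3.0;CDDL-1.0;CDDL-1.1;CPL-1.0;Elastic-2.0;EPL-1.0;EPL-2.0;EUPL-1.1;EUPL-1.2;GFDL-1.1-only;GFDL-1.1-or-later;GFDL-1.2-only;GFDL-1.2-or-later;GFDL-1.3-only;GFDL-1.3-or-later;GPL-1.0-only;GPL-2.0-only;IPL-1.0;MPL-1.0;MPL-1.1;MS-PL;MS-RL;NPL-1.0;NPL-1.1;OpenSSL;OSL-1.0;OSL-1.1;OSL-2.0;OSL-2.1;OSL-3.0;QPL-1.0;RPL-1.1;RPL-1.5;RPSL-1.0;SISSL;SPL-1.0;SSPL-1.0;Watcom-1.0'

  # !!! This check should be required by GitHub !!!
  # Single aggregate gate over every job above. It runs even when upstream
  # jobs fail or are skipped, and needs no token permissions. The test jobs
  # may be skipped (when the path filter says nothing relevant changed);
  # path-filter itself is not in `allowed-skips`.
  test-status-check:
    needs:
      - path-filter
      - node-lint
      - node-unit
      - bun-unit
      - node-e2e
      - node-license
    if: always()
    permissions: {}
    runs-on: ubuntu-latest
    steps:
      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
        with:
          jobs: ${{ toJSON(needs) }}
          allowed-skips: node-lint, node-unit, bun-unit, node-e2e, node-license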