From 8780f4b55a10de1ddbb0500d55dc47304d15c5c8 Mon Sep 17 00:00:00 2001 From: urlam pranita Date: Mon, 13 Apr 2026 09:57:13 +0530 Subject: [PATCH 1/6] chore: Address Issue 1836 action items - Update Node test matrix to [22, 24, 25] in cve-scanning and coverage workflows - Pin GitHub Actions dependencies - Add CodeCov coverage badge to README.md - Add CodeQL workflow for OpenSSF scorecard --- .github/workflows/codeql.yml | 44 ++++++++++++++++++++++++++++++ .github/workflows/coverage.yml | 12 +++++--- .github/workflows/cve-scanning.yml | 2 +- .github/workflows/release.yml | 20 +++++++------- README.md | 1 + 5 files changed, 64 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..af782e331 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,44 @@ +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '37 20 * * 1' + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript' ] + + steps: + - name: Checkout repository + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index c5586c878..a70261caf 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml 
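Review bot: The new SHA pin carries only a major-version comment (`# v4` on the checkout line, and `# v3` on the codeql-action pins added later in this series), which cannot be checked against the SHA and is less precise than the `# v4.1.7` / `# v4.0.2` convention already used in cve-scanning.yml; record the exact tag the SHA was taken from, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # vX.Y.Z` with the real tag filled in. The same applies to the pins this patch adds in coverage.yml and release.yml. SHA pins also go stale unless something bumps them, so if the repository has no Dependabot `github-actions` ecosystem entry, one should accompany this change. Separately, the `Autobuild` step is effectively a no-op for an interpreted language such as JavaScript and can be dropped from this workflow.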
@@ -21,14 +21,18 @@ jobs: id-token: write pull-requests: write + strategy: + matrix: + node-version: [22, 24, 25] + steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: 20.x + node-version: ${{ matrix.node-version }} - name: Install dependencies run: npm ci @@ -40,6 +44,6 @@ jobs: run: npm run test - name: Codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4 with: use_oidc: true diff --git a/.github/workflows/cve-scanning.yml b/.github/workflows/cve-scanning.yml index da3c29b1a..88dc563c2 100644 --- a/.github/workflows/cve-scanning.yml +++ b/.github/workflows/cve-scanning.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - node-version: [20] + node-version: [22, 24, 25] steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Use Node.js ${{ matrix.node-version }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2ada3d0a8..40236d53c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,12 +19,12 @@ jobs: publish_tag: ${{ steps.version.outputs.publish_tag }} steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Configure Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: 20 + node-version: 22 - name: Install dependencies run: npm ci @@ -66,7 +66,7 @@ jobs: ls -1 *.tgz - name: Upload packed artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: npm-tarballs path: | 
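Review bot: The pins in this hunk replace `actions/checkout@v6` and `actions/setup-node@v6` (and, in the following hunk, `codecov/codecov-action@v6`) with SHAs commented `# v4`; if those SHAs really are v4 releases, pinning here silently downgrades each action by two major versions, which the commit message does not mention. Pin the SHA of the major the workflow was already on, e.g. `uses: actions/checkout@<sha of the current v6 release> # v6.x.y`, or state the downgrade and its reason. In either case the comment should name the exact tag the SHA resolves to, since update tooling reads that comment to propose bumps.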
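Review bot: `node-version: 22` is written as a literal in this release.yml hunk and again in the two `setup-node` steps of the later release.yml hunks (`@@ -80` and `@@ -111`), so the three jobs can drift apart on the next bump. A workflow-level `env: NODE_VERSION: '22'` referenced as `node-version: ${{ env.NODE_VERSION }}` keeps them in step. The enclosing jobs start before and end after the hunk.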
@@ -80,15 +80,15 @@ jobs: needs: build_and_pack steps: - name: Download packed artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: npm-tarballs path: ./dist-tarballs - name: Configure Node for npmjs.org - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: 20 + node-version: 22 registry-url: https://registry.npmjs.org always-auth: true @@ -111,15 +111,15 @@ jobs: needs: build_and_pack steps: - name: Download packed artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: npm-tarballs path: ./dist-tarballs - name: Configure Node for GitHub Packages - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: 20 + node-version: 22 registry-url: https://npm.pkg.github.com scope: '@finos' always-auth: true diff --git a/README.md b/README.md index df6ad9304..0c4da1896 100755 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ [![Slack](https://img.shields.io/badge/slack-@finos/fdc3-green.svg?logo=slack)](https://finos-lf.slack.com/messages/fdc3/) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6579/badge)](https://bestpractices.coreinfrastructure.org/projects/6579) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/finos/FDC3/badge)](https://scorecard.dev/viewer/?uri=github.com/finos/FDC3) +[![Codecov](https://codecov.io/gh/finos/FDC3/branch/main/graph/badge.svg)](https://codecov.io/gh/finos/FDC3) ## What Is It? From f408c804c20bc28c3a527afc8f4a8a3034ab9ce6 Mon Sep 17 00:00:00 2001 From: urlam pranita Date: Mon, 13 Apr 2026 10:37:21 +0530 Subject: [PATCH 2/6] chore: trigger CLA re-check --- toolbox/fdc3-conformance/webpack.config.js | 1 + 1 file changed, 1 insertion(+) 
diff --git a/toolbox/fdc3-conformance/webpack.config.js b/toolbox/fdc3-conformance/webpack.config.js index 98444ec7b..2a34ee2c3 100644 --- a/toolbox/fdc3-conformance/webpack.config.js +++ b/toolbox/fdc3-conformance/webpack.config.js @@ -68,3 +68,4 @@ module.exports = () => { } return config; }; +// trigger From d837395ea39722fe34fc623862fbb12715b8d20c Mon Sep 17 00:00:00 2001 From: urlam pranita Date: Mon, 13 Apr 2026 13:52:36 +0530 Subject: [PATCH 3/6] chore: address reviewer feedback - Remove '// trigger' comment from webpack.config.js - Pin codeql-action steps to commit SHA - Simplify cve-scanning to use node 22 only (no matrix) --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/cve-scanning.yml | 7 ++----- toolbox/fdc3-conformance/webpack.config.js | 1 - 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index af782e331..7d1b05dcc 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -31,14 +31,14 @@ jobs: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c # v3 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c # v3 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c # v3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/cve-scanning.yml b/.github/workflows/cve-scanning.yml index 88dc563c2..1bb3b31b0 100644 --- a/.github/workflows/cve-scanning.yml +++ b/.github/workflows/cve-scanning.yml 
@@ -25,15 +25,12 @@ permissions: jobs: build: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [22, 24, 25] steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js 22 uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: - node-version: ${{ matrix.node-version }} + node-version: 22 - run: npm install diff --git a/toolbox/fdc3-conformance/webpack.config.js b/toolbox/fdc3-conformance/webpack.config.js index 2a34ee2c3..98444ec7b 100644 --- a/toolbox/fdc3-conformance/webpack.config.js +++ b/toolbox/fdc3-conformance/webpack.config.js @@ -68,4 +68,3 @@ module.exports = () => { } return config; }; -// trigger From 52956383012abd8b9879e4e3c0dbdec07fbf5452 Mon Sep 17 00:00:00 2001 From: urlam pranita Date: Mon, 13 Apr 2026 19:05:04 +0530 Subject: [PATCH 4/6] fix: remove OIDC from codecov and simplify coverage matrix to node 22 --- .github/workflows/coverage.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index a70261caf..7297495bd 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -18,12 +18,11 @@ jobs: permissions: contents: read - id-token: write pull-requests: write strategy: matrix: - node-version: [22, 24, 25] + node-version: [22] steps: - name: Checkout repository @@ -45,5 +44,3 @@ jobs: - name: Codecov uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4 - with: - use_oidc: true From e8f86a6b9c8e8441cb3e6e1174f76f7b54a6fbe8 Mon Sep 17 00:00:00 2001 From: urlam pranita Date: Mon, 13 Apr 2026 22:50:52 +0530 Subject: [PATCH 5/6] fix: skip CVE audit steps gracefully when OSS_INDEX secrets are not configured --- .github/workflows/cve-scanning.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
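Review bot: This job keeps `actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2` and `actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`, while coverage.yml and release.yml in this series pin the same actions to `49933ea5288caeca8642d1e84afbd3f7d6820020 # v4` and `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`, so the repository now carries two different pinned revisions of each action. Since the step is being touched anyway, align on one SHA per action (with the exact tag in the comment) so a single update covers all workflows. The literal in the `Use Node.js 22` step name and in `node-version: 22` could likewise read from one workflow-level value to avoid the same drift.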
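Review bot: Dropping `id-token: write` here and `use_oidc: true` in the following hunk (`@@ -45,5`) leaves the Codecov step with no credential in the visible lines; unless an upload token is configured elsewhere, codecov-action v4 falls back to a tokenless upload, which as I understand Codecov's rules is accepted only for pull requests from forks of public repositories, so uploads from pushes to `main` may be rejected. If OIDC was removed deliberately, add `with: token: ${{ secrets.CODECOV_TOKEN }}` (the secret name Codecov documents) and record in the commit message why OIDC was dropped. `pull-requests: write` stays in the job permissions although nothing in the hunk uses it; worth confirming it is still needed.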
diff --git a/.github/workflows/cve-scanning.yml b/.github/workflows/cve-scanning.yml index 1bb3b31b0..a7bab05c2 100644 --- a/.github/workflows/cve-scanning.yml +++ b/.github/workflows/cve-scanning.yml @@ -41,8 +41,8 @@ jobs: working-directory: website - run: npx --yes auditjs ossi --whitelist allow-list.json -u ${{ secrets.OSS_INDEX_USERNAME }} -p ${{ secrets.OSS_INDEX_TOKEN }} - if: success() || failure() + if: (success() || failure()) && secrets.OSS_INDEX_USERNAME != '' - run: npx --yes auditjs ossi --whitelist ../allow-list.json -u ${{ secrets.OSS_INDEX_USERNAME }} -p ${{ secrets.OSS_INDEX_TOKEN }} working-directory: website - if: success() || failure() + if: (success() || failure()) && secrets.OSS_INDEX_USERNAME != '' From 824ecb4f32753fa6c2ac1866ed7ee5ffc95d3f03 Mon Sep 17 00:00:00 2001 From: urlam pranita Date: Mon, 13 Apr 2026 23:01:24 +0530 Subject: [PATCH 6/6] fix: use env var for secret check in CVE workflow to satisfy GitHub Actions syntax --- .github/workflows/cve-scanning.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cve-scanning.yml b/.github/workflows/cve-scanning.yml index a7bab05c2..ecb3b21d0 100644 --- a/.github/workflows/cve-scanning.yml +++ b/.github/workflows/cve-scanning.yml @@ -41,8 +41,12 @@ jobs: working-directory: website - run: npx --yes auditjs ossi --whitelist allow-list.json -u ${{ secrets.OSS_INDEX_USERNAME }} -p ${{ secrets.OSS_INDEX_TOKEN }} - if: (success() || failure()) && secrets.OSS_INDEX_USERNAME != '' + env: + HAS_SECRET: ${{ secrets.OSS_INDEX_USERNAME != '' }} + if: (success() || failure()) && env.HAS_SECRET == 'true' - run: npx --yes auditjs ossi --whitelist ../allow-list.json -u ${{ secrets.OSS_INDEX_USERNAME }} -p ${{ secrets.OSS_INDEX_TOKEN }} working-directory: website - if: (success() || failure()) && secrets.OSS_INDEX_USERNAME != '' + env: + HAS_SECRET: ${{ secrets.OSS_INDEX_USERNAME != '' }} + if: (success() || failure()) && env.HAS_SECRET == 'true'
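Review bot: The new guard only tests `OSS_INDEX_USERNAME`; when the token is absent but the username is set, both `auditjs` steps still run and fail on authentication instead of being skipped, so `HAS_SECRET` should cover both secrets. While the `env:` block is being introduced, the two secrets should also move out of the `run:` command line: `${{ }}` interpolation into the shell string and passing credentials as `-u`/`-p` arguments (visible in the runner's process list) is the pattern GitHub's workflow security-hardening guidance advises against, and referencing them as environment variables avoids both. The second step under `working-directory: website` needs the identical change.

```yaml
      - run: npx --yes auditjs ossi --whitelist allow-list.json -u "$OSS_INDEX_USERNAME" -p "$OSS_INDEX_TOKEN"
        env:
          OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
          OSS_INDEX_TOKEN: ${{ secrets.OSS_INDEX_TOKEN }}
          HAS_SECRET: ${{ secrets.OSS_INDEX_USERNAME != '' && secrets.OSS_INDEX_TOKEN != '' }}
        if: (success() || failure()) && env.HAS_SECRET == 'true'
      # … second auditjs step (working-directory: website): same env and if as above …
```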