44 changes: 44 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,44 @@
name: "CodeQL"

on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
schedule:
- cron: '37 20 * * 1'

permissions:
contents: read

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: [ 'javascript' ]

steps:
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Initialize CodeQL
uses: github/codeql-action/init@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c # v3
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c # v3

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c # v3
with:
category: "/language:${{matrix.language}}"
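Review bot: the `# v4` / `# v3` comments beside the pinned SHAs are what Dependabot reads to work out which release a pin tracks, so write the full release tag (as cve-scanning.yml already does with `# v4.1.7` and `# v4.0.2`) rather than only the major; with just `# v4` a future bump PR cannot tell whether the pin is current. Two smaller points: the `javascript` identifier already covers the repository's TypeScript sources and CodeQL extracts JS/TS without compiling, so the `Autobuild` step does no useful work here and can be dropped; and `category: "/language:${{matrix.language}}"` should use the `${{ matrix.language }}` spacing used on the `languages:` line for consistency.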
15 changes: 8 additions & 7 deletions .github/workflows/coverage.yml
@@ -18,17 +18,20 @@ jobs:

permissions:
contents: read
id-token: write
Member

This is required when adding back the oidc which was removed erroneously. It can be put at a lower level, but it has to be here in combination with oidc for codecov upload to work without tokens.

pull-requests: write

strategy:
matrix:
node-version: [22]

steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
Member

@bingenito bingenito Apr 14, 2026

These got downgraded. We really should add a dependabot config at least for actions if we don't want to do npm yet. I suspect this older version will also not work with oidc.


- name: Set up Node.js
uses: actions/setup-node@v6
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: 20.x
node-version: ${{ matrix.node-version }}

- name: Install dependencies
run: npm ci
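Review bot: the pin `actions/checkout@34e11487… # v4` replaces `actions/checkout@v6`, and `actions/setup-node@v6` likewise becomes a `# v4` pin, so this hunk downgrades both actions by two major versions rather than merely pinning them; pin the SHA of the current v6 release of each and keep the version comment so Dependabot can track it. Adding `id-token: write` at the job level is the right scope for a tokenless Codecov upload, but it only has an effect if the upload step opts in to OIDC (see the next hunk). The `node-version: 20.x` to `${{ matrix.node-version }}` change is fine.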
@@ -40,6 +43,4 @@ jobs:
run: npm run test

- name: Codecov
uses: codecov/codecov-action@v6
with:
use_oidc: true
Member

We lost this. It has to be sent.

uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
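Review bot: `with: use_oidc: true` is removed while the job keeps `id-token: write` (previous hunk), so the upload silently falls back to token authentication and will need a `token:` input to succeed; restore `use_oidc: true`, which is the tokenless path the permission was added for, and confirm the `# v4` pin at `b9fd7d16…` actually supports `use_oidc`, since the replaced line was `codecov-action@v6`. With the `node-version: [22]` matrix, every matrix job uploads a report for the same commit and the last one wins; pass a per-entry `flags:` value (for example `flags: node-${{ matrix.node-version }}`) so Codecov keeps them apart.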
Member

Since we have a build matrix, we will now have an issue that it will upload coverage for each entry of the build matrix overwriting the last. One fix for this is to upload with a to codecov that includes the matrix variable in it.

15 changes: 8 additions & 7 deletions .github/workflows/cve-scanning.yml
@@ -25,15 +25,12 @@ permissions:
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [20]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Use Node.js ${{ matrix.node-version }}
- name: Use Node.js 22
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{ matrix.node-version }}
node-version: 22

- run: npm install

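Review bot: dropping the one-entry matrix in favour of a plain `node-version: 22` is fine, but coverage.yml in the same PR keeps a single-entry `node-version: [22]` matrix; pick one convention across the workflows. The fully specified version comments here (`# v4.1.7`, `# v4.0.2`) are the style the `# v4` comments in the other workflow files should follow.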
@@ -44,8 +41,12 @@ jobs:
working-directory: website

- run: npx --yes auditjs ossi --whitelist allow-list.json -u ${{ secrets.OSS_INDEX_USERNAME }} -p ${{ secrets.OSS_INDEX_TOKEN }}
if: success() || failure()
env:
HAS_SECRET: ${{ secrets.OSS_INDEX_USERNAME != '' }}
if: (success() || failure()) && env.HAS_SECRET == 'true'

- run: npx --yes auditjs ossi --whitelist ../allow-list.json -u ${{ secrets.OSS_INDEX_USERNAME }} -p ${{ secrets.OSS_INDEX_TOKEN }}
working-directory: website
if: success() || failure()
env:
HAS_SECRET: ${{ secrets.OSS_INDEX_USERNAME != '' }}
if: (success() || failure()) && env.HAS_SECRET == 'true'
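Review bot: the `env: HAS_SECRET: ${{ secrets.OSS_INDEX_USERNAME != '' }}` block is duplicated verbatim on both `auditjs` steps; define it once under `jobs.build.env` and keep only the `if:` on each step, so the two cannot drift apart. The guard itself is the usual workaround for `secrets` not being referenceable in a step `if:`, and it correctly skips the scan on fork pull requests where the secret is empty; worth confirming in a fork-PR run that the steps show as skipped rather than running with an empty `-u`. Separately, `npx --yes auditjs` fetches whatever version is latest at run time; pinning `auditjs@<version>` would make the dependency scan itself reproducible.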
20 changes: 10 additions & 10 deletions .github/workflows/release.yml
@@ -19,12 +19,12 @@ jobs:
publish_tag: ${{ steps.version.outputs.publish_tag }}
steps:
- name: Checkout repo
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Configure Node
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: 20
node-version: 22

- name: Install dependencies
run: npm ci
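Review bot: `node-version: 22` is now hard-coded here and repeated in both publish jobs below, as well as in coverage.yml and cve-scanning.yml; `setup-node` accepts `node-version-file: .nvmrc`, so adding an `.nvmrc` (if the repository does not already carry one) would give the build and publish steps a single source of truth for the Node version.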
@@ -66,7 +66,7 @@ jobs:
ls -1 *.tgz

- name: Upload packed artifacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: npm-tarballs
path: |
@@ -80,15 +80,15 @@ jobs:
needs: build_and_pack
steps:
- name: Download packed artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: npm-tarballs
path: ./dist-tarballs

- name: Configure Node for npmjs.org
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: 20
node-version: 22
Member

If we change this to 24 (the publishing node version), we can remove the NODE_AUTH_TOKEN from the npm publish env variables and it will use oidc and trusted publishing for free. Trusted publishing requires a new version of npm with node 24.

Contributor

I'm definitely OK with moving forward to node 24 (and trusted publishing) sooner rather than later.

registry-url: https://registry.npmjs.org
always-auth: true

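Review bot: if the thread's proposal to publish from Node 24 with npm trusted publishing is taken up, this job also needs `id-token: write` in its `permissions`, which the hunk does not show, and `always-auth: true` together with the `NODE_AUTH_TOKEN` env can then be dropped. While the job stays on `node-version: 22`, keep `always-auth: true` and the token, because the npm bundled with Node 22 predates trusted-publishing support; either way `registry-url` stays as is.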
@@ -111,15 +111,15 @@ jobs:
needs: build_and_pack
steps:
- name: Download packed artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: npm-tarballs
path: ./dist-tarballs

- name: Configure Node for GitHub Packages
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: 20
node-version: 22
registry-url: https://npm.pkg.github.com
scope: '@finos'
always-auth: true
1 change: 1 addition & 0 deletions README.md
@@ -12,6 +12,7 @@
[![Slack](https://img.shields.io/badge/slack-@finos/fdc3-green.svg?logo=slack)](https://finos-lf.slack.com/messages/fdc3/)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6579/badge)](https://bestpractices.coreinfrastructure.org/projects/6579)
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/finos/FDC3/badge)](https://scorecard.dev/viewer/?uri=github.com/finos/FDC3)
[![Codecov](https://codecov.io/gh/finos/FDC3/branch/main/graph/badge.svg)](https://codecov.io/gh/finos/FDC3)

## What Is It?
