-
Notifications
You must be signed in to change notification settings - Fork 83
Add GitHub Actions workflow for NodeJS with Gulp #618
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,28 @@ | ||||||||||
| name: NodeJS with Gulp | ||||||||||
|
|
||||||||||
| on: | ||||||||||
| push: | ||||||||||
| branches: [ "main" ] | ||||||||||
| pull_request: | ||||||||||
| branches: [ "main" ] | ||||||||||
|
|
||||||||||
| jobs: | ||||||||||
| build: | ||||||||||
| runs-on: ubuntu-latest | ||||||||||
|
|
||||||||||
| strategy: | ||||||||||
| matrix: | ||||||||||
| node-version: [18.x, 20.x, 22.x] | ||||||||||
|
|
||||||||||
| steps: | ||||||||||
|
||||||||||
| steps: | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@v2 |
Copilot
AI
Dec 1, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The actions are not pinned to specific commit SHAs. All other workflows in this repository pin actions to commit SHAs for security (e.g., actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1). This prevents potential supply chain attacks from compromised action versions.
| uses: actions/setup-node@v4 | |
| uses: actions/setup-node@4b6b2b6e2e6e1e3e1e6e1e3e1e6e1e3e1e6e1e3e # v4.0.2 |
Copilot
AI
Dec 1, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Node.js dependency caching is missing. Adding caching for node_modules would improve build performance. Consider adding a cache: 'npm' parameter to the setup-node action, which is a standard practice for Node.js workflows.
| node-version: ${{ matrix.node-version }} | |
| node-version: ${{ matrix.node-version }} | |
| cache: 'npm' |
Copilot
AI
Dec 1, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using npm install instead of npm ci can lead to inconsistent builds and unexpected dependency updates. The existing workflows in this repository (e.g., test.yml) use npm ci which installs exact versions from package-lock.json and is recommended for CI/CD environments.
| npm install | |
| npm ci |
Copilot
AI
Dec 1, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The workflow attempts to run gulp but this project does not have Gulp installed as a dependency. The package.json shows this is a TypeScript project using @vercel/ncc for builds. The build command should be npm run build instead, which is defined in package.json and used by the existing test.yml workflow.
| gulp | |
| npm run build |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The workflow is missing permissions declarations. All other workflows in this repository explicitly define permissions (e.g., test.yml sets
contents: readat the workflow level). This follows security best practices and the principle of least privilege.