ci: add dependency review, security scan, type check, and release jobs to GitHub Actions workflow

lposen · lposen · commit 1d7c66cc23a2 · 2025-05-06T20:29:55.000-07:00
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -11,6 +11,42 @@ on:
       - checks_requested
 
 jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v3
+        with:
+          fail-on-severity: high
+
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high
+
+  type-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Type check
+        run: yarn tsc --noEmit
+
   lint:
     runs-on: ubuntu-latest
     steps:
@@ -94,6 +130,27 @@ jobs:
 
       - name: Build package
         run: yarn prepare
+
+  release:
+    needs: [build-library, test, lint, type-check]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Create Release Pull Request or Publish to npm
+        id: changesets
+        uses: changesets/action@v1
+        with:
+          publish: yarn release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
   misspell:
     name: runner / misspell
     runs-on: ubuntu-latest
