mango banner (#243) #551

	name: 'Main branch CI'

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]

	jobs:
	sast:
	name: Static Security Tests
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Initialise CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: 'javascript'

	- name: Run CodeQL
	uses: github/codeql-action/analyze@v3

	sca:
	if: ${{ github.actor != 'dependabot[bot]' }}
	name: Dependency Scan
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	# Fail the job on critical vulnerabiliies with fix available
	- name: Fail on critical vulnerabilities
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: 'fs'
	ignore-unfixed: true
	hide-progress: true
	format: 'table'
	severity: 'CRITICAL'
	exit-code: '1'

	test:
	name: Run Tests
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version: 20
	cache: yarn

	- name: Cache dependencies
	uses: actions/cache@v4
	with:
	path: '**/node_modules'
	key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}

	- name: Install dependencies
	run: yarn ci

	- name: Run tests
	run: yarn test-all

	pass:
	name: All tests pass
	needs: ['sast', 'sca', 'test']
	runs-on: ubuntu-latest
	steps:
	- run: echo ok

Provide feedback