nodejs.org/.github/workflows/lint-and-tests.yml at b035290373d4bfd6c5c9f38ef3aeb9e32fc3577f · adamlaska/nodejs.org · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
# Security Notes
# Only selected Actions are allowed within this repository. Please refer to (https://github.com/nodejs/nodejs.org/settings/actions)
# for the full list of available actions. If you want to add a new one, please reach out a maintainer with Admin permissions.
# REVIEWERS, please always double-check security practices before merging a PR that contains workflow changes!!
# AUTHORS, please only use actions with explicit SHA references, and avoid using `@master` or `@main` references or `@version` tags.

name: Linting and Tests

# This workflow should run either on `merge_group`, `pull_request`, or `push` events
# since we want to run lint checks against any changes on pull requests, or the final patch on merge groups
# or if direct pushes happen to main (or when changes in general land on the `main` (default) branch)
# Note that the reason why we run this on pushes against `main` is that on rare cases, maintainers might do direct pushes against `main`

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  merge_group:

# The permissions specified below apply to workflows triggered by `merge_group`, `push`, and `pull_request` events that originate from the same repository (non-fork).
# However, workflows triggered by `pull_request` events from forked repositories are treated differently for security reasons:
# - These workflows **do not** have access to any secrets configured in the repository.
# - They are also **not granted any permissions** to perform actions on the base repository.
#
# This is a deliberate security restriction designed to prevent potential abuse through malicious pull requests from forks.
# For a deeper explanation and best practices for securing your GitHub Actions workflows, particularly against so-called "pwn requests",
# refer to https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
permissions:
  contents: read
  actions: read

env:
  # See https://turbo.build/repo/docs/reference/command-line-reference/run#--cache-dir
  TURBO_ARGS: --cache-dir=.turbo/cache

jobs:
  lint:
    name: Quality checks
    runs-on: ubuntu-latest

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
        with:
          egress-policy: audit

      - name: Git Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Restore Lint Cache
        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: |
            .turbo/cache
            .eslintmdcache
            .stylelintcache
            .prettiercache
          # We want to restore Turborepo Cache and ESlint and Prettier Cache
          # The ESLint and Prettier cache's are useful to reduce the overall runtime of ESLint and Prettier
          # as they will only run on files that have changed since the last cached run
          # this might of course lead to certain files not being checked against the linter, but the chances
          # of such situation from happening are very slim as the checksums of both files would need to match
          key: cache-lint-${{ hashFiles('pnpm-lock.yaml') }}-${{ hashFiles('.turbo/cache/**') }}
          restore-keys: |
            cache-lint-${{ hashFiles('pnpm-lock.yaml') }}-
            cache-lint-

      - name: Set up pnpm
        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0

      - name: Set up Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          # We want to ensure that the Node.js version running here respects our supported versions
          node-version-file: '.nvmrc'
          cache: 'pnpm'

      - name: Install packages
        run: pnpm install --frozen-lockfile

      - name: Run quality checks with `turbo`
        # We run the ESLint and Prettier commands on all Workflow triggers of the `Lint` job, besides if
        # the Pull Request comes from a Crowdin Branch, as we don't want to run ESLint and Prettier on Crowdin PRs
        # Note: Linting and Prettifying of files on Crowdin PRs is handled by the `translations-pr.yml` Workflow
        if: |
          (github.event_name == 'push' || github.event_name == 'merge_group') ||
          (github.event_name == 'pull_request' && github.event.pull_request.head.ref != 'chore/crowdin')
        run: node_modules/.bin/turbo lint lint:types prettier ${{ env.TURBO_ARGS }}

      - name: Save Lint Cache
        # We only want to save caches on `push` events or `pull_request_target` events
        # and if it is a `pull_request_target` event, we want to avoid saving the cache if the PR comes from Dependabot
        # or if it comes from an automated Crowdin Pull Request
        # The reason we save caches on `push` is because caches creates on `main` (default) branches can be reused within
        # other Pull Requests and PRs coming from forks
        if: |
          github.event_name == 'push' ||
          (github.event_name == 'pull_request' &&
            startsWith(github.event.pull_request.head.ref, 'dependabot/') == false &&
            github.event.pull_request.head.ref != 'chore/crowdin')
        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: |
            .turbo/cache
            .eslintmdcache
            .stylelintcache
            .prettiercache
          key: cache-lint-${{ hashFiles('pnpm-lock.yaml') }}-${{ hashFiles('.turbo/cache/**') }}

  tests:
    name: Tests
    runs-on: ubuntu-latest

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
        with:
          egress-policy: audit

      - name: Git Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up pnpm
        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0

      - name: Set up Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          # We want to ensure that the Node.js version running here respects our supported versions
          node-version-file: '.nvmrc'
          cache: 'pnpm'

      - name: Install packages
        run: pnpm install --frozen-lockfile

      - name: Run Unit Tests
        # We want to run Unit Tests in every circumstance, including Crowdin PRs and Dependabot PRs to ensure
        # that changes to dependencies or translations don't break the Unit Tests
        run: node --run test:ci -- ${{ env.TURBO_ARGS }}

      - name: Upload test coverage to Codecov
        if: ${{ !cancelled() && github.event_name != 'merge_group' }}
        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
        with:
          files: ./apps/site/lcov.info,./packages/*/lcov.info

      - name: Upload test results to Codecov
        if: ${{ !cancelled() && github.event_name != 'merge_group' }}
        uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
        with:
          files: ./apps/site/junit.xml,./packages/*/junit.xml