Merge pull request #4249 from alphagov/dependabot/npm_and_yarn/access… #10465
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Continuous integration | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
workflow_dispatch: | |
inputs: | |
ref: | |
description: 'The branch, tag or SHA to checkout' | |
default: main | |
type: string | |
jobs: | |
codeql-sast: | |
name: CodeQL SAST scan | |
uses: alphagov/govuk-infrastructure/.github/workflows/codeql-analysis.yml@main | |
permissions: | |
security-events: write | |
dependency-review: | |
name: Dependency Review scan | |
uses: alphagov/govuk-infrastructure/.github/workflows/dependency-review.yml@main | |
security-analysis: | |
name: Security Analysis | |
uses: alphagov/govuk-infrastructure/.github/workflows/brakeman.yml@main | |
secrets: inherit | |
permissions: | |
contents: read | |
security-events: write | |
actions: read | |
# This matrix job runs the test suite against multiple Ruby versions | |
test_matrix: | |
strategy: | |
fail-fast: false | |
matrix: | |
ruby: [3.2, 3.3] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ inputs.ref || github.ref }} | |
# Clone the publishing-api repo, a dependency of the govuk_schemas gem, for content schemas | |
- uses: actions/checkout@v4 | |
with: | |
repository: alphagov/publishing-api | |
ref: main | |
path: tmp/publishing-api | |
- uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: ${{ matrix.ruby }} | |
bundler-cache: true | |
cache-version: 1 | |
- uses: actions/setup-node@v4.0.3 | |
with: | |
node-version: lts/* # use the latest LTS release | |
cache: yarn | |
- run: yarn install --frozen-lockfile | |
- run: bundle exec rake | |
env: | |
GOVUK_CONTENT_SCHEMAS_PATH: tmp/publishing-api/content_schemas | |
# This job is needed to work around the fact that matrix jobs spawn multiple status checks – i.e. one job per variant. | |
# The branch protection rules depend on this as a composite job to ensure that all preceding test_matrix checks passed. | |
# Solution taken from: https://github.saobby.my.eu.orgmunity/t/status-check-for-a-matrix-jobs/127354/3 | |
test: | |
needs: test_matrix | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "All matrix tests have passed 🚀" | |
release: | |
needs: test | |
runs-on: ubuntu-latest | |
if: ${{ github.ref == 'refs/heads/main' }} | |
permissions: | |
contents: write | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ruby/setup-ruby@v1 | |
with: | |
rubygems: latest | |
- uses: actions/setup-node@v4.0.3 | |
with: | |
node-version: lts/* # use the latest LTS release | |
- run: yarn install | |
- env: | |
GEM_HOST_API_KEY: ${{ secrets.ALPHAGOV_RUBYGEMS_API_KEY }} | |
run: | | |
VERSION=$(ruby -e "puts eval(File.read('govuk_publishing_components.gemspec')).version") | |
GEM_VERSION=$(gem list --exact --remote govuk_publishing_components) | |
if [ "${GEM_VERSION}" != "govuk_publishing_components (${VERSION})" ]; then | |
gem build govuk_publishing_components.gemspec | |
gem push "govuk_publishing_components-${VERSION}.gem" | |
fi | |
if ! git ls-remote --tags --exit-code origin v${VERSION}; then | |
git tag v${VERSION} | |
git push --tags | |
fi |