Skip to content

Commit

Permalink
test: Migrate CI to GitHub (#523)
Browse files Browse the repository at this point in the history
Co-authored-by: Steve Hobbs <[email protected]>
  • Loading branch information
evansims and stevehobbsdev authored Sep 27, 2023
1 parent 8be3420 commit 83add4e
Show file tree
Hide file tree
Showing 11 changed files with 284 additions and 20 deletions.
2 changes: 0 additions & 2 deletions .gemrelease

This file was deleted.

32 changes: 32 additions & 0 deletions .github/actions/setup/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: Build package
description: Build the SDK package

inputs:
ruby:
description: The Ruby version to use
required: false
default: 3.2
bundle-path:
description: The path to the bundle cache
required: false
default: vendor/bundle
bundler-cache:
description: Whether to use the bundler cache
required: false
default: true

runs:
using: composite

steps:
- name: Configure Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ inputs.ruby }}
bundler-cache: ${{ inputs.bundle-cache }}

- name: Install dependencies
run: bundle check || bundle install
shell: bash
env:
BUNDLE_PATH: ${{ inputs.bundle-path }}
9 changes: 6 additions & 3 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -1,10 +1,13 @@
version: 2
updates:

- package-ecosystem: "bundler"
directory: "/"
- package-ecosystem: "bundler"
directory: "/"
schedule:
interval: "daily"
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-major"]
- package-ecosystem: 'github-actions'
directory: '/'
schedule:
interval: 'daily'
53 changes: 53 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
name: CodeQL

on:
merge_group:
pull_request:
types:
- opened
- synchronize
push:
branches:
- master
schedule:
- cron: "37 10 * * 2"

permissions:
actions: read
contents: read
security-events: write

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
analyze:
name: Check for Vulnerabilities
runs-on: ubuntu-latest

strategy:
fail-fast: false
matrix:
language: [ruby]

steps:
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- name: Checkout
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
queries: +security-and-quality

- name: Autobuild
uses: github/codeql-action/autobuild@v2

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{ matrix.language }}"
7 changes: 7 additions & 0 deletions .github/workflows/matrix.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"include": [
{ "ruby": "3.0" },
{ "ruby": "3.1" },
{ "ruby": "3.2" }
]
}
37 changes: 37 additions & 0 deletions .github/workflows/publish.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
name: Publish Release

on:
workflow_dispatch:
inputs:
branch:
description: The branch to release from.
required: true
default: master

permissions:
contents: read

jobs:
publish:
name: Publish to RubyGems
runs-on: ubuntu-latest
environment: release

steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.inputs.branch }}

- name: Configure Ruby
uses: ./.github/actions/setup
with:
ruby: 3.2

- name: Publish to RubyGems
run: |
gem build *.gemspec
gem push *.gem
env:
GEM_HOST_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}}
45 changes: 33 additions & 12 deletions .github/workflows/semgrep.yml
Original file line number Diff line number Diff line change
@@ -1,28 +1,49 @@
name: Semgrep

on:
pull_request: {}

merge_group:
pull_request_target:
types:
- opened
- synchronize
push:
branches:
- master
- main

schedule:
- cron: '0 * * * *'
- cron: '30 0 1,15 * *'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
semgrep:
name: Scan
authorize:
name: Authorize
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

run:
needs: authorize # Require approval before running on forked pull requests

name: Check for Vulnerabilities
runs-on: ubuntu-latest

container:
image: returntocorp/semgrep
if: (github.repository_owner == 'auth0')


steps:
- uses: actions/checkout@v3
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}

- if: github.event.pull_request.draft == false && github.actor != 'dependabot[bot]'
run: semgrep ci
- run: semgrep ci
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
47 changes: 47 additions & 0 deletions .github/workflows/snyk.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Snyk

on:
merge_group:
workflow_dispatch:
pull_request_target:
types:
- opened
- synchronize
push:
branches:
- master
schedule:
- cron: '30 0 1,15 * *'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
authorize:
name: Authorize
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

check:
needs: authorize

name: Check for Vulnerabilities
runs-on: ubuntu-latest

steps:
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}

- uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # [email protected]
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
69 changes: 69 additions & 0 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
name: Build and Test

on:
merge_group:
workflow_dispatch:
pull_request:
branches:
- master
push:
branches:
- master

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

env:
CACHE_KEY: "${{ github.ref }}-${{ github.run_id }}-${{ github.run_attempt }}"

jobs:
configure:
name: Configure Build Matrix
runs-on: ubuntu-latest

outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}

steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}

- id: set-matrix
run: echo "matrix=$(jq -c . < ./.github/workflows/matrix.json)" >> $GITHUB_OUTPUT

unit:
needs: configure

name: Run Unit Tests
runs-on: ubuntu-latest

strategy:
matrix: ${{ fromJson(needs.configure.outputs.matrix) }}

env:
DOMAIN: example.auth0.dev
CLIENT_ID: example-client
CLIENT_SECRET: example-secret
MASTER_JWT: example-jwt
BUNDLE_PATH: vendor/bundle

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Configure Ruby
uses: ./.github/actions/setup
with:
ruby: ${{ matrix.ruby }}

- name: Run tests
run: bundle exec rake test

- name: Upload coverage
if: matrix.ruby == '3.2'
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # [email protected]
2 changes: 0 additions & 2 deletions Gemfile.lock
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,6 @@ GEM
fuubar (2.5.1)
rspec-core (~> 3.0)
ruby-progressbar (~> 1.4)
gem-release (0.7.4)
guard (2.18.0)
formatador (>= 0.2.4)
listen (>= 2.7, < 4.0)
Expand Down Expand Up @@ -242,7 +241,6 @@ DEPENDENCIES
dotenv-rails (~> 2.0)
faker (~> 2.0)
fuubar (~> 2.0)
gem-release (~> 0.7)
guard-rspec (~> 4.5)
irb
pp
Expand Down
1 change: 0 additions & 1 deletion auth0.gemspec
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,5 @@ Gem::Specification.new do |s|
s.add_development_dependency 'rack', '~> 2.1'
s.add_development_dependency 'simplecov', '~> 0.9'
s.add_development_dependency 'faker', '~> 2.0'
s.add_development_dependency 'gem-release', '~> 0.7'
s.license = 'MIT'
end

0 comments on commit 83add4e

Please sign in to comment.