From 83add4e86d8fede9f03ec502fb176467c3749760 Mon Sep 17 00:00:00 2001
From: Evan Sims <evan.sims@okta.com>
Date: Tue, 26 Sep 2023 23:57:29 -0500
Subject: [PATCH] test: Migrate CI to GitHub (#523)

Co-authored-by: Steve Hobbs <steve.hobbs@okta.com>
---
 .gemrelease                      |  2 -
 .github/actions/setup/action.yml | 32 +++++++++++++++
 .github/dependabot.yml           |  9 +++--
 .github/workflows/codeql.yml     | 53 ++++++++++++++++++++++++
 .github/workflows/matrix.json    |  7 ++++
 .github/workflows/publish.yml    | 37 +++++++++++++++++
 .github/workflows/semgrep.yml    | 45 +++++++++++++++------
 .github/workflows/snyk.yml       | 47 ++++++++++++++++++++++
 .github/workflows/test.yml       | 69 ++++++++++++++++++++++++++++++++
 Gemfile.lock                     |  2 -
 auth0.gemspec                    |  1 -
 11 files changed, 284 insertions(+), 20 deletions(-)
 delete mode 100644 .gemrelease
 create mode 100644 .github/actions/setup/action.yml
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/matrix.json
 create mode 100644 .github/workflows/publish.yml
 create mode 100644 .github/workflows/snyk.yml
 create mode 100644 .github/workflows/test.yml

diff --git a/.gemrelease b/.gemrelease
deleted file mode 100644
index 2815300d..00000000
--- a/.gemrelease
+++ /dev/null
@@ -1,2 +0,0 @@
-bump:
-  tag: true
\ No newline at end of file
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
new file mode 100644
index 00000000..5c457157
--- /dev/null
+++ b/.github/actions/setup/action.yml
@@ -0,0 +1,32 @@
+name: Build package
+description: Build the SDK package
+
+inputs:
+  ruby:
+    description: The Ruby version to use
+    required: false
+    default: 3.2
+  bundle-path:
+    description: The path to the bundle cache
+    required: false
+    default: vendor/bundle
+  bundler-cache:
+    description: Whether to use the bundler cache
+    required: false
+    default: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Configure Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ inputs.ruby }}
+        bundler-cache: ${{ inputs.bundle-cache }}
+
+    - name: Install dependencies
+      run: bundle check || bundle install
+      shell: bash
+      env:
+        BUNDLE_PATH: ${{ inputs.bundle-path }}
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 32f056f4..f2df3e4c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,10 +1,13 @@
 version: 2
 updates:
-
-  - package-ecosystem: "bundler" 
-    directory: "/" 
+  - package-ecosystem: "bundler"
+    directory: "/"
     schedule:
       interval: "daily"
     ignore:
       - dependency-name: "*"
         update-types: ["version-update:semver-major"]
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'daily'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..be639066
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,53 @@
+name: CodeQL
+
+on:
+  merge_group:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: "37 10 * * 2"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+  analyze:
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ruby]
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/matrix.json b/.github/workflows/matrix.json
new file mode 100644
index 00000000..2e4e771c
--- /dev/null
+++ b/.github/workflows/matrix.json
@@ -0,0 +1,7 @@
+{
+  "include": [
+    { "ruby": "3.0" },
+    { "ruby": "3.1" },
+    { "ruby": "3.2" }
+  ]
+}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..da2a4ceb
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,37 @@
+name: Publish Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: The branch to release from.
+        required: true
+        default: master
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    name: Publish to RubyGems
+    runs-on: ubuntu-latest
+    environment: release
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.branch }}
+
+      - name: Configure Ruby
+        uses: ./.github/actions/setup
+        with:
+          ruby: 3.2
+
+      - name: Publish to RubyGems
+        run: |
+          gem build *.gemspec
+          gem push *.gem
+        env:
+          GEM_HOST_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}}
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 326471a6..fc7d2eeb 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -1,28 +1,49 @@
 name: Semgrep
 
 on:
-  pull_request: {}
-
+  merge_group:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
   push:
     branches:
       - master
-      - main
-
   schedule:
-    - cron: '0 * * * *'
+    - cron: '30 0 1,15 * *'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
-  semgrep:
-    name: Scan
+  authorize:
+    name: Authorize
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
     runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  run:
+    needs: authorize # Require approval before running on forked pull requests
+
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
     container:
       image: returntocorp/semgrep
-    if: (github.repository_owner == 'auth0')
-    
+
     steps:
-      - uses: actions/checkout@v3
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
-      - if: github.event.pull_request.draft == false && github.actor != 'dependabot[bot]'
-        run: semgrep ci
+      - run: semgrep ci
         env:
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
new file mode 100644
index 00000000..4b27ea3d
--- /dev/null
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,47 @@
+name: Snyk
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: '30 0 1,15 * *'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+  authorize:
+    name: Authorize
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  check:
+    needs: authorize
+
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 00000000..69a45f79
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,69 @@
+name: Build and Test
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+  push:
+    branches:
+      - master
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+env:
+  CACHE_KEY: "${{ github.ref }}-${{ github.run_id }}-${{ github.run_attempt }}"
+
+jobs:
+  configure:
+    name: Configure Build Matrix
+    runs-on: ubuntu-latest
+
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - id: set-matrix
+        run: echo "matrix=$(jq -c . < ./.github/workflows/matrix.json)" >> $GITHUB_OUTPUT
+
+  unit:
+    needs: configure
+
+    name: Run Unit Tests
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix: ${{ fromJson(needs.configure.outputs.matrix) }}
+
+    env:
+      DOMAIN: example.auth0.dev
+      CLIENT_ID: example-client
+      CLIENT_SECRET: example-secret
+      MASTER_JWT: example-jwt
+      BUNDLE_PATH: vendor/bundle
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Configure Ruby
+        uses: ./.github/actions/setup
+        with:
+          ruby: ${{ matrix.ruby }}
+
+      - name: Run tests
+        run: bundle exec rake test
+
+      - name: Upload coverage
+        if: matrix.ruby == '3.2'
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4
diff --git a/Gemfile.lock b/Gemfile.lock
index 39dfa009..4e4d0dc6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -61,7 +61,6 @@ GEM
     fuubar (2.5.1)
       rspec-core (~> 3.0)
       ruby-progressbar (~> 1.4)
-    gem-release (0.7.4)
     guard (2.18.0)
       formatador (>= 0.2.4)
       listen (>= 2.7, < 4.0)
@@ -242,7 +241,6 @@ DEPENDENCIES
   dotenv-rails (~> 2.0)
   faker (~> 2.0)
   fuubar (~> 2.0)
-  gem-release (~> 0.7)
   guard-rspec (~> 4.5)
   irb
   pp
diff --git a/auth0.gemspec b/auth0.gemspec
index d1f1e6ab..ec7afa51 100644
--- a/auth0.gemspec
+++ b/auth0.gemspec
@@ -32,6 +32,5 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rack', '~> 2.1'
   s.add_development_dependency 'simplecov', '~> 0.9'
   s.add_development_dependency 'faker', '~> 2.0'
-  s.add_development_dependency 'gem-release', '~> 0.7'
   s.license = 'MIT'
 end