deduplicate #3953

	name: Code Review

	on:
	pull_request:
	branches: ['main']
	push:
	branches-ignore:
	- 'dependabot/*'

	jobs:
	lint:
	if: ${{ github.actor != 'dependabot[bot]' }}
	name: Lint
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version: '18'
	cache: 'yarn'

	- name: Install dependencies
	run: yarn ci

	- name: Check dep dupes
	run: yarn ci-dupe-check

	- name: Lint
	run: yarn lint-all

	sast:
	if: ${{ github.actor != 'dependabot[bot]' }}
	name: Security Scan
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Initialise CodeQL
	uses: github/codeql-action/init@v2
	with:
	languages: 'javascript'

	- name: Run CodeQL
	uses: github/codeql-action/analyze@v2

	sca:
	if: ${{ github.actor != 'dependabot[bot]' }}
	name: Dependency Scan
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	# Fail the job on critical vulnerabiliies with fix available
	- name: Fail on critical vulnerabilities
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: 'fs'
	ignore-unfixed: true
	hide-progress: true
	format: 'table'
	severity: 'CRITICAL'
	exit-code: '1'

	all-pass:
	if: ${{ github.actor != 'dependabot[bot]' }}
	name: All tests pass 🚀
	needs: ['lint', 'sast', 'sca']
	runs-on: ubuntu-latest
	steps:
	- run: echo ok

Provide feedback