feat(search): forbid private fields based on OAuth scopes (#10579) #25648
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
env: | |
TZ: UTC | |
CI: true | |
OC_ENV: ci | |
NODE_ENV: test | |
AWS_KEY: ${{ secrets.AWS_KEY }} | |
AWS_SECRET: ${{ secrets.AWS_SECRET }} | |
jobs: | |
lint: | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: 'package.json' | |
cache: 'npm' | |
- name: Restore node_modules | |
uses: actions/cache@v4 | |
id: api-node-modules | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-api-node-modules-${{ hashFiles('package-lock.json') }}-${{ secrets.CACHE_VERSION }} | |
- name: Install dependencies | |
if: steps.api-node-modules.outputs.cache-hit != 'true' | |
run: npm ci --prefer-offline --no-audit | |
- run: npm run lint:check | |
prettier: | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: 'package.json' | |
cache: 'npm' | |
- name: Restore node_modules | |
uses: actions/cache@v4 | |
id: api-node-modules | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-api-node-modules-${{ hashFiles('package-lock.json') }}-${{ secrets.CACHE_VERSION }} | |
- name: Install dependencies | |
if: steps.api-node-modules.outputs.cache-hit != 'true' | |
run: npm ci --prefer-offline --no-audit | |
- run: npm run prettier:check | |
typescript: | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: 'package.json' | |
cache: 'npm' | |
- name: Restore node_modules | |
uses: actions/cache@v4 | |
id: api-node-modules | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-api-node-modules-${{ hashFiles('package-lock.json') }}-${{ secrets.CACHE_VERSION }} | |
- name: Install dependencies | |
if: steps.api-node-modules.outputs.cache-hit != 'true' | |
run: npm ci --prefer-offline --no-audit | |
- run: npm run type:check | |
depcheck: | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: 'package.json' | |
cache: 'npm' | |
- name: Restore node_modules | |
uses: actions/cache@v4 | |
id: api-node-modules | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-api-node-modules-${{ hashFiles('package-lock.json') }}-${{ secrets.CACHE_VERSION }} | |
- name: Install dependencies | |
if: steps.api-node-modules.outputs.cache-hit != 'true' | |
run: npm ci --prefer-offline --no-audit | |
- run: npm run depcheck | |
ts-unused-exports: | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: 'package.json' | |
cache: 'npm' | |
- name: Restore node_modules | |
uses: actions/cache@v4 | |
id: api-node-modules | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-api-node-modules-${{ hashFiles('package-lock.json') }}-${{ secrets.CACHE_VERSION }} | |
- name: Install dependencies | |
if: steps.api-node-modules.outputs.cache-hit != 'true' | |
run: npm ci --prefer-offline --no-audit | |
- name: Cache build | |
uses: actions/cache@v4 | |
with: | |
path: dist | |
key: ${{ runner.os }}-api-build-${{ github.sha }} | |
- name: Check unused exports | |
run: npm run ts-unused-exports | |
build: | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: 'package.json' | |
cache: 'npm' | |
- name: Restore node_modules | |
uses: actions/cache@v4 | |
id: api-node-modules | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-api-node-modules-${{ hashFiles('package-lock.json') }}-${{ secrets.CACHE_VERSION }} | |
- name: Install dependencies | |
if: steps.api-node-modules.outputs.cache-hit != 'true' | |
run: npm ci --prefer-offline --no-audit | |
- name: Cache build | |
uses: actions/cache@v4 | |
with: | |
path: dist | |
key: ${{ runner.os }}-api-build-${{ github.sha }} | |
- name: Build | |
run: npm run build | |
test: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 30 | |
services: | |
redis: | |
image: redis | |
ports: | |
- 6379:6379 | |
options: --entrypoint redis-server | |
postgres: | |
image: postgres:16.6 | |
env: | |
POSTGRES_USER: postgres | |
POSTGRES_DB: postgres | |
POSTGRES_HOST_AUTH_METHOD: trust | |
ports: | |
- 5432:5432 | |
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: 'package.json' | |
cache: 'npm' | |
- name: Restore node_modules | |
uses: actions/cache@v4 | |
id: api-node-modules | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-api-node-modules-${{ hashFiles('package-lock.json') }}-${{ secrets.CACHE_VERSION }} | |
- name: Install dependencies | |
if: steps.api-node-modules.outputs.cache-hit != 'true' | |
run: npm ci --prefer-offline --no-audit | |
- run: npm run db:restore | |
- run: npm run db:migrate | |
# We have to specify OPENSSL_CONF=/dev/null for html-pdf to work | |
# We can remove it once we tackle https://github.com/opencollective/opencollective/issues/7622 | |
- run: OPENSSL_CONF=/dev/null npm run test -- --ignore "test/server/graphql/**" | |
- name: Report coverage | |
uses: codecov/codecov-action@v4 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
flags: Unit | |
test-graphql: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 30 | |
services: | |
redis: | |
image: redis | |
ports: | |
- 6379:6379 | |
options: --entrypoint redis-server | |
postgres: | |
image: postgres:16.6 | |
env: | |
POSTGRES_USER: postgres | |
POSTGRES_DB: postgres | |
POSTGRES_HOST_AUTH_METHOD: trust | |
ports: | |
- 5432:5432 | |
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 | |
elastic: | |
image: elasticsearch:8.15.2 | |
ports: | |
- 9200:9200 | |
env: | |
discovery.type: single-node | |
xpack.security.enabled: false | |
options: >- | |
--health-cmd="curl --silent --fail http://localhost:9200/_cluster/health || exit 1" | |
--health-interval=10s | |
--health-timeout=15s | |
--health-retries=30 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: 'package.json' | |
cache: 'npm' | |
- name: Restore node_modules | |
uses: actions/cache@v4 | |
id: api-node-modules | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-api-node-modules-${{ hashFiles('package-lock.json') }}-${{ secrets.CACHE_VERSION }} | |
- name: Install dependencies | |
if: steps.api-node-modules.outputs.cache-hit != 'true' | |
run: npm ci --prefer-offline --no-audit | |
- run: npm run db:restore | |
- run: npm run db:migrate | |
- run: npm run test:graphql | |
- name: Report coverage | |
uses: codecov/codecov-action@v4 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
flags: GraphQL | |
schema-update: | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
services: | |
redis: | |
image: redis | |
ports: | |
- 6379:6379 | |
options: --entrypoint redis-server | |
postgres: | |
image: postgres:16.6 | |
env: | |
POSTGRES_USER: postgres | |
POSTGRES_DB: postgres | |
POSTGRES_HOST_AUTH_METHOD: trust | |
ports: | |
- 5432:5432 | |
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: 'package.json' | |
cache: 'npm' | |
- name: Restore node_modules | |
uses: actions/cache@v4 | |
id: api-node-modules | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-api-node-modules-${{ hashFiles('package-lock.json') }}-${{ secrets.CACHE_VERSION }} | |
- name: Install dependencies | |
if: steps.api-node-modules.outputs.cache-hit != 'true' | |
run: npm ci --prefer-offline --no-audit | |
- name: Generate & check schemas | |
run: ./scripts/check-schemas.sh | |
graphql-inspector: | |
name: GraphQL Inspector | |
runs-on: ubuntu-latest | |
services: | |
redis: | |
image: redis | |
ports: | |
- 6379:6379 | |
options: --entrypoint redis-server | |
postgres: | |
image: postgres:16.6 | |
env: | |
POSTGRES_USER: postgres | |
POSTGRES_DB: postgres | |
POSTGRES_HOST_AUTH_METHOD: trust | |
ports: | |
- 5432:5432 | |
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: GraphQL Inspector (V1) | |
uses: kamilkisiela/[email protected] | |
with: | |
name: 'GraphQL Inspector - Schema v1' | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
schema: 'main:server/graphql/schemaV1.graphql' | |
fail-on-breaking: false | |
- name: GraphQL Inspector (V2) | |
uses: kamilkisiela/[email protected] | |
with: | |
name: 'GraphQL Inspector - Schema v2' | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
schema: 'main:server/graphql/schemaV2.graphql' | |
fail-on-breaking: false |