This is primarily for github actions but also running for npm just because.
Uses a simple npm ci command for CI installation and running the npm test command. (Which also necessitates the addition of package-lock.json.)
Runs tests on push and pull events. (Push allows tests to run against branches that aren't even opened for PR. Also ensures tests run on tag events, and anything that lands on the default branch.) Simple configuration is a bonus. It means "normal" PR branches will get duplicate test runs, but they actually run against different SHAs. (PR runs against the MERGE_HEAD whereas push runs against the branch HEAD.) This can be valuable insight if only one of those jobs fails.
Also configured to run on workflow_dispatch events so they can be manually triggered through the GitHub web UI or CLI if necessary.
Also runs on a cron schedule. This is helpful for projects that don't see a lot of activity, because it will ensure any action-related deprecation warnings will be caught sooner. Otherwise it can be months or years before another PR is opened to trigger the workflow.
Removes the travis configuration and updates the README build/test badge. (Also moves the badges below the description which makes the repo more consumable when repo URLs are unfurled by social sharing services, etc.)
Runs of this workflow can be found on the fork: https://github.com/jasonkarns/sh-semver/actions/runs/16526098577
Security considerations
This workflow pins actions to precise SHAs (rather than using branch or tag refs that can change underneath us or be compromised). This is the more secure and recommended approach. To ensure that the actions themselves get bumped, dependabot configuration is added and enabled. (Dependabot will also bump the trailing human-readable version comment next to each action SHA, so humans can see what the version actually is without needing to dereference the commit SHA.)
The workflows leverage the harden-runner action, which will audit any network activity of the actions. Presently, it's in audit mode and prints a report to the Job Summary:

Future enhancements can be made to lock down network activity to the minimal hosts necessary.
Also includes the dependency-review action, which will provide a report (Job Summary) for any dependency changes. This will serve to surface any dependency changes that try to sneak in via PR.
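The SHA-pinning property the description relies on is easy to lose in a later hand edit (someone adds a step with `@v4` or a short SHA), so a pre-merge check is worth having. The script below is an added example and is not part of this PR or the sh-semver project: it extracts every `uses:` ref from a workflow file and reports any that is not pinned to a full 40-hex commit. The two sample workflows it writes are constructed for the example; the pinned one mirrors the triggers and steps the description talks about (push, pull_request, workflow_dispatch, schedule, harden-runner in audit mode, npm ci, dependency-review), but the SHAs and version comments in it are placeholders, not real commits of those actions, and example/short-sha-action is a hypothetical action name.

```shell
#!/bin/sh
# Added example, not code from the PR. Checks that every remote action in a
# GitHub Actions workflow is pinned to a full commit SHA.

# Print every `uses:` ref in FILE that is not pinned to a 40-hex commit SHA.
# Trailing comments (the human-readable version dependabot maintains) are
# stripped first. Local actions (./path) and docker:// images are skipped:
# they are not fetched through a mutable git ref, so pinning does not apply.
unpinned_uses() {
  sed -n 's/#.*$//; s/[[:space:]]*$//; s/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' "$1" \
    | tr -d "\"'" \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Number of unpinned refs in FILE; 0 means every remote action is SHA-pinned.
count_unpinned() {
  n=$(unpinned_uses "$1" | grep -c .) || true
  echo "$n"
}

# Write two constructed sample workflows into DIR.
# The SHAs below are placeholders, NOT real commits of the named actions.
write_samples() {
  cat > "$1/pinned.yml" <<'EOF'
name: test
on:
  push:
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: '0 6 * * 1'
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v0.0.0 placeholder
        with:
          egress-policy: audit
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v0.0.0 placeholder
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v0.0.0 placeholder
      - run: npm ci
      - run: npm test
  dependency-review:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v0.0.0 placeholder
      - uses: actions/dependency-review-action@0123456789abcdef0123456789abcdef01234567 # v0.0.0 placeholder
EOF
  # Mutable tag, branch, and short-SHA refs: all three must be flagged.
  cat > "$1/unpinned.yml" <<'EOF'
name: test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: example/short-sha-action@abc1234
      - uses: ./.github/actions/local-helper
      - uses: "docker://node:20"
      - run: npm ci && npm test
EOF
}

# Demo run over the two constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in pinned unpinned; do
  printf '%s: %s unpinned ref(s)\n' "$f.yml" "$(count_unpinned "$demo_dir/$f.yml")"
  unpinned_uses "$demo_dir/$f.yml" | sed 's/^/  /'
done
rm -r "$demo_dir"
```

Run it against `.github/workflows/*.yml` in CI (or as a pre-commit hook) and fail the job when count_unpinned is non-zero; a short SHA like `abc1234` is deliberately treated as unpinned, since it is resolved by prefix and is not the immutable identifier dependabot updates.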