security: updated esm loader track instrumentation by url in a map instead of in url to avoid remote code executions #3406
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Node Agent CI | |
on: [push, pull_request, workflow_dispatch] | |
jobs: | |
skip_if_release: | |
runs-on: ubuntu-latest | |
outputs: | |
should_skip: ${{ steps.skip_check.outputs.should_skip }} | |
steps: | |
- id: skip_check | |
uses: fkirc/skip-duplicate-actions@v5 | |
with: | |
paths_ignore: '["NEWS.md", "changelog.json", "package.json", "package-lock.json"]' | |
skip_after_successful_duplicate: false | |
do_not_skip: '["workflow_dispatch", "pull_request"]' | |
lint: | |
needs: skip_if_release | |
if: needs.skip_if_release.outputs.should_skip != 'true' | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node-version: [lts/*] | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Use Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: Install Dependencies | |
run: npm ci | |
- name: Run Linting | |
run: npm run lint | |
- name: Inspect Lockfile | |
run: npm run lint:lockfile | |
ci: | |
needs: skip_if_release | |
if: needs.skip_if_release.outputs.should_skip != 'true' | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node-version: [lts/*] | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Use Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: Install Dependencies | |
run: npm ci | |
- name: Run CI Script Unit Tests | |
run: npm run unit:scripts | |
unit: | |
needs: skip_if_release | |
if: needs.skip_if_release.outputs.should_skip != 'true' | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node-version: [16.x, 18.x, 20.x] | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Use Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: Install Dependencies | |
run: npm ci | |
- name: Run Unit Tests | |
run: npm run unit | |
- name: Archive Unit Test Coverage | |
uses: actions/upload-artifact@v3 | |
with: | |
name: unit-tests-${{ matrix.node-version }} | |
path: ./coverage/unit/lcov.info | |
- name: Run ESM Unit Tests | |
if: matrix.node-version != '20.x' | |
run: npm run unit:esm | |
- name: Archive ESM Unit Test Coverage | |
uses: actions/upload-artifact@v3 | |
with: | |
name: esm-unit-tests-${{ matrix.node-version }} | |
path: ./coverage/esm-unit/lcov.info | |
integration: | |
needs: skip_if_release | |
if: needs.skip_if_release.outputs.should_skip != 'true' | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node-version: [16.x, 18.x, 20.x] | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Use Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: Install Dependencies | |
run: npm ci | |
- name: Run Docker Services | |
run: npm run services | |
- name: Run Integration Tests | |
run: npm run integration | |
- name: Archive Integration Test Coverage | |
uses: actions/upload-artifact@v3 | |
with: | |
name: integration-tests-${{ matrix.node-version }} | |
path: ./coverage/integration/lcov.info | |
versioned: | |
needs: skip_if_release | |
if: needs.skip_if_release.outputs.should_skip != 'true' | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node-version: [16.x, 18.x, 20.x] | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Use Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: Install Dependencies | |
run: npm ci | |
- name: Run Docker Services | |
run: npm run services | |
- name: Run Versioned Tests | |
run: TEST_CHILD_TIMEOUT=600000 npm run versioned | |
env: | |
VERSIONED_MODE: ${{ github.ref == 'refs/heads/main' && '--minor' || '--major' }} | |
JOBS: 4 # 2 per CPU seems to be the sweet spot in GHA (July 2022) | |
C8_REPORTER: lcovonly | |
- name: Archive Versioned Test Coverage | |
uses: actions/upload-artifact@v3 | |
with: | |
name: versioned-tests-${{ matrix.node-version }} | |
path: ./coverage/versioned/lcov.info | |
codecov: | |
needs: [unit, integration, versioned] | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node-version: [16.x, 18.x, 20.x] | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Download artifacts | |
uses: actions/download-artifact@v3 | |
- name: Post Unit Test Coverage | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
directory: unit-tests-${{ matrix.node-version }} | |
flags: unit-tests-${{ matrix.node-version }} | |
- name: Post ESM Unit Test Coverage | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
directory: esm-unit-tests-${{ matrix.node-version }} | |
flags: esm-unit-tests-${{ matrix.node-version }} | |
- name: Post Integration Test Coverage | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
directory: integration-tests-${{ matrix.node-version }} | |
flags: integration-tests-${{ matrix.node-version }} | |
- name: Post Versioned Test Coverage | |
uses: codecov/codecov-action@v3 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
directory: versioned-tests-${{ matrix.node-version }} | |
flags: versioned-tests-${{ matrix.node-version }} |