ci: update workflows #1471

Merged (4 commits, Jun 19, 2022)

Conversation

@Fdawgs (Member) commented Jun 19, 2022

This PR:

  • Removes Git credentials/SSH keys after checkout as a security precaution by setting persist-credentials to false; they are not used after the initial checkout
  • Adds --ignore-scripts option to npm install commands to protect against malicious scripts in dependencies
  • Moves the actions/dependency-review-action into the main ci.yml workflow, and deletes the old dependency-review.yml workflow (brings it more into line with Fastify's CI style and makes it easier to maintain)
  • Declares the minimum permissions for CI workflows to run at either the workflow or job level, following principle of least privilege; see related GitHub security post
  • Enables concurrency in ci.yml; see related docs, this allows a subsequently queued workflow run to interrupt previous runs in PRs
  • Removes the Snyk badge from the readme, as the actions/dependency-review-action does the same thing as Snyk, so it is no longer needed
  • Uses the latest GitHub .gitignore template, whilst also adding the pnpm lockfile
  • Sets the Node version used in bench.yml to lts/*, so it will always test with the current LTS, and it doesn't need to be updated when the LTS changes
  • Adds a conditional if to the automerge job in ci.yml; this stops the job from running if the user is not Dependabot, saving a few seconds CI run time
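
The settings listed above, assembled into a single ci.yml as an added example. This is not the PR's diff or Pino's actual workflow file; the action version tags, the job names, the Node matrix, the `github.actor == 'dependabot[bot]'` condition and the fastify/github-action-merge-dependabot step are assumptions made for illustration.

```yaml
name: CI

on:
  push:
    branches:
      - main
  pull_request:

# Least privilege, declared at workflow level: GITHUB_TOKEN can only read
# repository contents unless a job below widens its own permissions.
permissions:
  contents: read

# A newer run for the same PR (or ref) cancels any run still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  dependency-review:
    # Replaces the separate dependency-review.yml workflow; only PRs have a
    # base/head pair to diff, so skip the job on push events.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Drop the token from .git/config after checkout; no later step
          # needs to push or fetch with credentials.
          persist-credentials: false
      - uses: actions/dependency-review-action@v2  # version tag assumed

  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [14, 16, 18]  # assumed matrix
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      # Lifecycle scripts (preinstall/install/postinstall) of every dependency
      # are skipped, so a compromised package cannot run code at install time.
      - run: npm install --ignore-scripts
      - run: npm test

  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - uses: actions/setup-node@v3
        with:
          node-version: lts/*  # always the current LTS, no manual bumps
      - run: npm install --ignore-scripts
      - run: npm run bench  # script name assumed

  automerge:
    # Skip entirely unless the PR was opened by Dependabot.
    if: github.actor == 'dependabot[bot]'
    needs: test
    runs-on: ubuntu-latest
    # Job-level widening: merging needs write access that the other jobs lack.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: fastify/github-action-merge-dependabot@v3  # assumed step
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Two caveats a practitioner should keep in mind. With persist-credentials: false, any later step that needs to push (a release job, for instance) must supply its own token explicitly; the default checkout would otherwise have left the token readable in .git/config for every subsequent step, including third-party actions. And --ignore-scripts only blocks install-time execution: a dependency that needs a build step will be left unbuilt, and malicious code that runs when the module is required is still executed by npm test, so the flag narrows the attack surface rather than removing it.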

@Fdawgs (Member, Author) commented Jun 19, 2022

@mcollina as discussed, this is part of improving Pino's repo CI and bringing it up to Fastify's standard. If happy with this PR I'll make equivalents in the other repos.

@mcollina (Member) left a comment

lgtm

@mcollina (Member)

go for it! This is amazing work!

@jsumners (Member)

Please put some stuff in the .github repo so that:

  1. This stuff doesn't fill up my inbox so frequently in the future
  2. We can effectively implement rolling Node LTS support across all repos

@github-actions (bot)

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 21, 2023