Merge branch 'main' into feat/add-codeql

nodejs · Aug 31, 2023 · 3aacf62 · 3aacf62
2 parents a75f7ba + 0caaa80
commit 3aacf62
Show file tree

Hide file tree

Showing 71 changed files with 682 additions and 3,455 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -27,5 +27,5 @@ Please follow this check list to ensure that you've followed all items before op
 - [ ] I have read the [Contributing Guidelines](https://github.com/nodejs/nodejs.org/blob/main/CONTRIBUTING.md) and made commit messages that follow the guideline.
 - [ ] I have run `npx turbo lint` to ensure the code follows the style guide. And run `npx turbo lint:fix` to fix the style errors if necessary.
 - [ ] I have run `npx turbo format` to ensure the code follows the style guide.
-- [ ] I have run `npx turbo test` to check if all tests are passing, and/or `npx turbo test:snapshot` to update snapshots if I created and/or updated React Components.
+- [ ] I have run `npx turbo test` to check if all tests are passing.
 - [ ] I've covered new added functionality with unit tests if necessary.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -10,7 +10,11 @@ on:
   push:
     branches:
       - main
-  pull_request:
+  pull_request_target:
+    branches:
+      - main
+    types:
+      - labeled
   merge_group:
 
 defaults:
@@ -24,6 +28,12 @@ permissions:
 
 jobs:
   base:
+    # This Job ensures that these jobs run either on regular Pull Request Updates
+    # Or if the PR gets labeled with `github_actions:pull-request`
+    if: |
+      github.event.action != 'labeled' ||
+      (github.event.action == 'labeled' && github.event.label.name == 'github_actions:pull-request')
+
     name: Base Tasks
     runs-on: ubuntu-latest
     outputs:
@@ -38,6 +48,12 @@ jobs:
         run: echo "turbo_args=--force=true --cache-dir=.turbo/cache" >> "$GITHUB_OUTPUT"
 
   build:
+    # This Job ensures that these jobs run either on regular Pull Request Updates
+    # Or if the PR gets labeled with `github_actions:pull-request`
+    if: |
+      github.event.action != 'labeled' ||
+      (github.event.action == 'labeled' && github.event.label.name == 'github_actions:pull-request')
+
     name: Build on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     needs: [base]
@@ -79,7 +95,7 @@ jobs:
             cache-build-
 
       - name: Set up Node.js
-        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d
         with:
           # We want to ensure that the Node.js version running here respects our supported versions
           node-version-file: '.nvmrc'
@@ -103,39 +119,26 @@ jobs:
           NODE_OPTIONS: '--max_old_space_size=4096'
 
       - name: Build Next.js (Static)
+        # Assigns an ID to be reused on other steps
+        id: build_nextjs_static
         # We want a Static Buid on CI to ensure that the Static Exports are working as expected
         # This build will use the existing cache created on the previous build above (ISR)
         # We want to enforce that the actual `turbo@latest` package is used instead of a possible hijack from the user
         # the `${{ needs.base.outputs.turbo_args }}` is a string substitution happening from the base job
+        if: |
+          github.event_name == 'pull_request_target' &&
+          startsWith(github.event.pull_request.head.ref, 'dependabot/') == false
         run: npx --package=turbo@latest -- turbo deploy ${{ needs.base.outputs.turbo_args }}
         env:
           # We want to ensure we have enough RAM allocated to the Node.js process
           # this should be a last resort in case by any chances the build memory gets too high
           # but in general this should never happen
           NODE_OPTIONS: '--max_old_space_size=4096'
 
-      - name: Analyse Build
-        id: analyse_build
-        # We don't need build analysis for Dependabot PRs and also when the GitHub Event is not a Pull Request
-        # i.e. if the Event is a Merge Queue Event
-        if: startsWith(github.event.pull_request.head.ref, 'dependabot/') == false && github.event_name == 'pull_request'
-        # We generate a Bundle Analysis Report
-        # See https://github.com/hashicorp/nextjs-bundle-analysis
-        run: npx [email protected] report
-
-      - name: Upload Build Analysis
-        # This prevents this step from running if "Analyse Build" got cancelled; Which gets cancelled if
-        # the curruent branch comes from Dependabot or the Event is not a Pull Request (i.e. Merge Queue Event)
-        if: steps.analyse_build.outcome == 'success'
-        # We upload the Bundle Analysis Artifact so it can be used on another Workflow
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
-        with:
-          name: bundle-analysis
-          path: .next/analyze/__bundle_analysis.json
-
       - name: Save Build Cache
-        # This prevents this step from running if Upload Build Analysis" got cancelled
-        if: steps.analyse_build.outcome == 'success'
+        # This prevents this step from running if "Next.js Build (Static)" got cancelled; Which gets cancelled if
+        # the curruent branch comes from Dependabot or the Event is not a Pull Request (i.e. Merge Queue Event)
+        if: steps.build_nextjs_static.outcome == 'success'
         uses: actions/cache/save@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
         with:
           path: |

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,30 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: Review Dependencies
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        with:
+          egress-policy: audit
+
+      - name: Git Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5
+
+      - name: Review Dependencies
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/pull-request-target.yml b/.github/workflows/pull-request-target.yml