chore(deps): update node.js to v24.8.0 #5643
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Node CI | |
| on: | |
| pull_request: | |
| paths: | |
| - '.github/workflows/nodejs.yml' | |
| - '.nvmrc' | |
| - '.pnpmfile.cjs' | |
| - '.versions/node_*' | |
| - 'bin/**' | |
| - 'data/**' | |
| - 'index.cjs' | |
| - 'lib/**' | |
| - 'package.json' | |
| - 'pnpm-lock.yaml' | |
| - '!**.poku.js' | |
| - 'devenv*' | |
| push: | |
| branches: | |
| - master | |
| - release/* | |
| tags: | |
| - 'v*' | |
| paths: | |
| - '.github/workflows/nodejs.yml' | |
| - '.nvmrc' | |
| - '.pnpmfile.cjs' | |
| - '.versions/node_*' | |
| - 'bin/**' | |
| - 'data/**' | |
| - 'index.cjs' | |
| - 'lib/**' | |
| - 'package.json' | |
| - 'pnpm-lock.yaml' | |
| - '!**.poku.js' | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| NEXUS_URL: http://100.73.146.80:8081/repository/npm/ | |
| # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token | |
| permissions: {} | |
| jobs: | |
| read-node-versions: | |
| runs-on: 'ubuntu-latest' | |
| outputs: | |
| node-versions: ${{ steps.read-versions.outputs.versions }} | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - id: read-versions | |
| run: VERSIONS=[`awk 'BEGIN {ORS=""}; NR>2 && NR%2==0 {print ","}; FNR==2 {print "'\''"$1"'\''"}' .versions/node_*`]; echo "versions=$VERSIONS" >> "$GITHUB_OUTPUT" | |
| matrix-unit-test: | |
| needs: read-node-versions | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node-version: ${{ fromJSON(needs.read-node-versions.outputs.node-versions) }} | |
| os: ['ubuntu-22.04', 'ubuntu-24.04', 'windows-latest', 'windows-11-arm', 'ubuntu-22.04-arm', 'ubuntu-24.04-arm', 'macos-15', 'macos-latest'] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 | |
| - name: Use Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - name: pnpm install, build and test | |
| run: | | |
| pnpm install --config.strict-dep-builds=true | |
| pnpm test | |
| env: | |
| CI: true | |
| NPM_CONFIG_PROVENANCE: true | |
| depscan: | |
| continue-on-error: true | |
| runs-on: ["self-hosted", "ubuntu", "arm64"] | |
| permissions: | |
| contents: write # needed for creating GH releases and uploading release assets | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| java-version: ['24'] | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Python | |
| uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 | |
| with: | |
| python-version: 3.12 | |
| - name: Set up JDK ${{ matrix.java-version }} | |
| uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0 | |
| with: | |
| distribution: 'temurin' | |
| java-version: ${{ matrix.java-version }} | |
| - name: Trim CI agent | |
| run: | | |
| rm -rf /tmp/docker-images-* /tmp/atom-usages-* /tmp/atom-reachables-* | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 | |
| - name: Setup Nexus usage | |
| run: echo "registry=$NEXUS_URL" > .npmrc | |
| - name: pnpm install | |
| run: | | |
| pnpm install --config.strict-dep-builds=true | |
| python3 -m pip install --pre owasp-depscan[all] atom-tools | |
| - name: check sbom for vulns | |
| if: github.ref == 'refs/heads/master' | |
| run: | | |
| node bin/cdxgen.js -t php -t js -t jar -t ruby -o $(pwd)/reports/sbom-build.cdx.json --include-formulation --export-proto --proto-bin-file $(pwd)/reports/sbom-build.cdx.proto --exclude "**/test/**" --profile research $(pwd) | |
| docker pull ghcr.io/cyclonedx/cdxgen:master | |
| node bin/cdxgen.js -t docker -o $(pwd)/reports/sbom-container-js.cdx.json ghcr.io/cyclonedx/cdxgen:master | |
| depscan --src $(pwd) --bom-dir $(pwd)/reports --reports-dir $(pwd)/reports --reachability-analyzer SemanticReachability --explain | |
| env: | |
| COLUMNS: 140 | |
| CDXGEN_DEBUG_MODE: debug | |
| JAVA_TOOL_OPTIONS: "-XX:UseSVE=0 -Dfile.encoding=UTF-8" | |
| - name: Generate atom and slices | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: | | |
| node bin/cdxgen.js -t php -t js -t jar -t ruby -o $(pwd)/reports/sbom-build.cdx.json --include-formulation --export-proto --proto-bin-file $(pwd)/reports/sbom-build.cdx.proto --exclude "**/test/**" --profile research $(pwd) | |
| - name: Upload atom and slices | |
| uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| files: | | |
| reports/js-app.atom | |
| reports/js-reachables.slices.json | |
| reports/js-usages.slices.json | |
| reports/sbom-build.cdx.json | |
| reports/sbom-build.cdx.proto | |
| deno-build: | |
| strategy: | |
| fail-fast: true | |
| matrix: | |
| os: [windows, macos, ubuntu] | |
| include: | |
| - os: windows | |
| build: | | |
| deno compile --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,osRelease,homedir --allow-write --allow-net --include=./data --include=./package.json --output cdxgenx.exe bin/cdxgen.js | |
| .\cdxgenx.exe --help | |
| (Get-FileHash .\cdxgenx.exe).hash | Out-File -FilePath .\cdxgenx.exe.sha256 | |
| # deno compile --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,osRelease,homedir --allow-write --allow-net --node-modules-dir=auto --allow-ffi --allow-scripts=npm:@appthreat/[email protected] --include=./data --include=./package.json --include=node_modules/sqlite3/build/Release --output evinse.exe bin/evinse.js | |
| # .\evinse.exe --help | |
| # (Get-FileHash .\evinse.exe).hash | Out-File -FilePath .\evinse.exe.sha256 | |
| artifact: cdxgenx.exe | |
| - os: macos | |
| build: | | |
| deno compile --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,homedir --allow-write --allow-net --include=./data --include=./package.json --target aarch64-apple-darwin --output cdxgenx-darwin-arm64 bin/cdxgen.js | |
| shasum -a 256 cdxgenx-darwin-arm64 > cdxgenx-darwin-arm64.sha256 | |
| ./cdxgenx-darwin-arm64 --help | |
| # deno compile --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,homedir --allow-write --allow-net --node-modules-dir=auto --allow-ffi --allow-scripts=npm:@appthreat/[email protected] --include=./data --include=./package.json --include=node_modules/sqlite3/build/Release --target aarch64-apple-darwin --output evinse-darwin-arm64 bin/evinse.js | |
| # shasum -a 256 evinse-darwin-arm64 > evinse-darwin-arm64.sha256 | |
| # ./evinse-darwin-arm64 --help | |
| artifact: cdxgenx-darwin-arm64 | |
| - os: ubuntu | |
| build: | | |
| deno compile --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,homedir --allow-write --allow-net --include=./data --include=./package.json --output cdxgenx bin/cdxgen.js | |
| shasum -a 256 cdxgenx > cdxgenx.sha256 | |
| chmod + cdxgenx | |
| ./cdxgenx --help | |
| # deno compile --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,homedir --allow-write --allow-net --node-modules-dir=auto --allow-ffi --allow-scripts=npm:@appthreat/[email protected] --include=./data --include=./package.json --include=node_modules/sqlite3/build/Release --output evinse bin/evinse.js | |
| # shasum -a 256 evinse > evinse.sha256 | |
| # chmod + evinse | |
| # ./evinse --help | |
| artifact: cdxgenx | |
| runs-on: ${{ matrix.os }}-latest | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 | |
| - name: Use Node.js | |
| uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 | |
| with: | |
| node-version-file: .nvmrc | |
| - uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2.0.3 | |
| with: | |
| deno-version: 2.4.0 | |
| - name: pnpm install, build and test | |
| run: | | |
| pnpm install:frozen | |
| - name: deno compile | |
| run: | | |
| deno info bin/cdxgen.js | |
| deno info bin/evinse.js | |
| mkdir build | |
| ${{ matrix.build }} | |
| continue-on-error: true | |
| devenv: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [macos-15] | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - uses: cachix/install-nix-action@7be5dee1421f63d07e71ce6e0a9f8a4b07c2a487 # v31.6.1 | |
| - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 | |
| with: | |
| name: devenv | |
| - name: Install devenv.sh | |
| run: nix profile install nixpkgs#devenv | |
| - name: Build the devenv shell | |
| run: | | |
| mkdir -p $HOME/.local/share/pnpm/global | |
| echo "$HOME/.local/share/pnpm/global" >> $GITHUB_PATH | |
| devenv test | |
| - name: Install dependencies | |
| run: devenv shell pnpm install --config.strict-dep-builds=true | |
| - name: Run test | |
| run: devenv shell pnpm test |