Check code quality #11933
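name: Check code quality

on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:
  # see: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue#configuring-continuous-integration-ci-workflows-for-merge-queues
  merge_group:

# cancel previous runs if new changes are pushed to the branch/PR
# see: https://stackoverflow.com/a/72408109
# Note: the group is keyed on the ref for non-PR events, so this also cancels
# a superseded run on main when several pushes land in quick succession.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Default GITHUB_TOKEN scope for every job. Jobs that need more (SARIF upload,
# PR comments, the screenshot workflow) widen it explicitly on the job.
permissions:
  contents: read
  checks: read

jobs:
  # We run the build first standalone to ensure everything is cached for all other jobs
  build:
    name: Build and Cache
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      # Turbo remote-cache token. Scoped to the two jobs that run turbo
      # (build and check) rather than to the whole workflow, so it is not
      # exposed to the CodeQL / dependency-review jobs or the third-party
      # actions they run. Caller `env` is not forwarded to the reusable
      # playwright.yml workflow either way. Empty on pull requests from
      # forks, where secrets are not available.
      TURBO_TOKEN: ${{ secrets.TURBO_REMOTE_CACHE__TURBO_TOKEN }}
    steps:
      - name: "🛃 Harden the runner (Audit all outbound calls)"
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          # `audit` only logs egress. Once the baseline of outbound hosts is
          # known from the audit logs, switch to `block` with an
          # `allowed-endpoints` list so unexpected exfiltration is stopped,
          # not just recorded.
          egress-policy: audit
      - name: "🛒 Checkout Repository"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/templates/node-setup
      - name: 🛠️ Build packages
        run: pnpm run build:all

  check:
    name: Check code quality
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
      # needed by upload-sarif to publish the eslint results to code scanning
      security-events: write
    env:
      # see the note on the build job; this job re-runs the build and tests
      # and relies on the remote cache populated there.
      TURBO_TOKEN: ${{ secrets.TURBO_REMOTE_CACHE__TURBO_TOKEN }}
    steps:
      - name: "🛃 Harden the runner (Audit all outbound calls)"
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: "🛒 Checkout Repository"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # needed when building VitePress docs so timestamps can be calculated correctly
          fetch-depth: 0
      - uses: ./.github/templates/node-setup
      - name: 🔎 Lint
        id: lint
        run: pnpm run lint:ci:all
        # we must continue on error here so the eslint results are uploaded to GitHub in the next step.
        # The step's real outcome is re-checked after the upload (see "Fail on lint errors")
        # so that continue-on-error does not turn lint errors into a green job.
        continue-on-error: true
      - name: ⬆️ Upload eslint results to GitHub
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: eslint-results.sarif
          wait-for-processing: true
          category: "/tool:eslint"
      - name: 🚫 Fail on lint errors
        # `outcome` is the step result *before* continue-on-error is applied,
        # so this fails the job exactly when the lint step itself failed.
        if: steps.lint.outcome == 'failure'
        run: |
          echo "::error::Lint reported errors (see the uploaded eslint results)."
          exit 1
      - name: 🎨 Check formatting
        run: pnpm run format:check:all
      - name: 🛠️ Build packages
        run: pnpm run build:all
      - name: 🚨 Run unit tests
        run: pnpm run test:all
      # make sure that publint is only run after all packages have been built
      - name: 📋 Run publint
        run: pnpm run publint:all
      # scan CSS build for browser compatibility issues
      - name: 💅 Run stylelint
        run: pnpm run stylelint
      - name: ⬆️ Upload code coverage artifact
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: always() # needed to also upload test results when they failed (useful for debugging)
        with:
          name: coverage
          path: coverage

  screenshots:
    if: github.ref != 'refs/heads/main'
    needs: build
    name: Component tests
    uses: ./.github/workflows/playwright.yml
    # NOTE(review): `inherit` forwards every repository/organisation secret to
    # the called workflow. If the set playwright.yml actually reads is known,
    # pass those by name instead (`secrets:` mapping) to keep the blast radius
    # of that workflow small.
    secrets: inherit
    permissions:
      # Forwarded to playwright.yml; presumably used to commit updated
      # screenshots — confirm against that workflow. On pull requests from
      # forks the token is read-only regardless of this setting.
      contents: write
    with:
      # On PRs: Run tests only for changed files.
      # This means that for merge_groups, which are required to be run before the merge, all tests are executed.
      # Outside pull_request events `base.ref` is empty, so the expression yields '' and the called workflow runs everything.
      only-changed: ${{ (github.event.pull_request.base.ref && format('origin/{0}', github.event.pull_request.base.ref)) }}

  codeql:
    name: CodeQL
    runs-on: ubuntu-latest
    needs: build
    permissions:
      actions: read
      contents: read
      # needed by codeql-action/analyze to upload its results
      security-events: write
    steps:
      - name: "🛃 Harden the runner (Audit all outbound calls)"
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: "🛒 Checkout Repository"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          languages: javascript-typescript
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          # distinct category so these results do not collide with the eslint SARIF upload
          category: "/tool:CodeQL"

  dependency-review:
    name: "Dependency Review"
    runs-on: ubuntu-latest
    if: ${{ github.event_name == 'pull_request' }}
    permissions:
      contents: read
      # only needed for `comment-summary-in-pr`
      pull-requests: write
    steps:
      - name: "🛃 Harden the runner (Audit all outbound calls)"
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: "🛒 Checkout Repository"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: "Dependency Review"
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
        with:
          comment-summary-in-pr: on-failure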