fix(j-s): Defender Case File Access #58640
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Monorepo pipeline - pull request | |
| on: | |
| pull_request: {} | |
| workflow_dispatch: {} | |
| defaults: | |
| run: | |
| shell: bash | |
| concurrency: | |
| # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-a-fallback-value | |
| group: pullrequest-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| env: | |
| COMPOSE_HTTP_TIMEOUT: 180 | |
| GITHUB_ACTIONS_CACHE_URL: https://cache.dev01.devland.is/ | |
| SKIP_GENERATED_CACHE: ${{ contains(github.event.pull_request.labels.*.name, 'skip-generated-cache') }} | |
| NX_AFFECTED_ALL: ${{ contains(github.event.pull_request.labels.*.name, 'nx-affected-all') }} | |
| jobs: | |
| prepare: | |
| runs-on: ec2-runners | |
| container: | |
| image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest | |
| timeout-minutes: 35 | |
| env: | |
| AFFECTED_ALL: ${{ secrets.AFFECTED_ALL }} | |
| CHUNK_SIZE: 7 | |
| SERVERSIDE_FEATURES_ON: '' | |
| outputs: | |
| TEST_CHUNKS: ${{ steps.test_projects.outputs.CHUNKS }} | |
| E2E_CHUNKS: ${{ steps.e2e_projects.outputs.CHUNKS }} | |
| E2E_BUILD_ID: ${{ steps.e2e_projects.outputs.BUILD_ID }} | |
| LINT_CHUNKS: ${{ steps.lint_projects.outputs.CHUNKS }} | |
| UNAFFECTED: ${{ steps.unaffected.outputs.UNAFFECTED }} | |
| BUILD_CHUNKS: ${{ steps.build_projects.outputs.CHUNKS }} | |
| BUILD_MAP: ${{ steps.build_map.outputs.BUILD_MAP }} | |
| node-modules-hash: ${{ steps.calculate_node_modules_hash.outputs.node-modules-hash }} | |
| generated-files-cache-key: ${{ steps.calculate_generated_files_cache_key.outputs.generated-files-cache-key }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: 'package.json' | |
| - name: Setup yarn | |
| run: npm install -g yarn | |
| - name: Check node version | |
| run: | | |
| node -v | |
| ls -l `which node` | |
| - name: Checking out relevant branches | |
| run: | | |
| git checkout $GITHUB_HEAD_REF | |
| git checkout $GITHUB_BASE_REF | |
| git checkout $GITHUB_SHA | |
| git config --global user.email "ci@island.is" | |
| git config --global user.name "CI Bot" | |
| BASE_SHA=$(git merge-base HEAD $GITHUB_BASE_REF) | |
| HEAD_SHA=$(git merge-base HEAD $GITHUB_HEAD_REF) | |
| echo Current base SHA is $BASE_SHA and head SHA is $HEAD_SHA | |
| echo "{\"base_sha\": \"$BASE_SHA\", \"head_sha\":\"$HEAD_SHA\"}" > event.json | |
| - name: Keep PR run event | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: pr-event | |
| path: event.json | |
| retention-days: 60 | |
| - name: Calculate cache key for node modules | |
| id: calculate_node_modules_hash | |
| run: | | |
| HASH="$(./scripts/ci/get-node-modules-hash.mjs)" | |
| echo "node-modules-hash: ${HASH}" | |
| echo "node-modules-hash=${HASH}" >> $GITHUB_OUTPUT | |
| - name: Calculate cache keys for generated files | |
| id: calculate_generated_files_cache_key | |
| run: | | |
| export HASH=$(./scripts/_hash-generated-files.sh) | |
| export GENERATED_FILES_KEY=${{ runner.os }}-$HASH-files-generated-03 | |
| echo "GENERATED_FILES_KEY: $GENERATED_FILES_KEY" | |
| echo "generated-files-cache-key=$GENERATED_FILES_KEY" >> $GITHUB_OUTPUT | |
| - name: Cache for NodeJS dependencies - host OS | |
| id: node-modules | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: node_modules | |
| key: ${{ steps.calculate_node_modules_hash.outputs.node-modules-hash }}-yarn | |
| - name: Check node-modules cache success | |
| run: '[[ "${{ steps.node-modules.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Building NodeJS dependencies | |
| if: steps.node-modules.outputs.cache-hit != 'true' | |
| run: ./scripts/ci/10_prepare-host-deps.sh | |
| - run: | | |
| echo "HEAD=$GITHUB_SHA" >> $GITHUB_ENV | |
| export HEAD_REF="$GITHUB_HEAD_REF" | |
| export BASE_REF="$GITHUB_BASE_REF" | |
| export PR_REF=$GITHUB_SHA | |
| export SHELL=/usr/bin/bash | |
| export WORKFLOW_ID=pullrequest | |
| source ./scripts/ci/00_prepare-base-tags.sh $(git merge-base HEAD $GITHUB_BASE_REF) | |
| git checkout $GITHUB_SHA | |
| echo "BASE=$BASE" >> $GITHUB_ENV | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| HTML_URL: ${{ github.event.pull_request.html_url }} | |
| ISSUE_REPORTING_SLACK_WEBHOOK_URL: ${{ secrets.SLACK_BUILD_ISSUES_REPORTING_WEBHOOK_URL }} | |
| name: Preparing HEAD and BASE tags | |
| - name: Cache for cypress | |
| id: cypress | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: /github/home/.cache/Cypress | |
| key: cypress-cache-${{ steps.calculate_node_modules_hash.outputs.node-modules-hash }} | |
| - name: Check cypress cache success | |
| run: '[[ "${{ steps.cypress.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Verify cypress | |
| id: cypress-check | |
| run: npx cypress verify | |
| continue-on-error: true | |
| - name: Install cypress | |
| if: steps.cypress-check.outcome != 'success' | |
| run: npx cypress install | |
| - name: Cache for generated files | |
| id: generated-files-cache | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: generated_files.tar.gz | |
| key: ${{ steps.calculate_generated_files_cache_key.outputs.generated-files-cache-key }} | |
| # force-cache-save: ${{ env.SKIP_GENERATED_CACHE }} | |
| - name: Check generated files cache success | |
| run: '[[ "${{ steps.generated-files-cache.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Run codegen | |
| if: steps.generated-files-cache.outputs.cache-hit != 'true' | |
| run: | | |
| node --version | |
| tar zcvf generated_files.tar.gz $(./scripts/ci/get-files-touched-by.sh yarn codegen --skip-cache | xargs realpath --relative-to $(pwd)) | |
| # - name: Security audit Node modules | |
| # run: ./scripts/ci/20_security-audit.sh | |
| - name: License audit Node modules | |
| run: ./scripts/ci/20_license-audit.sh | |
| - name: Check user permissions | |
| uses: actions-cool/check-user-permission@v2 | |
| id: check-permission | |
| - name: Set magic env if test-everything label is set | |
| if: ${{ contains(github.event.pull_request.labels.*.name, 'test everything') && steps.check-permission.outputs['user-permission'] == 'admin' }} | |
| run: | | |
| echo "AFFECTED_ALL=7913-$GITHUB_HEAD_REF" >> $GITHUB_ENV | |
| - name: Warn if user does not have the required permissions | |
| if: ${{ contains(github.event.pull_request.labels.*.name, 'test everything') && steps.check-permission.outputs['user-permission'] != 'admin' }} | |
| run: | | |
| echo "## WARN permissions" >> "$GITHUB_STEP_SUMMARY" | |
| echo "User $GITHUB_ACTOR does not have the required permissions to apply the 'test everything' label" >> "$GITHUB_STEP_SUMMARY" | |
| - name: Prepare lint targets | |
| id: lint_projects | |
| run: | | |
| CHUNKS=$(./scripts/ci/generate-chunks.sh lint) | |
| if [[ $CHUNKS != "[]" ]]; then | |
| echo "CHUNKS={\"projects\":$CHUNKS}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Prepare test targets | |
| id: test_projects | |
| run: | | |
| CHUNKS=$(./scripts/ci/generate-chunks.sh test) | |
| if [[ $CHUNKS != "[]" ]]; then | |
| echo "CHUNKS={\"projects\":$CHUNKS}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Prepare e2e targets | |
| id: e2e_projects | |
| env: | |
| CHUNK_SIZE: 1 | |
| run: | | |
| CHUNKS=$(./scripts/ci/generate-chunks.sh e2e-ci) | |
| if [[ $CHUNKS != "[]" ]]; then | |
| echo "CHUNKS={\"projects\":$CHUNKS}" >> $GITHUB_OUTPUT | |
| fi | |
| echo "BUILD_ID=$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-$(uuidgen)" >> $GITHUB_OUTPUT | |
| - name: Prepare build targets | |
| id: build_projects | |
| env: | |
| CHUNK_SIZE: 4 | |
| run: | | |
| CHUNKS=$(./scripts/ci/generate-chunks.sh build) | |
| if [[ $CHUNKS != "[]" ]]; then | |
| echo "CHUNKS={\"projects\":$CHUNKS}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Check release-manager approval | |
| id: check-release-manager-approval | |
| if: ${{ contains(github.event.pull_request.labels.*.name, 'automerge') && contains(github.event.pull_request.head.ref, '/pre-release/') }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| node -r esbuild-register .github/actions/check-team-approval.ts release-managers | |
| tests: | |
| needs: | |
| - prepare | |
| if: needs.prepare.outputs.TEST_CHUNKS | |
| runs-on: ec2-runners | |
| container: | |
| image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest | |
| timeout-minutes: 35 | |
| env: | |
| AFFECTED_PROJECTS: ${{ matrix.projects }} | |
| MAX_JOBS: 3 | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.prepare.outputs.TEST_CHUNKS) }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: 'package.json' | |
| - name: Setup yarn | |
| run: npm install -g yarn | |
| - name: Cache for NodeJS dependencies - host OS | |
| id: node-modules | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: node_modules | |
| key: ${{ needs.prepare.outputs.node-modules-hash }}-yarn | |
| - name: Check node-modules cache success | |
| run: '[[ "${{ steps.node-modules.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Cache for generated files | |
| id: generated-files-cache | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: generated_files.tar.gz | |
| key: ${{ needs.prepare.outputs.generated-files-cache-key }} | |
| - name: Check generated-files cache success | |
| run: '[[ "${{ steps.generated-files-cache.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Untar generated files | |
| run: tar zxvf generated_files.tar.gz | |
| - uses: ./.github/actions/unit-test | |
| with: | |
| dd-api-key: '${{ secrets.DD_API_KEY }}' | |
| codecov-token: ${{ secrets.CODECOV_TOKEN }} | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| docker-registry: 821090935708.dkr.ecr.eu-west-1.amazonaws.com/ | |
| e2e: | |
| needs: | |
| - prepare | |
| if: needs.prepare.outputs.E2E_CHUNKS | |
| runs-on: ec2-runners | |
| container: | |
| image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest | |
| timeout-minutes: 35 | |
| env: | |
| AFFECTED_PROJECT: ${{ matrix.projects }} | |
| CYPRESS_PROJECT_ID: 4q7jz8 | |
| CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} | |
| API_MOCKS: 'true' | |
| NODE_OPTIONS: --max-old-space-size=4096 | |
| E2E_BUILD_ID: '${{ needs.prepare.outputs.E2E_BUILD_ID }}-${{ github.run_attempt }}' | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.prepare.outputs.E2E_CHUNKS) }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: 'package.json' | |
| - name: Setup yarn | |
| run: npm install -g yarn | |
| - name: Cache for NodeJS dependencies - host OS | |
| id: node-modules | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: node_modules | |
| key: ${{ needs.prepare.outputs.node-modules-hash }}-yarn | |
| - name: Check node-modules cache success | |
| run: '[[ "${{ steps.node-modules.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Cache for cypress | |
| id: cypress | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: /github/home/.cache/Cypress | |
| key: cypress-cache-${{ needs.prepare.outputs.node-modules-hash }} | |
| - name: Check cypress cache success | |
| run: '[[ "${{ steps.cypress.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Cache for generated files | |
| id: generated-files-cache | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: generated_files.tar.gz | |
| key: ${{ needs.prepare.outputs.generated-files-cache-key }} | |
| - name: Check generated-files cache success | |
| run: '[[ "${{ steps.generated-files-cache.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Untar generated files | |
| run: tar zxvf generated_files.tar.gz | |
| - name: Running e2e tests | |
| run: ./scripts/ci/40_e2e.sh ${AFFECTED_PROJECT} | |
| linting-workspace: | |
| needs: | |
| - prepare | |
| runs-on: ec2-runners | |
| container: | |
| image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Cache for NodeJS dependencies - host OS | |
| id: node-modules | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: node_modules | |
| key: ${{ needs.prepare.outputs.node-modules-hash }}-yarn | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: 'package.json' | |
| - name: Setup yarn | |
| run: npm install -g yarn | |
| - name: Check node-modules cache success | |
| run: '[[ "${{ steps.node-modules.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Linting workspace | |
| run: ./scripts/ci/20_lint-workspace.sh | |
| run-shellcheck: | |
| needs: | |
| - prepare | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Run ShellCheck | |
| uses: ludeeus/action-shellcheck@2.0.0 | |
| with: | |
| ignore_paths: >- | |
| node_modules | |
| apps/native/app/android | |
| severity: warning | |
| formatting: | |
| needs: | |
| - prepare | |
| runs-on: ec2-runners | |
| container: | |
| image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| if: ${{ github.event_name == 'pull_request' }} | |
| with: | |
| token: ${{ secrets.DIRTY_FIX_BOT_TOKEN }} | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| - uses: actions/checkout@v3 | |
| if: ${{ github.ref == 'ref/heads/main' }} | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: 'package.json' | |
| - name: Setup yarn | |
| run: npm install -g yarn | |
| - name: Cache for NodeJS dependencies - host OS | |
| id: node-modules | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: node_modules | |
| key: ${{ needs.prepare.outputs.node-modules-hash }}-yarn | |
| - name: Check node-modules cache success | |
| run: '[[ "${{ steps.node-modules.outputs.success }}" != "false" ]] || exit 1' | |
| - name: NX format:check | |
| if: ${{ github.ref == 'ref/heads/main' }} | |
| run: ./scripts/ci/20_check-formatting.sh "check" | |
| - name: NX format:write | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: | | |
| ./scripts/ci/20_check-formatting.sh "write" | |
| ./infra/scripts/ci/git-check-dirty.sh "/" "nx format:write" "dirtybot" | |
| linting: | |
| needs: | |
| - prepare | |
| runs-on: ec2-runners | |
| container: | |
| image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest | |
| timeout-minutes: 35 | |
| if: needs.prepare.outputs.LINT_CHUNKS | |
| env: | |
| AFFECTED_PROJECTS: ${{ matrix.projects }} | |
| NODE_OPTIONS: --max-old-space-size=4096 | |
| MAX_JOBS: 3 | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.prepare.outputs.LINT_CHUNKS) }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: 'package.json' | |
| - name: Setup yarn | |
| run: npm install -g yarn | |
| - name: Cache for NodeJS dependencies - host OS | |
| id: node-modules | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: node_modules | |
| key: ${{ needs.prepare.outputs.node-modules-hash }}-yarn | |
| - name: Check node-modules cache success | |
| run: '[[ "${{ steps.node-modules.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Cache for generated files | |
| id: generated-files-cache | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: generated_files.tar.gz | |
| key: ${{ needs.prepare.outputs.generated-files-cache-key }} | |
| - name: Check generated-files cache success | |
| run: '[[ "${{ steps.generated-files-cache.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Untar generated files | |
| run: tar zxvf generated_files.tar.gz | |
| - name: Linting | |
| run: ./scripts/ci/run-in-parallel-native.sh lint | |
| build: | |
| needs: | |
| - prepare | |
| runs-on: ec2-runners | |
| container: | |
| image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest | |
| timeout-minutes: 35 | |
| env: | |
| AFFECTED_PROJECTS: ${{ matrix.projects }} | |
| MAX_JOBS: 2 | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.prepare.outputs.BUILD_CHUNKS) }} | |
| if: needs.prepare.outputs.BUILD_CHUNKS | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: 'package.json' | |
| - name: Setup yarn | |
| run: npm install -g yarn | |
| - name: Cache for NodeJS dependencies - host OS | |
| id: node-modules | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: node_modules | |
| key: ${{ needs.prepare.outputs.node-modules-hash }}-yarn | |
| - name: Check node-modules cache success | |
| run: '[[ "${{ steps.node-modules.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Cache for generated files | |
| id: generated-files-cache | |
| continue-on-error: true | |
| uses: ./.github/actions/cache | |
| with: | |
| path: generated_files.tar.gz | |
| key: ${{ needs.prepare.outputs.generated-files-cache-key }} | |
| - name: Check generated-files cache success | |
| run: '[[ "${{ steps.generated-files-cache.outputs.success }}" != "false" ]] || exit 1' | |
| - name: Untar generated files | |
| run: tar zxvf generated_files.tar.gz | |
| - name: Building | |
| run: ./scripts/ci/run-in-parallel-native.sh build | |
| success: | |
| runs-on: ec2-runners | |
| container: | |
| image: public.ecr.aws/m3u4c4h9/island-is/actions-runner-public:latest | |
| if: always() | |
| needs: | |
| - prepare | |
| - linting-workspace | |
| - tests | |
| - linting | |
| - run-shellcheck | |
| - formatting | |
| - e2e | |
| - build | |
| steps: | |
| - name: Check prepare success | |
| run: '[[ ${{ needs.prepare.result }} == "success" ]] || exit 1' | |
| - name: Check tests success | |
| run: '[[ ${{ needs.tests.result }} != "failure" ]] || exit 1' | |
| - name: Check e2e success | |
| run: '[[ ${{ needs.e2e.result }} != "failure" ]] || exit 1' | |
| - name: Check linting success | |
| run: '[[ ${{ needs.linting.result }} != "failure" ]] || exit 1' | |
| - name: Check run-shellcheck success | |
| run: '[[ ${{ needs.run-shellcheck.result }} != "failure" ]] || exit 1' | |
| - name: Check formatting success | |
| run: '[[ ${{ needs.formatting.result }} != "failure" ]] || exit 1' | |
| - name: Check build success | |
| run: '[[ ${{ needs.build.result }} != "failure" ]] || exit 1' | |
| - name: Announce success | |
| run: echo "Build is successful" |