From 82345ff1db90a1db694af4167706b064b7ef268a Mon Sep 17 00:00:00 2001
From: leafkevin
Date: Sat, 10 May 2025 18:34:23 +0800
Subject: [PATCH] update
---
 .github/dependabot.yml | 20 ++
 .github/workflows/check-dist.yml | 51 +++
 .github/workflows/codeql-analysis.yml | 58 +++
 .github/workflows/licensed.yml | 14 +
 .../workflows/publish-immutable-actions.yml | 20 ++
 .github/workflows/test.yml | 331 ++++++++++++++++++
 .github/workflows/update-main-version.yml | 35 ++
 .github/workflows/update-test-ubuntu-git.yml | 59 ++++
 8 files changed, 588 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/check-dist.yml
 create mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/licensed.yml
 create mode 100644 .github/workflows/publish-immutable-actions.yml
 create mode 100644 .github/workflows/test.yml
 create mode 100644 .github/workflows/update-main-version.yml
 create mode 100644 .github/workflows/update-test-ubuntu-git.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..4f6427b
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,20 @@
+---
+version: 2
+
+updates:
+- package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ groups:
+ minor-npm-dependencies:
+ # NPM: Only group minor and patch updates (we want to carefully review major updates)
+ update-types: [minor, patch]
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ groups:
+ minor-actions-dependencies:
+ # GitHub Actions: Only group minor and patch updates (we want to carefully review major updates)
+ update-types: [minor, patch]
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
new file mode 100644
index 0000000..53902ee
--- /dev/null
+++ b/.github/workflows/check-dist.yml
@@ -0,0 +1,51 @@
+# `dist/index.js` is a special file in Actions.
+# When you reference an action with `uses:` in a workflow,
+# `index.js` is the code that will run.
+# For our project, we generate this file through a build process
+# from other source files.
+# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
+name: Check dist
+
+on:
+ push:
+ branches:
+ - main
+ paths-ignore:
+ - '**.md'
+ pull_request:
+ paths-ignore:
+ - '**.md'
+ workflow_dispatch:
+
+jobs:
+ check-dist:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4.1.6
+
+ - name: Set Node.js 20.x
+ uses: actions/setup-node@v4
+ with:
+ node-version: 20.x
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Rebuild the index.js file
+ run: npm run build
+
+ - name: Compare the expected and actual dist/ directories
+ run: |
+ if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
+ echo "Detected uncommitted changes after build. See status below:"
+ git diff
+ exit 1
+ fi
+
+ # If dist/ was different than expected, upload the expected version as an artifact
+ - uses: actions/upload-artifact@v4
+ if: ${{ failure() && steps.diff.conclusion == 'failure' }}
+ with:
+ name: dist
+ path: dist/
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000..778d474
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
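Review bot: The upload step's condition `steps.diff.conclusion == 'failure'` refers to a step id `diff` that no step in this hunk declares, so the condition can never be true and the rebuilt `dist/` is never uploaded when the comparison fails. Add `id: diff` to the "Compare the expected and actual dist/ directories" step. Separately, this workflow declares no `permissions:` block (the same holds for licensed.yml and test.yml in this patch), so its jobs run with the repository's default `GITHUB_TOKEN` scope; a top-level `permissions:` with `contents: read` looks sufficient for what these jobs do.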
@@ -0,0 +1,58 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ main ]
+ schedule:
+ - cron: '28 9 * * 0'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'javascript' ]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+ # Learn more:
+ # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4.1.6
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ - run: npm ci
+ - run: npm run build
+ - run: rm -rf dist # We want code scanning to analyze lib instead (individual .js files)
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/licensed.yml b/.github/workflows/licensed.yml
new file mode 100644
index 0000000..1f71aa7
--- /dev/null
+++ b/.github/workflows/licensed.yml
@@ -0,0 +1,14 @@
+name: Licensed
+
+on:
+ push: {branches: main}
+ pull_request: {branches: main}
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ name: Check licenses
+ steps:
+ - uses: actions/checkout@v4.1.6
+ - run: npm ci
+ - run: npm run licensed-check
\ No newline at end of file
diff --git a/.github/workflows/publish-immutable-actions.yml b/.github/workflows/publish-immutable-actions.yml
new file mode 100644
index 0000000..87c0207
--- /dev/null
+++ b/.github/workflows/publish-immutable-actions.yml
@@ -0,0 +1,20 @@
+name: 'Publish Immutable Action Version'
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ packages: write
+
+ steps:
+ - name: Checking out
+ uses: actions/checkout@v4
+ - name: Publish
+ id: publish
+ uses: actions/publish-immutable-action@0.0.3
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..cde9f06
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,331 @@
+name: Build and Test
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - releases/*
+
+
+# Note that when you see patterns like "ref: test-data/v2/basic" within this workflow,
+# these refer to "test-data" branches on this actions/checkout repo.
+# (For example, test-data/v2/basic -> https://github.com/actions/checkout/tree/test-data/v2/basic)
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20.x
+ - uses: actions/checkout@v4.1.6
+ - run: npm ci
+ - run: npm run build
+ - run: npm run format-check
+ - run: npm run lint
+ - run: npm test
+ - name: Verify no unstaged changes
+ run: __test__/verify-no-unstaged-changes.sh
+
+ test:
+ strategy:
+ matrix:
+ runs-on: [ubuntu-latest, macos-latest, windows-latest]
+ runs-on: ${{ matrix.runs-on }}
+
+ steps:
+ # Clone this repo
+ - name: Checkout
+ uses: actions/checkout@v4.1.6
+
+ # Basic checkout
+ - name: Checkout basic
+ uses: ./
+ with:
+ ref: test-data/v2/basic
+ path: basic
+ - name: Verify basic
+ shell: bash
+ run: __test__/verify-basic.sh
+
+ # Clean
+ - name: Modify work tree
+ shell: bash
+ run: __test__/modify-work-tree.sh
+ - name: Checkout clean
+ uses: ./
+ with:
+ ref: test-data/v2/basic
+ path: basic
+ - name: Verify clean
+ shell: bash
+ run: __test__/verify-clean.sh
+
+ # Side by side
+ - name: Checkout side by side 1
+ uses: ./
+ with:
+ ref: test-data/v2/side-by-side-1
+ path: side-by-side-1
+ - name: Checkout side by side 2
+ uses: ./
+ with:
+ ref: test-data/v2/side-by-side-2
+ path: side-by-side-2
+ - name: Verify side by side
+ shell: bash
+ run: __test__/verify-side-by-side.sh
+
+ # Filter
+ - name: Fetch filter
+ uses: ./
+ with:
+ filter: 'blob:none'
+ path: fetch-filter
+
+ - name: Verify fetch filter
+ run: __test__/verify-fetch-filter.sh
+
+ # Sparse checkout
+ - name: Sparse checkout
+ uses: ./
+ with:
+ sparse-checkout: |
+ __test__
+ .github
+ dist
+ path: sparse-checkout
+
+ - name: Verify sparse checkout
+ run: __test__/verify-sparse-checkout.sh
+
+ # Disabled sparse checkout in existing checkout
+ - name: Disabled sparse checkout
+ uses: ./
+ with:
+ path: sparse-checkout
+
+ - name: Verify disabled sparse checkout
+ shell: bash
+ run: set -x && ls -l sparse-checkout/src/git-command-manager.ts
+
+ # Sparse checkout (non-cone mode)
+ - name: Sparse checkout (non-cone mode)
+ uses: ./
+ with:
+ sparse-checkout: |
+ /__test__/
+ /.github/
+ /dist/
+ sparse-checkout-cone-mode: false
+ path: sparse-checkout-non-cone-mode
+
+ - name: Verify sparse checkout (non-cone mode)
+ run: __test__/verify-sparse-checkout-non-cone-mode.sh
+
+ # LFS
+ - name: Checkout LFS
+ uses: ./
+ with:
+ repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
+ ref: test-data/v2/lfs
+ path: lfs
+ lfs: true
+ - name: Verify LFS
+ shell: bash
+ run: __test__/verify-lfs.sh
+
+ # Submodules false
+ - name: Checkout submodules false
+ uses: ./
+ with:
+ ref: test-data/v2/submodule-ssh-url
+ path: submodules-false
+ - name: Verify submodules false
+ run: __test__/verify-submodules-false.sh
+
+ # Submodules one level
+ - name: Checkout submodules true
+ uses: ./
+ with:
+ ref: test-data/v2/submodule-ssh-url
+ path: submodules-true
+ submodules: true
+ - name: Verify submodules true
+ run: __test__/verify-submodules-true.sh
+
+ # Submodules recursive
+ - name: Checkout submodules recursive
+ uses: ./
+ with:
+ ref: test-data/v2/submodule-ssh-url
+ path: submodules-recursive
+ submodules: recursive
+ - name: Verify submodules recursive
+ run: __test__/verify-submodules-recursive.sh
+
+ # Basic checkout using REST API
+ - name: Remove basic
+ if: runner.os != 'windows'
+ run: rm -rf basic
+ - name: Remove basic (Windows)
+ if: runner.os == 'windows'
+ shell: cmd
+ run: rmdir /s /q basic
+ - name: Override git version
+ if: runner.os != 'windows'
+ run: __test__/override-git-version.sh
+ - name: Override git version (Windows)
+ if: runner.os == 'windows'
+ run: __test__\\override-git-version.cmd
+ - name: Checkout basic using REST API
+ uses: ./
+ with:
+ ref: test-data/v2/basic
+ path: basic
+ - name: Verify basic
+ run: __test__/verify-basic.sh --archive
+
+ test-proxy:
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/actions/test-ubuntu-git:main.20240221.114913.703z
+ options: --dns 127.0.0.1
+ services:
+ squid-proxy:
+ image: ubuntu/squid:latest
+ ports:
+ - 3128:3128
+ env:
+ https_proxy: http://squid-proxy:3128
+ steps:
+ # Clone this repo
+ - name: Checkout
+ uses: actions/checkout@v4.1.6
+
+ # Basic checkout using git
+ - name: Checkout basic
+ uses: ./
+ with:
+ ref: test-data/v2/basic
+ path: basic
+ - name: Verify basic
+ run: __test__/verify-basic.sh
+
+ # Basic checkout using REST API
+ - name: Remove basic
+ run: rm -rf basic
+ - name: Override git version
+ run: __test__/override-git-version.sh
+ - name: Basic checkout using REST API
+ uses: ./
+ with:
+ ref: test-data/v2/basic
+ path: basic
+ - name: Verify basic
+ run: __test__/verify-basic.sh --archive
+
+ test-bypass-proxy:
+ runs-on: ubuntu-latest
+ env:
+ https_proxy: http://no-such-proxy:3128
+ no_proxy: api.github.com,github.com
+ steps:
+ # Clone this repo
+ - name: Checkout
+ uses: actions/checkout@v4.1.6
+
+ # Basic checkout using git
+ - name: Checkout basic
+ uses: ./
+ with:
+ ref: test-data/v2/basic
+ path: basic
+ - name: Verify basic
+ run: __test__/verify-basic.sh
+ - name: Remove basic
+ run: rm -rf basic
+
+ # Basic checkout using REST API
+ - name: Override git version
+ run: __test__/override-git-version.sh
+ - name: Checkout basic using REST API
+ uses: ./
+ with:
+ ref: test-data/v2/basic
+ path: basic
+ - name: Verify basic
+ run: __test__/verify-basic.sh --archive
+
+ test-git-container:
+ runs-on: ubuntu-latest
+ container: bitnami/git:latest
+ steps:
+ # Clone this repo
+ - name: Checkout
+ uses: actions/checkout@v4.1.6
+ with:
+ path: localClone
+
+ # Basic checkout using git
+ - name: Checkout basic
+ uses: ./localClone
+ with:
+ ref: test-data/v2/basic
+ - name: Verify basic
+ run: |
+ if [ ! -f "./basic-file.txt" ]; then
+ echo "Expected basic file does not exist"
+ exit 1
+ fi
+
+ # Verify .git folder
+ if [ ! -d "./.git" ]; then
+ echo "Expected ./.git folder to exist"
+ exit 1
+ fi
+
+ # Verify auth token
+ git config --global --add safe.directory "*"
+ git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
+
+ # needed to make checkout post cleanup succeed
+ - name: Fix Checkout v4
+ uses: actions/checkout@v4.1.6
+ with:
+ path: localClone
+
+ test-output:
+ runs-on: ubuntu-latest
+ steps:
+ # Clone this repo
+ - name: Checkout
+ uses: actions/checkout@v4.1.6
+
+ # Basic checkout using git
+ - name: Checkout basic
+ id: checkout
+ uses: ./
+ with:
+ ref: test-data/v2/basic
+
+ # Verify output
+ - name: Verify output
+ run: |
+ echo "Commit: ${{ steps.checkout.outputs.commit }}"
+ echo "Ref: ${{ steps.checkout.outputs.ref }}"
+
+ if [ "${{ steps.checkout.outputs.ref }}" != "test-data/v2/basic" ]; then
+ echo "Expected ref to be test-data/v2/basic"
+ exit 1
+ fi
+
+ if [ "${{ steps.checkout.outputs.commit }}" != "82f71901cf8c021332310dcc8cdba84c4193ff5d" ]; then
+ echo "Expected commit to be 82f71901cf8c021332310dcc8cdba84c4193ff5d"
+ exit 1
+ fi
+
+ # needed to make checkout post cleanup succeed
+ - name: Fix Checkout
+ uses: actions/checkout@v4.1.6
diff --git a/.github/workflows/update-main-version.yml b/.github/workflows/update-main-version.yml
new file mode 100644
index 0000000..7bec7d5
--- /dev/null
+++ b/.github/workflows/update-main-version.yml
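Review bot: The `test-proxy` service image `ubuntu/squid:latest` and the `test-git-container` job container `bitnami/git:latest` are floating tags, so the environment these jobs run in can change between runs without any change to this file, and the checkout steps in `test-git-container` execute inside that image. The `test-ubuntu-git` image in the same workflow is already pinned to a dated tag; pinning the other two by digest (`image: ubuntu/squid@sha256:<digest>`, `container: bitnami/git@sha256:<digest>`) would make them reproducible as well. In the `test-output` job, `${{ steps.checkout.outputs.ref }}` and `${{ steps.checkout.outputs.commit }}` are expanded into the script text before the shell runs; passing them through the step's `env:` and comparing `"$REF"` and `"$COMMIT"` keeps the values out of the script source.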
@@ -0,0 +1,35 @@
+name: Update Main Version
+run-name: Move ${{ github.event.inputs.major_version }} to ${{ github.event.inputs.target }}
+
+on:
+ workflow_dispatch:
+ inputs:
+ target:
+ description: The tag or reference to use
+ required: true
+ major_version:
+ type: choice
+ description: The major version to update
+ options:
+ - v4
+ - v3
+ - v2
+
+jobs:
+ tag:
+ runs-on: ubuntu-latest
+ steps:
+ # Note this update workflow can also be used as a rollback tool.
+ # For that reason, it's best to pin `actions/checkout` to a known, stable version
+ # (typically, about two releases back).
+ - uses: actions/checkout@v4.1.6
+ with:
+ fetch-depth: 0
+ - name: Git config
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ - name: Tag new target
+ run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }}
+ - name: Push new tag
+ run: git push origin ${{ github.event.inputs.major_version }} --force
diff --git a/.github/workflows/update-test-ubuntu-git.yml b/.github/workflows/update-test-ubuntu-git.yml
new file mode 100644
index 0000000..5c252b9
--- /dev/null
+++ b/.github/workflows/update-test-ubuntu-git.yml
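Review bot: The "Tag new target" and "Push new tag" steps expand `${{ github.event.inputs.target }}` and `${{ github.event.inputs.major_version }}` directly into the `run:` script, so the free-form `target` input becomes shell source text in a job that force-pushes tags. Passing both inputs through `env:` and quoting the variables, as in the excerpt below, makes the shell treat them as data. The job also relies on the repository's default token scope to push; an explicit `permissions:` block with `contents: write` would state that requirement and nothing more.

```yaml
# … unchanged: checkout with fetch-depth 0, git config …
- name: Tag new target
  env:
    MAJOR_VERSION: ${{ github.event.inputs.major_version }}
    TARGET: ${{ github.event.inputs.target }}
  run: git tag -f "$MAJOR_VERSION" "$TARGET"
- name: Push new tag
  env:
    MAJOR_VERSION: ${{ github.event.inputs.major_version }}
  run: git push origin "$MAJOR_VERSION" --force
```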
@@ -0,0 +1,59 @@
+name: Publish test-ubuntu-git Container
+
+on:
+ # Use an on demand workflow trigger.
+ # (Forked copies of actions/checkout won't have permission to update GHCR.io/actions,
+ # so avoid trigger events that run automatically.)
+ workflow_dispatch:
+ inputs:
+ publish:
+ description: 'Publish to ghcr.io? (main branch only)'
+ type: boolean
+ required: true
+ default: false
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: actions/test-ubuntu-git
+
+jobs:
+ build-and-push-image:
+ runs-on: ubuntu-latest
+ # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Use `docker/login-action` to log in to GHCR.io.
+ # Once published, the packages are scoped to the account defined here.
+ - name: Log in to the ghcr.io container registry
+ uses: docker/login-action@v3.3.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Format Timestamp
+ id: timestamp
+ # Use `date` with a custom format to achieve the key=value format GITHUB_OUTPUT expects.
+ run: date -u "+now=%Y%m%d.%H%M%S.%3NZ" >> "$GITHUB_OUTPUT"
+
+ - name: Issue Image Publish Warning
+ if: ${{ inputs.publish && github.ref_name != 'main' }}
+ run: echo "::warning::test-ubuntu-git images can only be published from the actions/checkout 'main' branch. Workflow will continue with push/publish disabled."
+
+ # Use `docker/build-push-action` to build (and optionally publish) the image.
+ - name: Build Docker Image (with optional Push)
+ uses: docker/build-push-action@v6.5.0
+ with:
+ context: .
+ file: images/test-ubuntu-git.Dockerfile
+ # For now, attempts to push to ghcr.io must target the `main` branch.
+ # In the future, consider also allowing attempts from `releases/*` branches.
+ push: ${{ inputs.publish && github.ref_name == 'main' }}
+ tags: |
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}.${{ steps.timestamp.outputs.now }}
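Review bot: The publish gate `github.ref_name == 'main'` on the `push:` input compares the short ref name, which is the same string for a branch and for a tag called `main`, so the "main branch only" rule stated in the comments is not exactly what the expression checks. Comparing the full ref, `push: ${{ inputs.publish && github.ref == 'refs/heads/main' }}`, ties the gate to the branch. The "Issue Image Publish Warning" step's `if:` should mirror it with `github.ref != 'refs/heads/main'` so the warning and the gate stay in agreement.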