ci: reduce the permissions for github actions jobs #49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tests | |
on: | |
pull_request_target: | |
push: | |
branches: | |
- main | |
workflow_dispatch: | |
jobs: | |
tests: | |
name: Run tests | |
runs-on: ubuntu-latest | |
environment: staging | |
permissions: | |
checks: write | |
steps: | |
- name: "build: checkout the latest changes" | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: "build: setup the node runtime" | |
uses: actions/setup-node@v4 | |
with: | |
cache: npm | |
cache-dependency-path: package-lock.json | |
node-version-file: .nvmrc | |
- name: "build: install the required dependencies" | |
run: npm ci | |
- name: "unit(test): perform lints and formatting checks" | |
run: npm run lint | |
- name: "unit(test): perform check of typings" | |
run: npm run check | |
- name: "unit(test): perform unit test checks" | |
run: npm test | |
- name: "unit(test): upload coverage to CodeCov" | |
uses: codecov/[email protected] | |
with: | |
directory: ./coverage | |
token: ${{ secrets.CODECOV_TOKEN }} | |
- name: "build: package code for distribution" | |
run: npm run build | |
- name: "pretest(inputs): save the push event trigger commit URL" | |
if: "contains(github.event_name, 'push')" | |
run: | | |
url=${{ github.event.head_commit.url }} | |
echo "EVENT_URL=$url" >> "$GITHUB_ENV" | |
- name: "pretest(inputs): save the pull request event trigger commit URL" | |
if: "contains(github.event_name, 'pull_request')" | |
run: | | |
url=${{ github.event.pull_request.html_url }} | |
echo "EVENT_URL=$url" >> "$GITHUB_ENV" | |
- name: "integration(wfb): send a payload to workflow builder via webhook trigger" | |
id: wfb | |
uses: ./ | |
with: | |
errors: true | |
webhook: ${{ secrets.SLACK_WEBHOOK_TRIGGER }} | |
webhook-type: webhook-trigger | |
payload: | | |
author: ${{ github.event.sender.login }} | |
channel_id: ${{ secrets.SLACK_CHANNEL_ID }} | |
event_url: ${{ env.EVENT_URL}} | |
repo_name: ${{ github.event.repository.full_name }} | |
status: ${{ job.status }} | |
- name: "integration(wfb): confirm a payload was sent" | |
run: test -n "${{ steps.wfb.outputs.time }}" | |
- name: "integration(botToken): post a message to channel" | |
id: message | |
uses: ./ | |
with: | |
errors: true | |
method: chat.postMessage | |
token: ${{ secrets.SLACK_BOT_TOKEN }} | |
payload: | | |
channel: ${{ secrets.SLACK_CHANNEL_ID }} | |
text: ":checkered_flag: Action happens at <https://github.com/${{ github.repository }}>" | |
- name: "integration(method): confirm a message was posted" | |
run: test -n "${{ steps.message.outputs.ts }}" | |
- name: "integration(method): post a message with blocks" | |
id: blocks | |
uses: ./ | |
with: | |
errors: true | |
method: chat.postMessage | |
token: ${{ secrets.SLACK_BOT_TOKEN }} | |
payload: | | |
channel: ${{ secrets.SLACK_CHANNEL_ID }} | |
text: ":eyes: Event received..." | |
attachments: | |
- color: "dbab09" | |
fields: | |
- title: "Status" | |
short: true | |
value: "Processing" | |
- name: "integration(method): confirm the blocks were posted" | |
run: test -n "${{ steps.blocks.outputs.ts }}" | |
- name: "integration(method): post a threaded message" | |
id: timer | |
uses: ./ | |
with: | |
errors: true | |
method: chat.postMessage | |
token: ${{ secrets.SLACK_BOT_TOKEN }} | |
payload: | | |
channel: ${{ secrets.SLACK_CHANNEL_ID }} | |
text: "Started at `${{ steps.blocks.outputs.time }}`" | |
thread_ts: "${{ steps.blocks.outputs.ts }}" | |
- name: "integration(incoming): confirm the thread started" | |
run: test -n "${{ steps.timer.outputs.time }}" | |
- name: "integration(method): wait to mock event processing" | |
run: sleep 3 | |
- name: "integration(method): update the original message" | |
id: finished | |
uses: ./ | |
with: | |
errors: true | |
method: chat.update | |
token: ${{ secrets.SLACK_BOT_TOKEN }} | |
payload: | | |
channel: ${{ secrets.SLACK_CHANNEL_ID }} | |
ts: "${{ steps.blocks.outputs.ts }}" | |
text: ":gear: Event processed!" | |
attachments: | |
- color: "28a745" | |
fields: | |
- title: "Status" | |
short: true | |
value: "Completed" | |
- name: "integration(method): post another threaded message" | |
id: done | |
uses: ./ | |
with: | |
errors: true | |
method: chat.postMessage | |
token: ${{ secrets.SLACK_BOT_TOKEN }} | |
payload: | | |
channel: ${{ steps.blocks.outputs.channel_id }} | |
text: "Finished at `${{ steps.finished.outputs.time }}`" | |
thread_ts: "${{ steps.timer.outputs.thread_ts }}" | |
- name: "integration(method): post a file into a channel" | |
id: file | |
uses: ./ | |
with: | |
errors: true | |
method: files.uploadV2 | |
token: ${{ secrets.SLACK_BOT_TOKEN }} | |
payload: | | |
channel_id: ${{ secrets.SLACK_CHANNEL_ID }} | |
initial_comment: ":robot_face: The codes exists here" | |
file: .github/workflows/test.yml | |
filename: action.yml | |
- name: "integration(method): react to the completed update message" | |
uses: ./ | |
with: | |
errors: true | |
method: reactions.add | |
token: ${{ secrets.SLACK_BOT_TOKEN }} | |
payload: | | |
channel: ${{ secrets.SLACK_CHANNEL_ID }} | |
timestamp: ${{ steps.blocks.outputs.ts }} | |
name: "tada" | |
- name: "integration(method): confirm the thread ended" | |
run: test -n "${{ steps.done.outputs.time }}" | |
- name: "integration(incoming): post a message via incoming webhook" | |
id: incoming | |
uses: ./ | |
with: | |
errors: true | |
webhook: ${{ secrets.SLACK_INCOMING_WEBHOOK }} | |
webhook-type: incoming-webhook | |
payload: | | |
text: "Incoming webhook test for slack send" | |
blocks: | |
- type: section | |
text: | |
type: plain_text | |
text: ":link: A message was received via incoming webhook" | |
emoji: true | |
- name: "integration(incoming): confirm a webhook was posted" | |
run: test -n "${{ steps.incoming.outputs.time }}" | |
- name: "integration(incoming): reveal contents of the github payload" | |
run: echo $JSON | |
env: | |
JSON: ${{ toJSON(github) }} | |
- name: "integration(incoming): post a message via payload file" | |
id: payload_file | |
uses: ./ | |
with: | |
errors: true | |
payload-file-path: ./.github/resources/.slack/incoming-webhook.json | |
payload-templated: true | |
webhook: ${{ secrets.SLACK_INCOMING_WEBHOOK }} | |
webhook-type: incoming-webhook | |
env: | |
JOB_STATUS: ${{ job.status }} | |
ATTACHMENT_COLOR: ${{ (job.status == 'success' && 'good') || (job.status == 'failure' && 'danger') || 'warning' }} | |
- name: "integration(incoming): confirm a payload file was posted" | |
run: test -n "${{ steps.payload_file.outputs.time }}" | |
- name: "chore(health): check up on recent changes to the health score" | |
uses: slackapi/[email protected] | |
with: | |
codecov_token: ${{ secrets.CODECOV_API_TOKEN }} | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
extension: js | |
include: src |