Resolves all 30 zizmor alerts reported on main after #11607: - template-injection (19): move `${{ ... }}` interpolations in `run:` blocks to `env:` so untrusted-ish values (workflow_dispatch inputs, github.ref_name, github.actor) can't break out of shell quoting. - artipacked (8): add `persist-credentials: false` to `actions/checkout` in audit, benchmark, ci, codeql-analysis, docker, release, test workflows. `update-lockfile.yml` keeps the persisted token (later step pushes to a branch) with a `zizmor: ignore[artipacked]` comment and justification. - dependabot-cooldown (1): add a 7-day cooldown so brand-new (potentially malicious) Actions releases don't get auto-PR'd day-of-release. - ref-version-mismatch (1): `bluwy/release-for-reddit-action` SHA pointed at the `v2` tag, not a non-existent `v2.0.0`. Fix the comment. - superfluous-actions (1): mark `softprops/action-gh-release` with a `zizmor: ignore` and justification — the release pipeline is sensitive and the action is battle-tested; we're not swapping it for `gh release` here. Verified locally with `zizmor --persona regular .github` (online audits on): No findings to report. Good job! (2 ignored, 32 suppressed) --- Written by an agent (Claude Code, claude-opus-4-7).
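# Reusable test job, invoked from other workflows through `workflow_call`.
# Inputs:
#   node     - Node.js version to install and test against (string)
#   platform - runner label, passed straight through to `runs-on`
name: Test (reusable)

on:
  workflow_call:
    inputs:
      node:
        required: true
        type: string
      platform:
        required: true
        type: string

# Least privilege: this job only reads the repository. Nothing below pushes,
# publishes or comments, so no write scope is granted.
permissions:
  contents: read

jobs:
  test:
    name: Test
    # One in-flight run per (workflow, ref, platform, node); a newer run for
    # the same key cancels the older one.
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ inputs.platform }}-${{ inputs.node }}
      cancel-in-progress: true

    runs-on: ${{ inputs.platform }}

    steps:
      - name: Configure Git
        run: |
          git config --global core.autocrlf false
          git config --global user.name "xyz"
          git config --global user.email "x@y.z"
      - name: Checkout Commit
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # The checkout token is not needed by later steps; do not leave it in
          # .git/config where the test suite or a compromised dependency could
          # read it.
          persist-credentials: false
      - name: Install pnpm and Node
        # TODO(review): add the tag this SHA corresponds to as a trailing
        # comment, like the other pinned actions, so the pin stays trackable.
        uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
        with:
          runtime: node@${{ inputs.node }}
      - name: Verify Node version
        shell: bash
        # The input is handed over via env instead of being interpolated into
        # the script, so its value can never change the shell command itself.
        env:
          NODE_VERSION: ${{ inputs.node }}
        run: |
          actual=$(pn node -v)
          expected="v${NODE_VERSION}"
          if [ "$actual" != "$expected" ]; then
            echo "Expected Node version $expected but got $actual"
            exit 1
          fi
      # npm is needed for preparing git-hosted dependencies (e.g. in dlx tests).
      # `pnpm runtime set node` does not extract npm; the runner image's
      # pre-installed Node toolchain provides it on PATH.
      - name: Verify npm
        run: npm --version
      - name: Download compiled artifacts
        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
        with:
          name: compiled-packages
      - name: Extract compiled artifacts
        run: tar -xzf compiled.tar.gz
      - name: Determine test scope
        id: test-scope
        shell: bash
        env:
          # Branch names are contributor-controlled; keeping ref_name in env
          # means it is only ever compared, never re-parsed as shell syntax.
          REF_NAME: ${{ github.ref_name }}
        # The checkout is shallow, so `main` is fetched explicitly before the
        # diff that decides whether the whole suite must run.
        run: |
          if [[ "$REF_NAME" == "main" || "$REF_NAME" == "chore/update-lockfile" || "$REF_NAME" == release/* ]]; then
            echo "script=ci:test-all" >> "$GITHUB_OUTPUT"
            echo "scope=all" >> "$GITHUB_OUTPUT"
          else
            git remote set-branches --add origin main && git fetch origin main --depth=1
            if [ -n "$(git diff --name-only origin/main HEAD -- pnpm-workspace.yaml)" ]; then
              echo "script=ci:test-all" >> "$GITHUB_OUTPUT"
              echo "scope=all — pnpm-workspace.yaml modified" >> "$GITHUB_OUTPUT"
            else
              echo "script=ci:test-branch" >> "$GITHUB_OUTPUT"
              echo "scope=affected packages" >> "$GITHUB_OUTPUT"
            fi
          fi
      - name: Run tests (${{ steps.test-scope.outputs.scope }})
        timeout-minutes: 70
        # `"$TEST_SCRIPT"` is POSIX shell syntax. Without an explicit shell a
        # Windows runner executes this line in pwsh, where `$TEST_SCRIPT` is an
        # unset PowerShell variable (env vars are `$env:NAME` there) and the
        # command degrades to `pn run ""`. Pin bash like the other steps that
        # read env vars.
        shell: bash
        env:
          # Quoted so the value is always the string "3"; GitHub stringifies
          # env values anyway, this just keeps YAML tooling from retyping it.
          PNPM_WORKERS: "3"
          TEST_SCRIPT: ${{ steps.test-scope.outputs.script }}
        run: pn run "$TEST_SCRIPT"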