standardised workflows (#1400)

* standardised workflows * package-lock.json updates for build errors
MetaMask · Jul 15, 2024 · 0040a5b · 0040a5b
1 parent 945203e
commit 0040a5b
Show file tree

Hide file tree

Showing 8 changed files with 166 additions and 50 deletions.
diff --git a/.github/workflows/build-lint.yml → .github/workflows/build.yml b/.github/workflows/build-lint.yml → .github/workflows/build.yml
@@ -1,4 +1,5 @@
-name: Build and lint
+---
+name: Build
 
 on:
   workflow_call:
@@ -12,31 +13,17 @@ env:
   SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_KEY }}
   LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }}
 
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
-    needs:
-      - prepare
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Build
         uses: ConsenSys/docs-gha/build@main
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-    needs:
-      - prepare
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Lint
-        uses: ConsenSys/docs-gha/lint@main
-        with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
diff --git a/.github/workflows/case.yml b/.github/workflows/case.yml
@@ -0,0 +1,34 @@
+---
+name: Check file name case
+
+on:
+  workflow_call:
+  secrets:
+    SEGMENT_ANALYTICS_KEY:
+      required: true
+    LD_CLIENT_ID:
+      required: true
+
+env:
+  SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_KEY }}
+  LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }}
+
+
+jobs:
+  case:
+    name: Check for case being inconsistent
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        folder: ["docs"]
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Case check action
+        uses: ConsenSys/docs-gha/case@main
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DOC_DIR: ${{ matrix.folder }}
+          SKIP_TEST: true
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
@@ -0,0 +1,11 @@
+name: 'Dependency Review'
+
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+    assignees:
+      - "protocol-galileo"      
diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
@@ -0,0 +1,24 @@
+---
+name: Check file name case
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  case:
+    name: Check for licences not being allowed
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        folder: ["docs"]
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Dependency review
+        uses: ConsenSys/docs-gha/dependency-review@main
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,42 @@
+---
+name: Check for lint, spelling and link errors
+
+on:
+  workflow_call:
+  secrets:
+    SEGMENT_ANALYTICS_KEY:
+      required: true
+    LD_CLIENT_ID:
+      required: true
+
+env:
+  SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_KEY }}
+  LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }}
+
+
+jobs:
+  lint:
+    name: Lint Code Base, Spelling, Link Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Lint
+        uses: ConsenSys/docs-gha/lint@main
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  linkCheck:
+    name: Link Checking
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        file-extensions: [".md", ".mdx"]
+    steps:
+      - uses: actions/checkout@v4
+      - name: LinkCheck
+        uses: ConsenSys/docs-gha/linkcheck@main
+        with:
+          FILE_EXTENSION: ${{ matrix.file-extensions }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -10,7 +10,7 @@ jobs:
     name: Check workflows
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Download actionlint
         id: download-actionlint
         run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.22
@@ -19,19 +19,36 @@ jobs:
         run: ${{ steps.download-actionlint.outputs.executable }} -color
         shell: bash
 
-  build-lint:
-    name: Build and lint
-    uses: ./.github/workflows/build-lint.yml
+  build:
+    name: Build
+    uses: ./.github/workflows/build.yml
     secrets:
       SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_DEV_KEY }}
       LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }}
 
+  lint:
+    name: Lint
+    uses: ./.github/workflows/lint.yml
+    secrets:
+      SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_DEV_KEY }}
+      LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }}
+
+  case:
+    name: Case
+    uses: ./.github/workflows/case.yml
+    secrets:
+      SEGMENT_ANALYTICS_KEY: ${{ secrets.SEGMENT_ANALYTICS_DEV_KEY }}
+      LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }}
+
+
   all-jobs-completed:
     name: All jobs completed
     runs-on: ubuntu-latest
     needs:
       - check-workflows
-      - build-lint
+      - build
+      - lint
+      - case
     outputs:
       PASSED: ${{ steps.set-output.outputs.PASSED }}
     steps:

diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml
@@ -2,9 +2,11 @@ name: 'MetaMask Security Code Scanner'
 
 on:
   push:
-    branches: ['main']
+    branches:
+      - 'main'
   pull_request:
-    branches: ['main']
+    branches:
+      - 'main'
 
 jobs:
   run-security-scan:
@@ -14,30 +16,11 @@ jobs:
       contents: read
       security-events: write
     steps:
+      - uses: actions/checkout@v4
       - name: MetaMask Security Code Scanner
-        uses: MetaMask/Security-Code-Scanner@main
+        uses: ConsenSys/docs-gha/mm-security-scanner@main
         with:
           repo: ${{ github.repository }}
-          paths_ignored: |
-            .storybook/
-            '**/__snapshots__/'
-            '**/*.snap'
-            '**/*.stories.js'
-            '**/*.stories.tsx'
-            '**/*.test.browser.ts*'
-            '**/*.test.js*'
-            '**/*.test.ts*'
-            '**/fixtures/'
-            '**/jest.config.js'
-            '**/jest.environment.js'
-            '**/mocks/'
-            '**/test*/'
-            docs/
-            e2e/
-            merged-packages/
-            node_modules
-            storybook/
-            test*/
-          rules_excluded: example
-          project_metrics_token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
-          slack_webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
+          APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,18 @@
+---
+name: Trivy
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  trivy:
+    name: Run trivy scanner
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Trivy
+        uses: ConsenSys/docs-gha/trivy@main
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}