Skip to content

Bump brakeman from 6.2.2 to 7.0.0 #5803

Bump brakeman from 6.2.2 to 7.0.0

Bump brakeman from 6.2.2 to 7.0.0 #5803

Workflow file for this run

name: CI
on:
- push
jobs:
test:
runs-on: ubuntu-latest
services:
db:
image: postgres:16
env:
POSTGRES_PASSWORD: postgres
ports:
- 5432:5432
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
- name: Install packages
run: sudo apt-get update && sudo apt-get install --no-install-recommends -y google-chrome-stable curl libjemalloc2 libvips postgresql-client
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: .ruby-version
bundler-cache: true
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: 20
- name: Enable Corepack
run: corepack enable
- name: Get yarn cache directory path
id: yarn-cache-dir-path
run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
- name: Manage yarn, webpack and assets cache
uses: actions/cache@v4
# use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
id: yarn-cache
with:
path: |
${{ steps.yarn-cache-dir-path.outputs.dir }}
public/assets
public/packs-test
tmp/cache
tmp/shakapacker
key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-yarn-
- name: Install yarn packages
run: yarn install --immutable
- name: Prepare config files
run: |
cp config/action_mailer.yml.ci config/action_mailer.yml
cp config/code_ocean.yml.ci config/code_ocean.yml
cp config/database.yml.ci config/database.yml
cp config/docker.yml.erb.ci config/docker.yml.erb
cp config/mnemosyne.yml.ci config/mnemosyne.yml
cp config/content_security_policy.yml.ci config/content_security_policy.yml
- name: Prepare database
env:
RAILS_ENV: test
run: bundler exec rake db:prepare
- name: Precompile assets
env:
RAILS_ENV: test
run: bundler exec rake assets:precompile
- name: Run tests
env:
RAILS_ENV: test
CC_TEST_REPORTER_ID: true
run: bundle exec rspec --color --format RSpec::Github::Formatter --format progress
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v5
if: ${{ success() || failure() }}
with:
token: ${{ secrets.CODECOV_TOKEN }}
- name: Keep screenshots from failed system specs
uses: actions/upload-artifact@v4
if: failure()
with:
name: screenshots
path: ${{ github.workspace }}/tmp/screenshots
if-no-files-found: ignore
lint:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: .ruby-version
bundler-cache: true
- name: Run rubocop
uses: reviewdog/action-rubocop@v2
with:
filter_mode: nofilter
rubocop_version: gemfile
rubocop_extensions: rubocop-rails:gemfile rubocop-rspec:gemfile rubocop-performance:gemfile
rubocop_flags: --parallel
reporter: github-check
skip_install: true
use_bundler: true
fail_level: any
slim-lint:
permissions:
# Required: Allow read access to the content for analysis.
contents: read
# Required: Allow write access to checks to allow the action to annotate code in the PR.
checks: write
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: .ruby-version
bundler-cache: true
- name: Run slim-lint
run: bundle exec slim-lint app/views --reporter checkstyle > checkstyle-result.xml
- name: Upload slim-lint results as GitHub annotations
uses: lcollins/[email protected]
# Only create GitHub annotations for the main repo (disable for forks):
if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository }}
with:
name: Slim-Lint Report
title: Analyze Slim templates for linting issues
path: checkstyle-result.xml
scan_ruby:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: .ruby-version
bundler-cache: true
- name: Scan for common Rails security vulnerabilities using static analysis
uses: reviewdog/action-brakeman@v2
with:
filter_mode: nofilter
reporter: github-check
skip_install: true
use_bundler: true
fail_level: any