Bump brakeman from 6.2.2 to 7.0.0 #5803
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
- push | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
services: | |
db: | |
image: postgres:16 | |
env: | |
POSTGRES_PASSWORD: postgres | |
ports: | |
- 5432:5432 | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
steps: | |
- name: Install packages | |
run: sudo apt-get update && sudo apt-get install --no-install-recommends -y google-chrome-stable curl libjemalloc2 libvips postgresql-client | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Setup Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: .ruby-version | |
bundler-cache: true | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 20 | |
- name: Enable Corepack | |
run: corepack enable | |
- name: Get yarn cache directory path | |
id: yarn-cache-dir-path | |
run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT | |
- name: Manage yarn, webpack and assets cache | |
uses: actions/cache@v4 | |
# use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`) | |
id: yarn-cache | |
with: | |
path: | | |
${{ steps.yarn-cache-dir-path.outputs.dir }} | |
public/assets | |
public/packs-test | |
tmp/cache | |
tmp/shakapacker | |
key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }} | |
restore-keys: | | |
${{ runner.os }}-yarn- | |
- name: Install yarn packages | |
run: yarn install --immutable | |
- name: Prepare config files | |
run: | | |
cp config/action_mailer.yml.ci config/action_mailer.yml | |
cp config/code_ocean.yml.ci config/code_ocean.yml | |
cp config/database.yml.ci config/database.yml | |
cp config/docker.yml.erb.ci config/docker.yml.erb | |
cp config/mnemosyne.yml.ci config/mnemosyne.yml | |
cp config/content_security_policy.yml.ci config/content_security_policy.yml | |
- name: Prepare database | |
env: | |
RAILS_ENV: test | |
run: bundler exec rake db:prepare | |
- name: Precompile assets | |
env: | |
RAILS_ENV: test | |
run: bundler exec rake assets:precompile | |
- name: Run tests | |
env: | |
RAILS_ENV: test | |
CC_TEST_REPORTER_ID: true | |
run: bundle exec rspec --color --format RSpec::Github::Formatter --format progress | |
- name: Upload coverage reports to Codecov | |
uses: codecov/codecov-action@v5 | |
if: ${{ success() || failure() }} | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
- name: Keep screenshots from failed system specs | |
uses: actions/upload-artifact@v4 | |
if: failure() | |
with: | |
name: screenshots | |
path: ${{ github.workspace }}/tmp/screenshots | |
if-no-files-found: ignore | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Setup Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: .ruby-version | |
bundler-cache: true | |
- name: Run rubocop | |
uses: reviewdog/action-rubocop@v2 | |
with: | |
filter_mode: nofilter | |
rubocop_version: gemfile | |
rubocop_extensions: rubocop-rails:gemfile rubocop-rspec:gemfile rubocop-performance:gemfile | |
rubocop_flags: --parallel | |
reporter: github-check | |
skip_install: true | |
use_bundler: true | |
fail_level: any | |
slim-lint: | |
permissions: | |
# Required: Allow read access to the content for analysis. | |
contents: read | |
# Required: Allow write access to checks to allow the action to annotate code in the PR. | |
checks: write | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Setup Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: .ruby-version | |
bundler-cache: true | |
- name: Run slim-lint | |
run: bundle exec slim-lint app/views --reporter checkstyle > checkstyle-result.xml | |
- name: Upload slim-lint results as GitHub annotations | |
uses: lcollins/[email protected] | |
# Only create GitHub annotations for the main repo (disable for forks): | |
if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository }} | |
with: | |
name: Slim-Lint Report | |
title: Analyze Slim templates for linting issues | |
path: checkstyle-result.xml | |
scan_ruby: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: .ruby-version | |
bundler-cache: true | |
- name: Scan for common Rails security vulnerabilities using static analysis | |
uses: reviewdog/action-brakeman@v2 | |
with: | |
filter_mode: nofilter | |
reporter: github-check | |
skip_install: true | |
use_bundler: true | |
fail_level: any |