Skip to content
CI/CD

Bump rollup-plugin-userscript from 0.3.5 to 0.3.7 #214

Sign in to view logs

Bump rollup-plugin-userscript from 0.3.5 to 0.3.7

Bump rollup-plugin-userscript from 0.3.5 to 0.3.7 #214

Workflow file for this run

.github/workflows/cicd.yml at 2f42e2c
name: CI/CD
on:
workflow_dispatch:
push:
branches:
- "**"
- "!dependabot/**"
pull_request:
branches:
- "**"
permissions:
contents: read
jobs:
changed-files:
name: Detect Changed Files
runs-on: ubuntu-latest
outputs:
run-ci: ${{ github.event_name == 'workflow_dispatch' || steps.ci-files-changed.outputs.paths_any_changed == 'true' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# Maybe one day GitHub will handle this for us using path filters, but for now we need to skip all of the steps that would normally run for non-code changes ourselves.
# https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/troubleshooting-required-status-checks#handling-skipped-but-required-checks
- name: CI Files Changed
id: ci-files-changed
uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45.0.6
with:
files_yaml: |
paths:
- "**"
- "!*.md"
- "!.github/**"
- ".github/workflows/*.yml"
- "!.github/workflows/cd.yml"
ci:
name: CI
runs-on: ubuntu-22.04
needs: changed-files
if: ${{ needs.changed-files.outputs.run-ci == 'true' }}
strategy:
matrix:
docker-context: ["rootless", "default"]
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: ${{ matrix.docker-context != 'rootless' }}
egress-policy: block
allowed-endpoints: >
auth.docker.io:443
coveralls.io:443
dl-cdn.alpinelinux.org:443
download.docker.com:443
get.docker.com:443
github.com:443
objects.githubusercontent.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
registry.npmjs.org:443
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Use Rootless Docker
if: ${{ matrix.docker-context == 'rootless' }}
uses: ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886 # 0.2.2
- name: Validate Docker Compose Files
run: |
docker compose --file compose.yml config --quiet
docker compose --file compose.watch-build-server.yml config --quiet
- name: Docker Cache
id: docker-cache
uses: ScribeMD/docker-cache@fb28c93772363301b8d0a6072ce850224b73f74e # 0.5.0
with:
key: docker-${{ runner.os }}-${{ hashFiles('./images/node/Dockerfile') }}
- name: NPM Cache
id: npm-cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: "~/.npm"
key: npm-${{ runner.os }}-${{ hashFiles('./package-lock.json') }}
- name: Build and Verify
run: |
chmod +x "./npm" "./user-mirror"
./npm -- run clean-verify
- name: Upload Code Coverage
if: ${{ matrix.docker-context == 'rootless' }}
uses: coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8 # v2.3.4
- name: Upload Artifacts
if: ${{ matrix.docker-context == 'rootless' }}
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: artifacts
path: build/release/
if-no-files-found: error
release-gate:
name: Release Gate
runs-on: ubuntu-latest
needs: ci
outputs:
verification: ${{ steps.verify.outputs.VERIFY_STATUS }}
if: ${{ github.ref == 'refs/heads/mainline' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Use Node.js
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: lts/*
- name: Download CI Artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: artifacts
path: artifacts
- name: Verify the CI Artifacts
id: verify
run: echo "VERIFY_STATUS=$(node scripts/verifyDeploy.js artifacts/script.user.js artifacts/script.meta.js >/dev/null 2>&1 && echo success || echo failure)" >> "$GITHUB_OUTPUT"
sign:
needs: release-gate
name: Sign
runs-on: ubuntu-22.04
environment: signature
if: ${{ needs.release-gate.outputs.verification == 'success' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: block
allowed-endpoints: >
auth.docker.io:443
dl-cdn.alpinelinux.org:443
download.docker.com:443
get.docker.com:443
github.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Use Rootless Docker
uses: ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886 # 0.2.2
- name: Docker Cache
id: docker-cache
uses: ScribeMD/docker-cache@fb28c93772363301b8d0a6072ce850224b73f74e # 0.5.0
with:
key: docker-${{ runner.os }}-${{ hashFiles('./images/node/Dockerfile') }}
- name: Download CI Artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: artifacts
path: build/release/
- name: Sign Artifacts
run: |
mkdir -p ~/.minisign
echo '${{ secrets.MINISIGN_PRIVATE_BASE64 }}' | base64 -d > ~/.minisign/minisign.key
chmod +x "./npm" "./user-mirror"
MINISIGN_KEY_PATH='~/.minisign/minisign.key' ./npm -- run sign
rm ~/.minisign/minisign.key
- name: Verify Signatures
run: |
chmod +x "./npm" "./user-mirror"
./npm -- run sign:verify
- name: Upload Signed Artifacts
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: signed-artifacts
path: build/release/
if-no-files-found: error
deploy:
needs: sign
name: Deploy
runs-on: ubuntu-latest
environment: elevated-workflow
permissions:
contents: write # Needed to create a release https://docs.github.com/en/rest/releases/releases#create-a-release
concurrency:
group: deployment
cancel-in-progress: true
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:22
uploads.github.com:443
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ssh-key: ${{ secrets.ELEVATED_WORKFLOW_DEPLOY_KEY }}
- name: Download Signed Artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: signed-artifacts
path: artifacts
- name: Extract artifact script version
run: echo "SCRIPT_VERSION=$(grep -oP '// @version \K(.+)' artifacts/script.meta.js)" >> $GITHUB_ENV
- name: Create Release Tag
run: |
git tag "release-$SCRIPT_VERSION";
git push origin tag "release-$SCRIPT_VERSION";
- name: Create release
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
artifactErrorsFailBuild: true
artifacts: "artifacts/script.meta.js,artifacts/script.user.js,artifacts/script.user.js.minisig"
body: "Verify artifacts: `minisign -HV -P 'RWQzlcfYwjz4IPiyyUgFiCkqFuQoOfolfw4AWUwCSRBRYNDuaEqqa6h/' -m script.user.js` ([public key](https://raw.githubusercontent.com/AJGranowski/reddit-expanded-community-filter-userscript/mainline/minisign.pub))"
draft: false
generateReleaseNotes: true
makeLatest: true
name: Release ${{ env.SCRIPT_VERSION }}
tag: release-${{ env.SCRIPT_VERSION }}
updateOnlyUnreleased: true