forked from semgrep/semgrep
-
Notifications
You must be signed in to change notification settings - Fork 0
156 lines (154 loc) · 5.6 KB
/
build-test-javascript.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
# AUTOGENERATED FROM build-test-javascript.jsonnet DO NOT MODIFY
jobs:
build:
container: returntocorp/ocaml:alpine-2024-01-18
env:
HOME: /root
runs-on: ubuntu-latest-16-core
steps:
- name: Make checkout speedy
run: git config --global fetch.parallel 50
- uses: actions/checkout@v3
with:
submodules: true
- name: Configure git safedir properly
run: git config --global --add safe.directory $(pwd)
- name: Set up tree-sitter
run: (cd libs/ocaml-tree-sitter-core && ./configure && ./scripts/install-tree-sitter-lib)
- id: cache-git
name: Cache git checkout
uses: actions/cache/save@v3
with:
key: semgrep-with-submodules-and-tree-sitter-${{ github.sha }}
path: .
- name: Build semgrep
run: |
eval $(opam env)
make install-deps-ALPINE-for-semgrep-core
make install-deps-for-semgrep-core
make build-semgrep-jsoo
- uses: actions/upload-artifact@v3
with:
name: semgrep-js-ocaml-build-${{ github.sha }}
path: |
_build/default/js/**/*.bc.js
retention-days: 1
test:
container: emscripten/emsdk:3.1.51
env:
HOME: /root
needs:
- build
runs-on: ubuntu-latest-16-core
steps:
- id: restore-git
name: Restore git checkout cache
uses: actions/cache/restore@v3
with:
key: semgrep-with-submodules-and-tree-sitter-${{ github.sha }}
path: .
- if: ${{ steps.restore-git.outputs.cache-hit != 'true' }}
name: Make checkout speedy
run: git config --global fetch.parallel 50
- name: Configure git safedir properly
run: git config --global --add safe.directory $(pwd)
- if: ${{ steps.restore-git.outputs.cache-hit != 'true' }}
uses: actions/checkout@v3
with:
submodules: true
- if: ${{ steps.restore-git.outputs.cache-hit != 'true' }}
name: Set up tree-sitter
run: (cd libs/ocaml-tree-sitter-core && ./configure && ./scripts/install-tree-sitter-lib)
- uses: actions/download-artifact@v3
with:
name: semgrep-js-ocaml-build-${{ github.sha }}
path: _build/default/js
- uses: actions/setup-node@v3
with:
node-version: "18"
- name: Build JS artifacts
run: make -C js -j $(nproc) build
- name: Test JS artifacts
run: |
# Allow 'git rev-parse --show-toplevel' even though the owner of the
# semgrep folder is different than the owner of its contents.
# Needed by OCaml test code to determine the project root.
git config --global --add safe.directory /__w/semgrep/semgrep
make -C js -j $(nproc) test
- name: Setup APT for xvfb
run: |
sudo apt-get update
sudo apt-get install -y libatk-bridge2.0-0 libgtk-3-0 libgbm1
- name: Test LSP.js
uses: coactions/setup-xvfb@v1
with:
run: make -C js/language_server test
- name: Package JS artifacts
run: |
tar cvzf semgrep-js-artifacts.tar.gz \
js/engine/dist/index.cjs \
js/engine/dist/index.mjs \
js/languages/*/dist/index.cjs \
js/languages/*/dist/index.mjs \
js/languages/*/dist/semgrep-parser.wasm \
js/language_server/dist/*
- name: Upload JS artifacts
uses: actions/upload-artifact@v3
with:
name: semgrep-js-artifacts-${{ github.sha }}
path: semgrep-js-artifacts.tar.gz
retention-days: 2
upload:
if: ${{ inputs.upload-artifacts }}
needs:
- test
permissions:
contents: write
id-token: write
runs-on: ubuntu-latest
steps:
- name: Configure AWS credentials for semgrep-oss-js-artifacts-deploy-role
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-west-2
role-duration-seconds: 900
role-session-name: semgrep-s3-access
role-to-assume: arn:aws:iam::338683922796:role/semgrep-oss-js-artifacts-deploy-role
- uses: actions/download-artifact@v3
with:
name: semgrep-js-artifacts-${{ github.sha }}
path: /tmp/semgrep
- name: Upload to S3
run: |
cd /tmp/semgrep
tar xvzf semgrep-js-artifacts.tar.gz
branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
urlencoded_branch_name=$(printf %s $branch_name | jq -sRr @uri)
cache_control=""
if [[ "${branch_name}" =~ "^release-[0-9.]+$" ]]; then
# If this is a release:
# - public: The response can be stored in a shared cache
# - max-age=31536000: Cache for up to 1 year
# - immutable: The response will not be updated while fresh
cache_control="public,max-age=31536000,immutable"
else
# Otherwise:
# - public: This response can be stored in a shared cache
# - max-age=300: Cache for up to 5 mins
cache_control="public,max-age=300"
fi
aws s3 cp --recursive --cache-control "${cache_control}" /tmp/semgrep/js/ "s3://semgrep-app-static-assets/static/turbo/${urlencoded_branch_name}/"
name: build-test-javascript
on:
workflow_call:
inputs:
upload-artifacts:
default: false
description: Whether or not to upload JS artifacts to S3
type: boolean
workflow_dispatch:
inputs:
upload-artifacts:
default: false
description: Whether or not to upload JS artifacts to S3
type: boolean