refactor(ci): fix fetch-depth and add some caching (#5563)

* refactor: rename ci -> build.yaml * feat: add build.yaml * feat: add node caching to platform jobs * trigger ci
2022-09-19 09:56:34 -07:00 · 2022-09-19 09:56:34 -07:00 · 4223cf6e2b
commit 4223cf6e2b
parent 987c68a32a
4 changed files with 44 additions and 32 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -18,7 +18,7 @@ concurrency:
 # Note: if: success() is used in several jobs -
 # this ensures that it only executes if all previous jobs succeeded.

-# if: steps.cache-yarn.outputs.cache-hit != 'true'
+# if: steps.cache-node-modules.outputs.cache-hit != 'true'
 # will skip running `yarn install` if it successfully fetched from cache

 jobs:
@ -29,9 +29,6 @@ jobs:
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          submodules: true

      - name: Install Node.js v16
        uses: actions/setup-node@v3
@ -40,9 +37,14 @@ jobs:

      - name: Install helm
        uses: azure/setup-helm@v3.3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install helm kubeval plugin
+        run: helm plugin install https://github.com/instrumenta/helm-kubeval

      - name: Fetch dependencies from cache
-        id: cache-yarn
+        id: cache-node-modules
        uses: actions/cache@v3
        with:
          path: "**/node_modules"
@ -51,8 +53,8 @@ jobs:
            yarn-build-

      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
-        run: yarn --frozen-lockfile
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile

      - name: Run yarn fmt
        run: yarn fmt
@ -73,11 +75,13 @@ jobs:
      - name: Checkout repo
        uses: actions/checkout@v3
        with:
-          fetch-depth: 0
          submodules: true

      - name: Install quilt
-        run: sudo apt update && sudo apt install quilt
+        uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: quilt
+          version: 1.0

      - name: Patch Code
        run: quilt push -a
@ -88,7 +92,7 @@ jobs:
          node-version: "16"

      - name: Fetch dependencies from cache
-        id: cache-yarn
+        id: cache-node-modules
        uses: actions/cache@v3
        with:
          path: "**/node_modules"
@ -97,7 +101,7 @@ jobs:
            yarn-build-

      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
        run: yarn --frozen-lockfile

      - name: Build code-server
@ -171,8 +175,6 @@ jobs:
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0

      - name: Download artifact
        uses: actions/download-artifact@v3
@ -224,8 +226,6 @@ jobs:
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0

      - name: Install Node.js v16
        uses: actions/setup-node@v3
@ -262,8 +262,18 @@ jobs:
      - name: Build standalone release
        run: source scl_source enable devtoolset-9 && yarn release:standalone

+      - name: Fetch dependencies from cache
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
      - name: Install test dependencies
-        run: SKIP_SUBMODULE_DEPS=1 yarn install
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile

      - name: Run integration tests on standalone release
        run: yarn test:integration
@ -320,8 +330,6 @@ jobs:
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0

      - name: Install Node.js v16
        uses: actions/setup-node@v3
@ -373,8 +381,6 @@ jobs:
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0

      - name: Install Node.js v16
        uses: actions/setup-node@v3
@ -398,7 +404,17 @@ jobs:
      - name: Build standalone release
        run: yarn release:standalone

+      - name: Fetch dependencies from cache
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: yarn-build-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            yarn-build-
+
      - name: Install test dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
        run: SKIP_SUBMODULE_DEPS=1 yarn install

      - name: Run integration tests on standalone release
@ -425,8 +441,6 @@ jobs:
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0

      - name: Install Node.js v16
        uses: actions/setup-node@v3
@ -434,7 +448,7 @@ jobs:
          node-version: "16"

      - name: Fetch dependencies from cache
-        id: cache-yarn
+        id: cache-node-modules
        uses: actions/cache@v3
        with:
          path: "**/node_modules"
@ -455,7 +469,7 @@ jobs:
          mv code-server*-linux-amd64 code-server-linux-amd64

      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile

      - name: Install Playwright OS dependencies
@ -488,8 +502,6 @@ jobs:
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0

      - name: Install Node.js v16
        uses: actions/setup-node@v3
@ -497,7 +509,7 @@ jobs:
          node-version: "16"

      - name: Fetch dependencies from cache
-        id: cache-yarn
+        id: cache-node-modules
        uses: actions/cache@v3
        with:
          path: "**/node_modules"
@ -518,7 +530,7 @@ jobs:
          mv code-server*-linux-amd64 code-server-linux-amd64

      - name: Install dependencies
-        if: steps.cache-yarn.outputs.cache-hit != 'true'
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
        run: SKIP_SUBMODULE_DEPS=1 yarn --frozen-lockfile

      - name: Install Playwright OS dependencies
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@ -33,7 +33,7 @@ jobs:
        id: download
        with:
          branch: release/v${{ steps.version.outputs.version }}
-          workflow: ci.yaml
+          workflow: build.yaml
          workflow_conclusion: completed
          name: "npm-package"
          path: release-npm-package
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -26,7 +26,7 @@ jobs:
        id: download
        with:
          branch: ${{ github.ref }}
-          workflow: ci.yaml
+          workflow: build.yaml
          workflow_conclusion: completed
          check_artifacts: true
          name: release-packages
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@ -16,10 +16,10 @@ We use the following tools to help us stay on top of vulnerability mitigation.
  - [trivy](https://github.com/aquasecurity/trivy)
    - Comprehensive vulnerability scanner that runs on PRs into the default
      branch and scans both our container image and repository code (see
-      `trivy-scan-repo` and `trivy-scan-image` jobs in `ci.yaml`)
+      `trivy-scan-repo` and `trivy-scan-image` jobs in `build.yaml`)
 - [`audit-ci`](https://github.com/IBM/audit-ci)
  - Audits npm and Yarn dependencies in CI (see `Audit for vulnerabilities` step
-    in `ci.yaml`) on PRs into the default branch and fails CI if moderate or
+    in `build.yaml`) on PRs into the default branch and fails CI if moderate or
    higher vulnerabilities (see the `audit.sh` script) are present.

 ## Supported Versions