diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
new file mode 100644
index 000000000..d82ee59c2
--- /dev/null
+++ b/.github/workflows/audit.yml
@@ -0,0 +1,21 @@
+name: audit
+
+on:
+ push:
+ branches: [main]
+ pull_request: {}
+
+jobs:
+ yarn-audit:
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ cache: 'yarn'
+ # Start lenient — high+critical only — so the check is not flooded
+ # by known low/moderate dependency findings on day one. Tighten the
+ # threshold (--level moderate, then --level low) once each rung is
+ # clean.
+ - run: yarn audit --groups dependencies --level high
diff --git a/.github/workflows/check-formatting.yml b/.github/workflows/check-formatting.yml
deleted file mode 100644
index 931fd4811..000000000
--- a/.github/workflows/check-formatting.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: "Check Formatting"
-
-on:
- push:
- branches: [main]
- pull_request: {}
-
-jobs:
- check:
- runs-on: ubuntu-22.04
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Set up Node.js v20
- uses: actions/setup-node@v2.1.5
- with:
- node-version: 20
- - name: Build and Format
- run: yarn
- - name: Check Formatting
- run: git diff --exit-code
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 5bc9669f9..ddd23b5df 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
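Review bot: The `yarn-audit` job declares no `permissions:` block, so it runs with the repository's default GITHUB_TOKEN scope although it only needs to read the checkout; add `permissions:` / `  contents: read` at the workflow top level, as osv-scanner.yml in this same change does. The comment above the `yarn audit` step assumes `--level high` also gates the exit status; on Yarn 1.x the flag is documented as filtering the printed advisories, and some releases still derive the exit code from every finding, so confirm on the pinned Yarn version that a lone moderate advisory does not fail the job (Yarn 2+ has no `yarn audit` at all, only `yarn npm audit`). The `actions/checkout@v4` and `actions/setup-node@v4` references are mutable major tags, whereas docker-build.yml in this commit pins every action to a commit SHA; pinning here too keeps the supply-chain policy consistent.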
@@ -1,67 +1,35 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" +name: codeql on: push: - branches: [ main ] + branches: [main, main-dips] pull_request: # The branches below must be a subset of the branches above - branches: [ main ] + branches: [main, main-dips] schedule: - cron: '38 7 * * 4' jobs: analyze: - name: Analyze + name: analyze runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: - language: [ 'javascript' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + language: ['javascript'] steps: - - name: Checkout repository - uses: actions/checkout@v2 + - name: Checkout repository + uses: actions/checkout@v4 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
- # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v1 + - name: Autobuild + uses: github/codeql-action/autobuild@v3 - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml new file mode 100644 index 000000000..277c38a11 --- /dev/null +++ b/.github/workflows/docker-build.yml 
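Review bot: The `analyze` job declares no `permissions:` block; `github/codeql-action/analyze@v3` needs `security-events: write` to upload results, so if this repository or its organisation sets the default GITHUB_TOKEN to read-only, the upload will fail instead of publishing findings. Add to the job `permissions:` with `actions: read`, `contents: read` and `security-events: write` — that also keeps the token least-privilege where the default is still write-all. The action refs (`checkout@v4`, `codeql-action/*@v3`) are floating major tags while docker-build.yml in the same commit pins to SHAs with a version comment; consider pinning here as well.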
@@ -0,0 +1,163 @@
+name: docker build
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ tags:
+ - v*.*.*
+ pull_request: {}
+
+env:
+ AGENT_IMAGE: ghcr.io/graphprotocol/indexer-agent
+ CLI_IMAGE: ghcr.io/graphprotocol/indexer-cli
+
+jobs:
+ agent:
+ name: agent (${{ matrix.platform }})
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - platform: amd64
+ runner: ubuntu-24.04
+ target: linux/amd64
+ - platform: arm64
+ runner: ubuntu-24.04-arm
+ target: linux/arm64
+ runs-on: ${{ matrix.runner }}
+ permissions:
+ packages: write
+ steps:
+ - name: Prepare platform pair
+ run: |
+ platform=${{ matrix.target }}
+ echo "PLATFORM_PAIR=${platform//\//-}" >> "$GITHUB_ENV"
+
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+ - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Docker labels
+ id: meta
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ with:
+ images: ${{ env.AGENT_IMAGE }}
+
+ - name: Build and push by digest
+ id: build
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ with:
+ context: .
+ file: Dockerfile.indexer-agent
+ platforms: ${{ matrix.target }}
+ labels: ${{ steps.meta.outputs.labels }}
+ build-args: NPM_TOKEN=${{ secrets.graphprotocol_npm_token }}
+ cache-from: type=gha,scope=${{ env.PLATFORM_PAIR }}
+ cache-to: type=gha,mode=max,scope=${{ env.PLATFORM_PAIR }}
+ outputs: type=image,name=${{ env.AGENT_IMAGE }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
+
+ - name: Export digest
+ if: github.event_name != 'pull_request'
+ run: |
+ mkdir -p ${{ runner.temp }}/digests
+ digest="${{ steps.build.outputs.digest }}"
+ touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ if: github.event_name != 'pull_request'
+ with:
+ name: digests-${{ env.PLATFORM_PAIR }}
+ path: ${{ runner.temp }}/digests/*
+ if-no-files-found: error
+ retention-days: 1
+
+ agent-manifest:
+ name: agent (manifest)
+ needs: agent
+ if: |
+ !cancelled()
+ && needs.agent.result == 'success'
+ && github.event_name != 'pull_request'
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+ with:
+ path: ${{ runner.temp }}/digests
+ pattern: digests-*
+ merge-multiple: true
+
+ - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+ - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Docker tags
+ id: meta
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ with:
+ images: ${{ env.AGENT_IMAGE }}
+ tags: |
+ type=sha
+ type=ref,event=tag
+
+ # Glob `*` expands to digest-named files written by the build job's Export digest step.
+ - name: Create manifest list and push
+ working-directory: ${{ runner.temp }}/digests
+ run: |
+ # shellcheck disable=SC2046
+ # Both substitutions intentionally produce multiple shell args that
+ # must word-split: jq emits per-tag `-t ` pairs, and printf
+ # expands the digest glob into one positional per file.
+ docker buildx imagetools create \
+ $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+ $(printf '${{ env.AGENT_IMAGE }}@sha256:%s ' *)
+
+ - name: Inspect image
+ run: |
+ docker buildx imagetools inspect ${{ env.AGENT_IMAGE }}:${{ steps.meta.outputs.version }}
+
+ cli:
+ name: cli
+ runs-on: ubuntu-22.04
+ permissions:
+ packages: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Docker meta
+ id: docker_meta
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ with:
+ images: ${{ env.CLI_IMAGE }}
+ tags: type=sha
+
+ - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+ - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push Indexer CLI image
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ with:
+ context: .
+ file: Dockerfile.indexer-cli
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.docker_meta.outputs.tags }}
+ labels: ${{ steps.docker_meta.outputs.labels }}
+ build-args: NPM_TOKEN=${{ secrets.graphprotocol_npm_token }}
diff --git a/.github/workflows/indexer-agent-image.yml b/.github/workflows/indexer-agent-image.yml
deleted file mode 100644
index 72e3cc5a3..000000000
--- a/.github/workflows/indexer-agent-image.yml
+++ /dev/null
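Review bot: Both `build-push-action` steps hand the registry credential to the build as `build-args: NPM_TOKEN=${{ secrets.graphprotocol_npm_token }}`; a build `ARG` consumed by a `RUN` instruction is recorded in the image config/history (visible via `docker history` or `docker inspect` on the pushed ghcr.io image), so unless Dockerfile.indexer-agent and Dockerfile.indexer-cli only reference it in a discarded builder stage — neither Dockerfile is in this diff — the token ships inside the published images. Use BuildKit secrets instead: replace the `build-args` line with `secrets: |` / `  npm_token=${{ secrets.graphprotocol_npm_token }}` and consume it in the Dockerfile with `RUN --mount=type=secret,id=npm_token ...`, which never becomes a layer or metadata. Separately, `agent-manifest` runs on `ubuntu-latest` while every other job in this file pins a release; `runs-on: ubuntu-24.04` keeps the runner set reproducible.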
@@ -1,57 +0,0 @@
-name: Indexer Agent Image
-
-on:
- workflow_dispatch:
- push:
- branches:
- - main
- tags:
- - v*.*.*
- pull_request:
- branches: [main]
-
-jobs:
- build:
- runs-on: ubuntu-22.04
- permissions:
- packages: write
-
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Docker meta
- id: docker_meta
- uses: crazy-max/ghaction-docker-meta@v1
- with:
- images: ghcr.io/graphprotocol/indexer-agent
- tag-sha: true
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
- - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
- with:
- registry: ghcr.io
- username: ${{github.repository_owner}}
- password: ${{secrets.GITHUB_TOKEN}}
- - name: Setup python
- uses: actions/setup-python@v4
- with:
- python-version: '3.11'
- - name: Set up Node.js v20
- uses: actions/setup-node@v2.1.5
- with:
- node-version: 20
- - name: Build and push Indexer Agent image
- id: docker_build
- uses: docker/build-push-action@v2
- with:
- context: .
- file: Dockerfile.indexer-agent
- # Enabling the line below restricts Docker images to only be built for branches
- # push: ${{github.event_name != 'pull_request'}}
- push: true
- tags: ${{steps.docker_meta.outputs.tags}}
- labels: ${{steps.docker_meta.outputs.labels}}
- build-args: NPM_TOKEN=${{secrets.graphprotocol_npm_token}}
diff --git a/.github/workflows/indexer-cli-image.yml b/.github/workflows/indexer-cli-image.yml
deleted file mode 100644
index 4ded8c3dc..000000000
--- a/.github/workflows/indexer-cli-image.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-name: Indexer CLI Image
-
-on:
- workflow_dispatch:
- push:
- branches:
- - main
- tags:
- - v*.*.*
- pull_request:
- branches: [main]
-
-jobs:
- build:
- runs-on: ubuntu-22.04
- permissions:
- packages: write
-
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Docker meta
- id: docker_meta
- uses: crazy-max/ghaction-docker-meta@v1
- with:
- images: ghcr.io/graphprotocol/indexer-cli
- tag-sha: true
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
- - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
- with:
- registry: ghcr.io
- username: ${{github.repository_owner}}
- password: ${{secrets.GITHUB_TOKEN}}
- - name: Setup python
- uses: actions/setup-python@v4
- with:
- python-version: '3.11'
- - name: Set up Node.js v20
- uses: actions/setup-node@v2.1.5
- with:
- node-version: 20
- - name: Build and push Indexer CLI image
- id: docker_build
- uses: docker/build-push-action@v2
- with:
- context: .
- file: Dockerfile.indexer-cli
- # Enabling the line below restricts Docker images to only be built for branches
- # push: ${{github.event_name != 'pull_request'}}
- push: true
- tags: ${{steps.docker_meta.outputs.tags}}
- labels: ${{steps.docker_meta.outputs.labels}}
- build-args: NPM_TOKEN=${{secrets.graphprotocol_npm_token}}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 000000000..5b99312e2
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,42 @@
+name: lint
+
+on:
+ push:
+ branches: [main]
+ pull_request: {}
+
+jobs:
+ prettier:
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ cache: 'yarn'
+ - run: yarn install --frozen-lockfile
+ - run: npx lerna run format
+ - run: git diff --exit-code
+
+ eslint:
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ cache: 'yarn'
+ - run: yarn install --frozen-lockfile
+ - run: npx lerna run lint
+ - run: git diff --exit-code
+
+ typecheck:
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ cache: 'yarn'
+ - run: yarn install --frozen-lockfile
+ - run: npx lerna run compile
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 000000000..22eb38262
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,20 @@
+name: osv-scanner
+
+on:
+ push:
+ branches: [main]
+ pull_request: {}
+
+permissions:
+ contents: read
+
+jobs:
+ scan:
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ - name: Run OSV scanner
+ uses: google/osv-scanner-action/osv-scanner-action@v2.3.8
+ with:
+ scan-args: |-
+ --lockfile=yarn.lock
diff --git a/.github/workflows/ci.yml b/.github/workflows/tests.yml
similarity index 70%
rename from .github/workflows/ci.yml
rename to .github/workflows/tests.yml
index a7827622d..a519cc87e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/tests.yml
@@ -1,7 +1,4 @@
-# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
-# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
-
-name: CI
+name: tests
 on:
 push:
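Review bot: None of the three lint.yml jobs declares `permissions:`, yet each runs `yarn install --frozen-lockfile`, which executes dependency lifecycle scripts on a checkout where `actions/checkout@v4` has persisted the GITHUB_TOKEN in `.git/config` by default; whatever scope the repository default grants is therefore reachable from a compromised package. Add `permissions:` / `  contents: read` at the top of the workflow, as osv-scanner.yml does in this same commit, so that scope is read-only. The trailing `git diff --exit-code` in `eslint` only fails if `npx lerna run lint` rewrote a tracked file, which presumes the lint script runs with a fix flag — if it does not, the step can never fail; either drop it or state the intent with a comment such as `# fails if lint auto-fixes touched tracked files`.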
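Review bot: `google/osv-scanner-action/osv-scanner-action@v2.3.8` is referenced by a mutable release tag while docker-build.yml in this same commit pins every action to a commit SHA with a version comment; a scanner that runs on every pull request is exactly the action worth pinning the same way, e.g. `uses: google/osv-scanner-action/osv-scanner-action@<sha> # v2.3.8`. The `--lockfile=yarn.lock` argument scans only the root lockfile, which is right for a single-lockfile Yarn workspace but silently skips any package that keeps its own; a one-line comment above `scan-args` stating that assumption would keep the next maintainer from widening the workspace without widening the scan.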
@@ -9,13 +6,12 @@ on: pull_request: {} jobs: - build: + test: + name: node ${{ matrix.node-version }} strategy: matrix: node-version: [20, 22] - system: - - os: ubuntu-22.04 - runs-on: ${{ matrix.system.os }} + runs-on: ubuntu-22.04 services: postgres: image: postgres:13 @@ -25,26 +21,26 @@ jobs: POSTGRES_PASSWORD: testpass ports: - 5432:5432 - # Set health checks to wait until postgres has started options: >- --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: update OS run: | sudo apt-get update sudo apt install -y --no-install-recommends gcc g++ make build-essential - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 + uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} registry-url: https://registry.npmjs.org/ + cache: 'yarn' - run: yarn install --frozen-lockfile env: - NODE_AUTH_TOKEN: ${{secrets.npm_token}} + NODE_AUTH_TOKEN: ${{ secrets.npm_token }} - run: yarn test:ci env: POSTGRES_TEST_HOST: localhost
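Review bot: The `yarn install --frozen-lockfile` step keeps `NODE_AUTH_TOKEN: ${{ secrets.npm_token }}` in its environment and `setup-node` has `registry-url` set, so every dependency's install/postinstall script runs with a registry credential readable from the process environment — a compromised package can exfiltrate it. If private packages are genuinely required, limit the exposure to `yarn install --frozen-lockfile --ignore-scripts` in this step and run whatever build step needs lifecycle scripts afterwards without the token; if every dependency is public, drop `registry-url` and `NODE_AUTH_TOKEN` entirely. The bumps to `actions/checkout@v4` and `actions/setup-node@v4` use floating major tags while docker-build.yml in this commit pins to commit SHAs, and the `test` job (whose header is in the previous hunk) still declares no `permissions:`; `contents: read` covers everything visible here.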