Clear OSV-Scanner HIGH/MED/LOW findings via dep bumps + overrides #1127
| name: test | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| id-token: write | |
| jobs: | |
| lint: | |
| runs-on: | |
| group: databricks-protected-runner-group | |
| labels: linux-ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - name: Pin lockfileVersion to 2 | |
| # See CONTRIBUTING.md "Dependency Pins". Modern npm writes v3 | |
| # by default; catching drift here prevents silent format upgrades | |
| # from sneaking in via `npm install`. | |
| run: | | |
| actual=$(jq -r '.lockfileVersion' package-lock.json) | |
| if [ "$actual" != "2" ]; then | |
| echo "::error::package-lock.json lockfileVersion is $actual; expected 2. Regenerate with 'npm install --lockfile-version=2'." | |
| exit 1 | |
| fi | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: 20 | |
| - uses: ./.github/actions/setup-jfrog | |
| - name: Cache node modules | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 | |
| env: | |
| cache-name: cache-node-modules | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-build-${{ env.cache-name }}- | |
| ${{ runner.os }}-build- | |
| ${{ runner.os }}- | |
| - name: Check code style | |
| run: | | |
| npm ci | |
| npm run prettier | |
| npm run lint | |
| unit-test: | |
| runs-on: | |
| group: databricks-protected-runner-group | |
| labels: linux-ubuntu-latest | |
| timeout-minutes: 20 | |
| strategy: | |
| matrix: | |
| # LTS versions: 16/18/20 are the currently-supported floor; 22 | |
| # is the active LTS and 24 is the new LTS. Node 14 was dropped | |
| # because the modern npm ecosystem (e.g. @dabh/diagnostics@2.0.7+ | |
| # via winston) ships ES2021 syntax (||=) that Node 14's V8 cannot | |
| # parse. Node 14 has been EOL upstream since April 2023. | |
| node-version: ['16', '18', '20', '22', '24'] | |
| env: | |
| cache-name: cache-node-modules | |
| NYC_REPORT_DIR: coverage_unit_node${{ matrix.node-version }} | |
| steps: | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - uses: ./.github/actions/setup-jfrog | |
| - name: Cache node modules | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-${{ matrix.node-version }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-${{ matrix.node-version }}-build-${{ env.cache-name }}- | |
| ${{ runner.os }}-${{ matrix.node-version }}-build- | |
| ${{ runner.os }}-${{ matrix.node-version }}- | |
| - name: Run unit tests | |
| run: | | |
| npm ci | |
| npm run test | |
| - run: tar -cvf ${{ env.NYC_REPORT_DIR }}.tar ${{ env.NYC_REPORT_DIR }} | |
| - name: Store coverage report | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: ${{ env.NYC_REPORT_DIR }} | |
| path: ${{ env.NYC_REPORT_DIR }}.tar | |
| retention-days: 1 | |
| e2e-test: | |
| runs-on: | |
| group: databricks-protected-runner-group | |
| labels: linux-ubuntu-latest | |
| environment: azure-prod | |
| # Cap job time so a wedged matrix entry doesn't hold a runner + | |
| # warehouse session for GitHub's 6-hour default. Tests historically | |
| # complete in <15min; 30min leaves room for warehouse cold-start. | |
| timeout-minutes: 30 | |
| strategy: | |
| # Run all matrix entries even if one fails so a Node-version-specific | |
| # network/TLS regression doesn't hide other versions' results. | |
| fail-fast: false | |
| matrix: | |
| # Matches the unit-test matrix so e2e catches Node-version-specific | |
| # behaviors (TLS/cipher defaults, native fetch interaction, lz4 ABI, | |
| # OAuth crypto APIs) that unit tests with mocked I/O can't surface. | |
| node-version: ['16', '18', '20', '22', '24'] | |
| env: | |
| E2E_HOST: ${{ secrets.DATABRICKS_HOST }} | |
| E2E_PATH: ${{ secrets.TEST_PECO_WAREHOUSE_HTTP_PATH }} | |
| E2E_ACCESS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }} | |
| # Include Node version in the suffix so parallel matrix entries | |
| # don't collide on shared E2E table names. Use underscore (not | |
| # hyphen) — hyphens aren't valid in SQL unquoted identifiers, | |
| # and tests build identifiers as `..._${E2E_TABLE_SUFFIX}`. | |
| E2E_TABLE_SUFFIX: ${{ github.sha }}_node${{ matrix.node-version }} | |
| E2E_CATALOG: peco | |
| E2E_SCHEMA: default | |
| E2E_VOLUME: e2etests | |
| cache-name: cache-node-modules | |
| NYC_REPORT_DIR: coverage_e2e_node${{ matrix.node-version }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - uses: ./.github/actions/setup-jfrog | |
| - name: Cache node modules | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-${{ matrix.node-version }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-${{ matrix.node-version }}-build-${{ env.cache-name }}- | |
| ${{ runner.os }}-${{ matrix.node-version }}-build- | |
| ${{ runner.os }}-${{ matrix.node-version }}- | |
| - name: Run e2e tests | |
| run: | | |
| npm ci | |
| NODE_OPTIONS="--max-old-space-size=4096" npm run e2e | |
| - run: tar -cvf ${{ env.NYC_REPORT_DIR }}.tar ${{ env.NYC_REPORT_DIR }} | |
| - name: Store coverage report | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: ${{ env.NYC_REPORT_DIR }} | |
| path: ${{ env.NYC_REPORT_DIR }}.tar | |
| retention-days: 1 | |
| coverage: | |
| needs: [unit-test, e2e-test] | |
| runs-on: | |
| group: databricks-protected-runner-group | |
| labels: linux-ubuntu-latest | |
| env: | |
| cache-name: cache-node-modules | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - name: Cache node modules | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 | |
| with: | |
| path: ~/.npm | |
| key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }} | |
| restore-keys: | | |
| ${{ runner.os }}-build-${{ env.cache-name }}- | |
| ${{ runner.os }}-build- | |
| ${{ runner.os }}- | |
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 | |
| with: | |
| pattern: coverage_* | |
| merge-multiple: true | |
| - name: Unpack coverage reports | |
| run: | | |
| ls -1 coverage_*.tar | xargs -I '{}' -- tar -xvf '{}' | |
| rm coverage_*.tar | |
| - run: ls -la | |
| - name: Coverage | |
| uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| fail_ci_if_error: true | |
| verbose: true |
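Review bot: The workflow-level `permissions:` block grants `id-token: write` to every job, but only the jobs that run `./.github/actions/setup-jfrog` (lint, unit-test, e2e-test) plausibly need an OIDC token — assuming that composite action is what exchanges it — and the `coverage` job, which only downloads artifacts and uploads to codecov, gets it for nothing. Least privilege here is to keep the top-level block at `contents: read` and add a job-level block `permissions:` / `contents: read` / `id-token: write` on just the jobs that call setup-jfrog, so a compromised step in `coverage` (or any future job) cannot mint a cloud identity token. Separately, the matrix comment calling Node 16/18/20 "the currently-supported floor" is out of date for a dependency-security commit: Node 16 reached upstream EOL in September 2023 and Node 18 in April 2025, so those runners exercise a runtime that no longer receives security fixes; if they must stay for compatibility, the comment should say so explicitly rather than describe them as supported.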