Speedups and enhancements for GitHub Actions CI workflows (#477)

* Upgrade step-security/harden-runner v2.6.0 -> v2.10.1 * Downgrade step-security/harden-runner v2.10.1 -> v2.10.0 * Use recommended CI flags for `yarn install` * Upgrade actions/upload-artifact v4.3.3 -> v4.4.0 * Upgrade actions/download-artifact v4.1.7 -> v4.1.8 * Upgrade actions/setup-node v4.0.0 -> v4.0.4 * Mark `fsevents` dependency as optional * Write each test suite coverage report to its own step summary * Add summary link to Test Coverage section of QA Summary comment * Move pusher status and workflow run links to top of comments * Save/restore node_modules to/from common cache * Collapse coverage reports in step summaries * Exclude `**/*.sdl.ts` files from Jest coverage
usdigitalresponse · Oct 4, 2024 · 0a6f7f7 · 0a6f7f7
1 parent c79b821
commit 0a6f7f7
Show file tree

Hide file tree

Showing 16 changed files with 151 additions and 46,723 deletions.
diff --git a/.github/workflows/aws-auth.yml b/.github/workflows/aws-auth.yml
@@ -38,7 +38,7 @@ jobs:
       aws-secret-access-key: ${{ steps.encrypt-aws-secret-access-key.outputs.out }}
       aws-session-token: ${{ steps.encrypt-aws-session-token.outputs.out }}
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -157,7 +157,7 @@ jobs:
       attestation-artifacts-key: ${{ env.ATTESTATION_ARTIFACTS_KEY }}
       attestation-artifacts-path: ${{ steps.store-attestations.outputs.path }}
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
         with:
           disable-sudo: true
           egress-policy: audit
@@ -269,7 +269,7 @@ jobs:
           INSPECT_NAME: ${{ inputs.docker-image-registry }}/${{ inputs.api-image-name }}@${{ steps.build-push.outputs.digest }}
       - name: Upload attestations
         if: steps.store-attestations.outcome == 'success'
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: ${{ env.ATTESTATION_ARTIFACTS_KEY }}
           path: ${{ steps.store-attestations.outputs.path }}
@@ -293,7 +293,7 @@ jobs:
       attestation-artifacts-key: ${{ env.ATTESTATION_ARTIFACTS_KEY }}
       attestation-artifacts-path: ${{ steps.store-attestations.outputs.path }}
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
         with:
           disable-sudo: true
           egress-policy: audit
@@ -403,7 +403,7 @@ jobs:
           INSPECT_NAME: ${{ inputs.docker-image-registry }}/${{ inputs.console-image-name }}@${{ steps.build-push.outputs.digest }}
       - name: Upload attestations
         if: steps.store-attestations.outcome == 'success'
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: ${{ env.ATTESTATION_ARTIFACTS_KEY }}
           path: ${{ steps.store-attestations.outputs.path }}
@@ -427,7 +427,7 @@ jobs:
       artifacts-path: ${{ env.ARTIFACTS_PATH }}
       checksums-sha256: ${{ steps.checksums.outputs.sha256 }}
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
         with:
           disable-sudo: true
           egress-policy: audit
@@ -437,12 +437,12 @@ jobs:
           show-progress: 'false'
           persist-credentials: 'false'
       - name: Setup Node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version-file: .nvmrc
           cache: yarn
       - name: Install dependencies
-        run: yarn install
+        run: yarn install --immutable
       - name: Build the api side
         run: yarn rw build api
         env:
@@ -478,7 +478,7 @@ jobs:
           ENDOFREPORT
           cat "$REPORT_FILE" >> $GITHUB_STEP_SUMMARY
       - name: Upload build artifact
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: ${{ env.ARTIFACTS_KEY }}
           path: ${{ env.ARTIFACTS_PATH }}
@@ -501,7 +501,7 @@ jobs:
       artifacts-path: ${{ env.ARTIFACTS_PATH }}
       checksums-sha256: ${{ steps.checksums.outcome.sha256 }}
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
         with:
           disable-sudo: true
           egress-policy: audit
@@ -564,7 +564,7 @@ jobs:
           ENDOFREPORT
           cat "$REPORT_FILE" >> $GITHUB_STEP_SUMMARY
       - name: Upload build artifact
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: ${{ env.ARTIFACTS_KEY }}
           path: ${{ env.ARTIFACTS_PATH }}
@@ -587,7 +587,7 @@ jobs:
       artifacts-path: ${{ env.ARTIFACTS_PATH }}
       checksums-sha256: ${{ steps.checksums.outputs.sha256 }}
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
         with:
           disable-sudo: true
           egress-policy: audit
@@ -597,13 +597,13 @@ jobs:
           show-progress: 'false'
           persist-credentials: 'false'
       - name: Setup Node
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version-file: .nvmrc
           cache: yarn
           cache-dependency-path: yarn.lock
       - name: Install dependencies
-        run: yarn install
+        run: yarn install --immutable
       - name: Write env vars for build
         run: cat <<< "$DOTENV_FOR_BUILD" >> .env
         env:
@@ -636,7 +636,7 @@ jobs:
           ENDOFREPORT
           cat "$REPORT_FILE" >> $GITHUB_STEP_SUMMARY
       - name: Upload build artifact
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: ${{ env.ARTIFACTS_KEY }}
           path: ${{ env.ARTIFACTS_PATH }}

diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -42,7 +42,7 @@ jobs:
       contents: read
       security-events: write
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
         with:
           disable-sudo: true
           egress-policy: audit
@@ -67,7 +67,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
@@ -191,12 +191,12 @@ jobs:
             github.com:443
       - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
       - name: Download website build artifacts
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build.outputs.web-artifacts-key }}
           path: ${{ needs.build.outputs.web-artifacts-path }}
       - name: Download docker build attestation artifacts for console image
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build.outputs.console-attestation-artifacts-key }}
           path: ${{ needs.build.outputs.console-attestation-artifacts-path }}

diff --git a/.github/workflows/publish-qa-results.yml b/.github/workflows/publish-qa-results.yml
@@ -52,17 +52,29 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
         with:
           disable-sudo: true
           egress-policy: audit
+      - name: Create URL to workflow run
+        id: workflow-run-summary-url
+        run: |
+          RUN_URL="$GH_SERVER/$GH_REPO/actions/runs/$GH_RUN_ID"
+          echo "url=$RUN_URL" >> $GITHUB_OUTPUT
+          echo "attempt-url=$RUN_URL/attempts/${{ github.run_attempt }}" >> $GITHUB_OUTPUT
+        env:
+          GH_SERVER: ${{ github.server_url }}
+          GH_REPO: ${{ github.repository }}
+          GH_RUN_ID: ${{ github.run_id }}
       - name: Write the report markdown file
         run: |
           REPORT_FILE=$(mktemp -t summary.md.XXXXX)
           echo "REPORT_FILE=$REPORT_FILE" >> $GITHUB_ENV
           cat >> $REPORT_FILE << 'ENDOFREPORT'
           ## QA Summary
 
+          *Pusher: @${{ env.GH_ACTOR }}, Action: `${{ env.GH_ACTION }}`, Workflow: [`${{ env.GH_WORKFLOW }}`](${{ env.WORKFLOW_RUN_SUMMARY_URL }})*
+
           _[See our documentation for tips on how to resolve failing QA checks.](${{ env.GH_SERVER}}/${{ env.GH_REPO }}/blob/main/docs/resolving-qa-failures.md)_
 
           | QA Check        | Result  |
@@ -76,6 +88,8 @@ jobs:
 
           ### Test Coverage
 
+          _View the [workflow summary](${{ env.WORKFLOW_RUN_SUMMARY_ATTEMPT_URL }}) for individual coverage reports if this comment is truncated._
+
           <details>
           <summary>Coverage report for <code>api</code> suite</summary>
 
@@ -95,8 +109,6 @@ jobs:
           ${{ env.PYTHON_COVERAGE_REPORT }}
 
           </details>
-
-          *Pusher: @${{ env.GH_ACTOR }}, Action: `${{ env.GH_ACTION }}`, Workflow: [`${{ env.GH_WORKFLOW }}`](${{ env.GH_SERVER}}/${{ env.GH_REPO }}/actions/runs/${{ env.GH_RUN_ID }})*
           ENDOFREPORT
         env:
           API_TEST_OUTCOME: ${{ inputs.api-test-outcome }}
@@ -108,6 +120,8 @@ jobs:
           ESLINT_OUTCOME: ${{ inputs.eslint-outcome }}
           RUFF_OUTCOME: ${{ inputs.ruff-outcome }}
           TFLINT_OUTCOME: ${{ inputs.tflint-outcome }}
+          WORKFLOW_RUN_SUMMARY_URL: ${{ steps.workflow-run-summary-url.outputs.url }}
+          WORKFLOW_RUN_SUMMARY_ATTEMPT_URL: ${{ steps.workflow-run-summary-url.outputs.attempt-url }}
           GH_ACTOR: ${{ github.actor }}
           GH_ACTION: ${{ github.event_name }}
           GH_WORKFLOW: ${{ github.workflow }}

diff --git a/.github/workflows/publish-terraform-plan.yml b/.github/workflows/publish-terraform-plan.yml
@@ -56,6 +56,8 @@ jobs:
           cat >> $REPORT_FILE << 'ENDOFREPORT'
           ## Terraform Summary
 
+          *Pusher: @${{ env.GH_ACTOR }}, Action: `${{ env.GH_ACTION }}`, Workflow: [`${{ env.GH_WORKFLOW }}`](${{ env.GH_SERVER}}/${{ env.GH_REPO }}/actions/runs/${{ env.GH_RUN_ID }})*
+
           | Step                         | Result  |
           |:-----------------------------|:-------:|
           | 🖌  Terraform Format & Style | ${{ (env.TF_FMT_OUTCOME == 'success' && '✅') || (env.TF_FMT_OUTCOME == 'skipped' && '➖') || '❌'  }} |
@@ -82,8 +84,6 @@ jobs:
           ${{ env.TF_PLAN_SUMMARY }}
 
           </details>
-
-          *Pusher: @${{ env.GH_ACTOR }}, Action: `${{ env.GH_ACTION }}`, Workflow: [`${{ env.GH_WORKFLOW }}`](${{ env.GH_SERVER}}/${{ env.GH_REPO }}/actions/runs/${{ env.GH_RUN_ID }})*
           ENDOFREPORT
         env:
           TF_FMT_OUTCOME: ${{ inputs.tf-fmt-outcome }}