From b2d0953bfc5705a3deda9c2340acf6fe14e3e434 Mon Sep 17 00:00:00 2001 From: Marco Ferrari Date: Wed, 20 Nov 2024 10:02:09 +0100 Subject: [PATCH] chore: move npm audit to a dedicate task (#6297) Move 'npm audit' execution to a dedicated target (and corresponding step) so that we can modularize it, and avoid that it blocks that whole test suite. --- .github/workflows/ci.yml | 7 +++++++ Dockerfile | 1 - Makefile | 13 ++++++++++++- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c7290e52..95a5e339 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -252,7 +252,14 @@ jobs: - set-build-metadata - build-container-image - build-test-suite-matrix + # Don't fail the entire test suite when: + # - Running npm audit, so we can see test results even if there are + # vulnerable dependencies that might be unrelated to the PR + # - Running the 'test' target because it runs all the tests, including the + # ones that are allowed to fail + continue-on-error: ${{ matrix.test-case == 'npm-audit' || matrix.test-case == 'test' }} strategy: + fail-fast: true matrix: test-case: ${{ fromJson(needs.build-test-suite-matrix.outputs.matrix) }} images: diff --git a/Dockerfile b/Dockerfile index 5d14dd17..9ee29593 100644 --- a/Dockerfile +++ b/Dockerfile @@ -85,7 +85,6 @@ RUN apk add --no-cache \ COPY dependencies/package.json dependencies/package-lock.json / RUN apk add --no-cache --virtual .node-build-deps \ npm \ - && npm audit \ && npm install --strict-peer-deps \ && npm cache clean --force \ && chown -R "$(id -u)":"$(id -g)" node_modules \ diff --git a/Makefile b/Makefile index b0246bf1..0cf3b853 100644 --- a/Makefile +++ b/Makefile 
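Review bot: `fail-fast: true` under `strategy` in the ci.yml hunk is already the GitHub Actions default for a matrix, so the added line changes nothing; either drop it or extend the comment above it to say why it is spelled out. The `continue-on-error` expression on the same job also turns every `npm audit` finding into an advisory: a failing `npm-audit` case no longer fails the workflow, and nothing in the diff records or escalates those findings, so whatever severity should still block a merge is no longer enforced anywhere. If a threshold is intended, the new `npm-audit` Makefile target is the place to express it (npm's `--audit-level` flag), and the comment here could name where the allowed-to-fail results are reviewed. The `jobs` entry this hunk edits continues outside the hunk.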
@@ -4,7 +4,7 @@ all: info docker test ## Run all targets. .PHONY: test
-test: info validate-container-image-labels docker-build-check docker-dev-container-build-check test-lib inspec lint-codebase fix-codebase test-default-config-files test-actions-runner-debug test-actions-steps-debug test-runner-debug test-find lint-subset-files test-custom-ssl-cert test-non-default-workdir test-git-flags test-non-default-home-directory test-git-initial-commit test-git-merge-commit-push test-log-level test-use-find-and-ignore-gitignored-files test-linters-expect-failure-log-level-notice test-bash-exec-library-expect-success test-bash-exec-library-expect-failure test-save-super-linter-output test-save-super-linter-output-custom-path test-save-super-linter-custom-summary test-custom-gitleaks-log-level test-dont-save-super-linter-log-file test-dont-save-super-linter-output test-linters test-linters-fix-mode ## Run the test suite
+test: info validate-container-image-labels docker-build-check docker-dev-container-build-check npm-audit test-lib inspec lint-codebase fix-codebase test-default-config-files test-actions-runner-debug test-actions-steps-debug test-runner-debug test-find lint-subset-files test-custom-ssl-cert test-non-default-workdir test-git-flags test-non-default-home-directory test-git-initial-commit test-git-merge-commit-push test-log-level test-use-find-and-ignore-gitignored-files test-linters-expect-failure-log-level-notice test-bash-exec-library-expect-success test-bash-exec-library-expect-failure test-save-super-linter-output test-save-super-linter-output-custom-path test-save-super-linter-custom-summary test-custom-gitleaks-log-level test-dont-save-super-linter-log-file test-dont-save-super-linter-output test-linters test-linters-fix-mode ## Run the test suite # if this session isn't interactive, then we don't want to allocate a # TTY, which would fail, but if it is interactive, we do want to attach 
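Review bot: Listing `npm-audit` as a prerequisite of `test` means a local `make test` still stops at the first failing prerequisite unless invoked with `-k`, so the "do not block the whole suite" intent from the commit message is only realized in CI, where the matrix runs each case as its own job. If that split is deliberate, a short comment on the `test` rule would save the next reader from expecting make to carry on, e.g. `# npm-audit can fail on upstream advisories; use 'make -k test' to still run the remaining targets`. Note also that position in this prerequisite list is not an execution order under `-j`, so placing npm-audit early does not guarantee it runs before the other targets.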
@@ -165,6 +165,17 @@ validate-container-image-labels: ## Validate container image labels $(BUILD_REVISION) \ $(BUILD_VERSION)
+.PHONY: npm-audit
+npm-audit: ## Run npm audit to check for known vulnerable dependencies
+ docker run $(DOCKER_FLAGS) \
+ --entrypoint /bin/bash \
+ --rm \
+ -v "$(CURDIR)/dependencies/package-lock.json":/package-lock.json \
+ -v "$(CURDIR)/dependencies/package.json":/package.json \
+ --workdir / \
+ $(SUPER_LINTER_TEST_CONTAINER_URL) \
+ -c "npm audit"
+ # For some cases, mount a directory that doesn't have too many files to keep tests short .PHONY: test-actions-runner-debug
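Review bot: The two bind mounts of `package-lock.json` and `package.json` in the new `npm-audit` recipe are read-write although the recipe only reads them; appending `:ro` keeps the container from touching the host checkout: `-v "$(CURDIR)/dependencies/package-lock.json":/package-lock.json:ro \` and `-v "$(CURDIR)/dependencies/package.json":/package.json:ro \`. A bare `npm audit` exits non-zero on any advisory regardless of severity, and because the CI case for this target is allowed to fail, no severity threshold blocks a merge anywhere; if one is intended, `--audit-level` on the final `-c "npm audit"` line is the place to state it. `npm audit` also needs registry access from inside the container, so a one-line comment above the recipe noting that an offline or proxied runner will see a failure that is not a vulnerability finding would help whoever triages a red run.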