diff --git a/.githooks/pre-commit b/.githooks/pre-commit new file mode 100755 index 000000000000..e9109dde58a1 --- /dev/null +++ b/.githooks/pre-commit @@ -0,0 +1,12 @@ +#!/usr/bin/env sh +set -eu + +# ensure gitleaks is available +if ! command -v gitleaks >/dev/null 2>&1; then + echo "Error: gitleaks is not installed or not in PATH." >&2 + echo "Install: https://github.com/gitleaks/gitleaks#install" >&2 + exit 1 +fi + +# scan for secrets before commit +gitleaks protect -v --staged diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 8822f0f78ce4..24b2d8bc30fe 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,9 +1,10 @@ -# This file pairs with the automated code review assignment setting to make that system work -# https://help.github.com/en/github/setting-up-and-managing-organizations-and-teams/managing-code-review-assignment-for-your-team - -# Docs: https://help.github.com/articles/about-codeowners/ - - -# default owners for the entire repo -* @GoogleChrome/lighthouse-hackers +# Pipelines Codeowners rules +.github/** @quanta-computing/owners-pipelines +.yamlfix.toml @quanta-computing/owners-pipelines + +# Security Codeowners rules +.gitleaks.toml @quanta-computing/owners-security +.gitleaksignore @quanta-computing/owners-security +.githooks/pre-commit @quanta-computing/owners-security +**/secu-*.yml @quanta-computing/owners-security diff --git a/.github/ISSUE_TEMPLATE/Feature_request.md b/.github/ISSUE_TEMPLATE/Feature_request.md deleted file mode 100644 index 375b26ed5b66..000000000000 --- a/.github/ISSUE_TEMPLATE/Feature_request.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -name: Feature request -about: Suggest an idea to us! - ---- - - - - - -**Feature request summary** - - - - -**What is the motivation or use case for changing this?** - - -**How is this beneficial to Lighthouse?** - diff --git a/.github/ISSUE_TEMPLATE/Other.md b/.github/ISSUE_TEMPLATE/Other.md deleted file mode 100644 index 1e534bbcc5d9..000000000000 
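Review bot: `gitleaks protect -v --staged` prints each finding verbatim, so a staged secret ends up in terminal scrollback and in any captured hook output; `gitleaks protect -v --redact --staged` keeps the report without echoing the value. Nothing visible in this commit sets `core.hooksPath` to `.githooks`, so the hook only runs for contributors who configure it themselves, and `git commit --no-verify` skips it. A header comment such as `# enable with: git config core.hooksPath .githooks; the CI secrets-scan workflow remains the enforcing check` would document that. Newer gitleaks releases deprecate `protect` (the replacement is, I believe, `gitleaks git --pre-commit --staged`), so state the expected gitleaks version next to the install link.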
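Review bot: The security ownership rules can be changed without security review, because `.github/CODEOWNERS` itself matches `.github/** @quanta-computing/owners-pipelines` and no later line reassigns it. Adding `.github/CODEOWNERS @quanta-computing/owners-security` to the security block, or listing both teams, would close that gap. Removing the `*` default also leaves every path not listed here without a code owner, so a "require review from code owners" branch rule would not apply to the rest of the tree; if that is intended, say so in a comment. `**/secu-*.yml` only overrides `.github/**` because the last matching pattern wins, so a comment such as `# keep after the pipelines block: last match wins` would protect the ordering.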
--- a/.github/ISSUE_TEMPLATE/Other.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -name: Other -about: Throw something out there! - ---- - - -**Summary** - diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml deleted file mode 100644 index 1670eafe5323..000000000000 --- a/.github/ISSUE_TEMPLATE/bug-report.yml +++ /dev/null 
@@ -1,102 +0,0 @@ -name: Bug Report -description: Report something working incorrectly -labels: [bug] -body: - - type: markdown - attributes: - value: | - Thanks for taking the time to fill out this bug report! - - type: checkboxes - id: faq - attributes: - label: FAQ - description: Please double check that this isn't one of our most common questions already answered by [documentation]((https://github.com/GoogleChrome/lighthouse/blob/master/docs). - options: - - label: Yes, my issue is not about [variability](https://github.com/GoogleChrome/lighthouse/blob/master/docs/variability.md) or [throttling](https://github.com/GoogleChrome/lighthouse/blob/master/docs/throttling.md). - required: true - - label: Yes, my issue is not about a specific accessibility audit (file with [axe-core](https://github.com/dequelabs/axe-core) instead). - required: true - - type: input - id: url - attributes: - label: URL - description: What URL did you run Lighthouse on? If this happened locally, please upload a minimal repro to a public location (e.g. https://glitch.com/, http://jsbin.com/, etc) - placeholder: https://example.com - validations: - required: true - - type: textarea - id: what-happened - attributes: - label: What happened? - description: A brief description of the behavior you observed. - placeholder: Tell us what you saw! - validations: - required: true - - type: textarea - id: what-expected - attributes: - label: What did you expect? - description: A brief description of the behavior you _expected_. - placeholder: Tell us what you expected to see instead! - validations: - required: true - - type: textarea - id: what-debug - attributes: - label: What have you tried? - description: A brief description of the steps you have already taken to debug the behavior. - placeholder: Tell us what you've already tried to know it is a Lighthouse bug. - validations: - required: false - - type: dropdown - id: channels - attributes: - label: How were you running Lighthouse? 
- description: Where were you running Lighthouse when you observed this behavior? - multiple: true - options: - - CLI - - node - - PageSpeed Insights - - Chrome DevTools - - WebPageTest - validations: - required: true - - type: input - id: version - attributes: - label: Lighthouse Version - description: > - What version of Lighthouse were you using? The version of Lighthouse can be found at the bottom of every report. (Note: if using the CLI, you should be using the latest version, see https://github.com/GoogleChrome/lighthouse/releases) - validations: - required: true - - type: input - id: chromeversion - attributes: - label: Chrome Version - description: > - What version of Chrome were you using? (Only applicable if you ran locally using Node, the CLI or DevTools) (Note: you should be using at least the Stable version of Chrome, see https://chromiumdash.appspot.com/releases. If you are not on a recent version, first try upgrading Chrome.) - validations: - required: false - - type: input - id: nodeversion - attributes: - label: Node Version - description: > - What version of node.js were you using? (Only applicable to CLI and node) (Note: the minimum Node version we support is 14.15.0) - validations: - required: false - - type: input - id: os - attributes: - label: OS - description: > - What OS are you using? (Note: specific granularity not necessary, enough to say Windows / Mac / Linux, etc.) - validations: - required: false - - type: textarea - id: logs - attributes: - label: Relevant log output - description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks. - render: shell diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index 87ec304999c6..000000000000 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,16 +0,0 @@ - - -**Summary** - - - - - - - -**Related Issues/PRs** - 
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000000..db9902bde94f
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: '/'
+ schedule:
+ interval: monthly
+ open-pull-requests-limit: 50
+ labels:
+ - 'dependencies'
+ - 'gha'
diff --git a/.github/scripts/bump-nightly-version.sh b/.github/scripts/bump-nightly-version.sh
deleted file mode 100644
index fb9b1c48e755..000000000000
--- a/.github/scripts/bump-nightly-version.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-
-##
-# @license Copyright 2020 The Lighthouse Authors. All Rights Reserved.
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
-##
-
-set -euxo pipefail
-
-DATE=$(date --date=yesterday '+%Y%m%d')
-PATCH=$(node -e "console.log(require('./package.json').version)")
-node lighthouse-core/scripts/release/bump-versions.js "$PATCH-dev.$DATE"
diff --git a/.github/scripts/generate-devtools-hash.sh b/.github/scripts/generate-devtools-hash.sh
deleted file mode 100644
index adc8eb905313..000000000000
--- a/.github/scripts/generate-devtools-hash.sh
+++ /dev/null
@@ -1,24 +0,0 @@ -#!/usr/bin/env bash - -## -# @license Copyright 2021 The Lighthouse Authors. All Rights Reserved. -# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -## - -# Prints to stdout text that, when it changes, indicates that the devtools tests -# should be run again. - -SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -LH_ROOT="$SCRIPT_DIR/../.." -cd "$LH_ROOT" - -bash .github/scripts/print-devtools-relevant-commits.sh -md5 \ - .github/workflows/devtools.yml \ - build/build-bundle.js \ - build/build-dt-report-resources.js \ - clients/devtools-entry.js \ - report/**/*.js \ - lighthouse-core/test/chromium-web-tests/* \ - third-party/chromium-webtests/webtests/http/tests/devtools/lighthouse/*.js diff --git a/.github/scripts/git-get-shared-history.sh b/.github/scripts/git-get-shared-history.sh deleted file mode 100755 index 3d07bb2441d9..000000000000 --- a/.github/scripts/git-get-shared-history.sh +++ /dev/null 
@@ -1,81 +0,0 @@ -#!/usr/bin/env bash - -## -# @license Copyright 2020 The Lighthouse Authors. All Rights Reserved. -# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -## - -set -euxo pipefail - -# Overview: -# - build-tracker (https://lh-build-tracker.herokuapp.com/) relies on a common commit that's shared between HEAD and master. -# - Lighthouse runs on pull_request, not push, so the checkout is not the branch with shared history, but the result of a merge. -# - checkout@v2 uses a merge remote (eg. remotes/pull/9605/merge) that often has just a single commit. -# - This script creates a new branch that matches the current checkout, but does have a shared history. - -# See also -# - https://github.com/paularmstrong/build-tracker/issues/106 -# - https://github.com/paularmstrong/build-tracker/issues/200 - -if [[ -z "$BT_API_AUTH_TOKEN" ]]; then - echo "Build tracker auth token not available, skipping git deepening." - exit 0 -fi - -# We can always use some more history -git -c protocol.version=2 fetch --deepen=100 -echo "History is deepened." - -if git merge-base HEAD origin/master > /dev/null; then - echo "We have a common commit w/ origin/master. Skipping this script…"; - exit 0 -else - echo "We don't have a common commit w/ origin/master. 
We'll checkout the associated branch, merge master, and then we'll be good" -fi - -# get the human readable remote name -checkout_name=$(git describe --all --exact-match HEAD) - - -# We only want to keep going if it's a 'remotes/pull/{*}/merge' -if [[ $checkout_name != remotes/pull/*/merge ]]; then - echo "Don't know how to handle this checkout ($checkout_name). 🤔 Bailing."; - exit 0; -fi - -# Extract 9605 from 'remotes/pull/9605/merge' -pr_num=${checkout_name//[!0-9]/} - -lsremote_hash=$(git ls-remote origin "refs/pull/$pr_num/head" | cut -f1) - -if [ -z "$lsremote_hash" ]; then - echo "ls-remote failed to find this PR's branch. 🤔 Bailing."; - exit 0; -fi - -# Checkout our PR branch -git checkout --progress --force "$lsremote_hash" - -# Branch off, for safekeeping -mergebranch_name="_bt_mergebranch-$pr_num" -git checkout -b "$mergebranch_name" - -# Merge 'n commit -git -c "user.name=LH GH Action bot" -c "user.email=ghbot@lighthouse.repo" merge --no-verify \ - -m "Merge remote-tracking branch 'origin/master' into $mergebranch_name" origin/master - -# If there's a diff aginst where we started.. we fucked up -if git --no-pager diff --color=always --exit-code "$checkout_name" > /dev/null; then - echo "No diff, good!" -else - echo "Unexpected difference between $mergebranch_name and $checkout_name. Bailing"; - exit 0; -fi - -# Lastly, now we should definitely have a merge-base. -if git merge-base HEAD origin/master > /dev/null; then - echo "Merge-base found. Perfect. 👌" -else - echo "No diff, but still no merge-base. Very unexpected. 🤔" -fi diff --git a/.github/scripts/jest-retry.sh b/.github/scripts/jest-retry.sh deleted file mode 100644 index 2f902e98a079..000000000000 --- a/.github/scripts/jest-retry.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/usr/bin/env bash - -# Ex: bash jest-retry.sh yarn test-viewer - -## -# @license Copyright 2021 The Lighthouse Authors. All Rights Reserved. -# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -## - -set -euxo pipefail - -$* || $* --onlyFailures diff --git a/.github/scripts/print-devtools-relevant-commits.sh b/.github/scripts/print-devtools-relevant-commits.sh deleted file mode 100644 index 63bb90927409..000000000000 --- a/.github/scripts/print-devtools-relevant-commits.sh +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/usr/bin/env bash - -## -# @license Copyright 2021 The Lighthouse Authors. All Rights Reserved. -# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -## - -SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -LH_ROOT="$SCRIPT_DIR/../.." -CDT_DIR="$LH_ROOT/.tmp/chromium-web-tests/devtools/devtools-frontend" - -if [ -d "$CDT_DIR" ] -then - cd "$CDT_DIR" -elif [ -d "$LH_ROOT/.tmp/cdt-repo-for-hash/devtools-frontend" ] -then - cd "$LH_ROOT/.tmp/cdt-repo-for-hash/devtools-frontend" -else - mkdir -p "$LH_ROOT/.tmp/cdt-repo-for-hash" - cd "$LH_ROOT/.tmp/cdt-repo-for-hash" - git clone --depth=1 https://chromium.googlesource.com/devtools/devtools-frontend.git - cd devtools-frontend -fi - -git fetch -git --no-pager log -1 origin/main -- front_end/panels/lighthouse -git --no-pager log -1 origin/main -- front_end/third_party/lighthouse -git --no-pager log -1 origin/main -- front_end/entrypoints/lighthouse_worker diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml new file mode 100644 index 000000000000..b570ea8ae55f --- /dev/null +++ b/.github/workflows/actionlint.yml 
@@ -0,0 +1,26 @@
+name: actionlint
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - master
+ paths:
+ - ".github/**"
+
+jobs:
+ action-lint:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+ - name: Ensure SHA pinned actions
+ uses: centreon/github-actions-ensure-sha-pinned-actions@47d553c67ceb08ad660deaeb3b994e47a3dd8fc3 # v3.0.23.3
+ with:
+ allowlist: |
+ centreon/security-tools
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 5236c7da0eca..000000000000
--- a/.github/workflows/ci.yml
+++ /dev/null
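Review bot: The new actionlint.yml has no `permissions:` block, so the `action-lint` job runs with the repository's default `GITHUB_TOKEN` scope even though it only reads files. A top-level `permissions:` with `contents: read` is enough, and the checkout step can add `persist-credentials: false` under `with:` so the token is not left in the workspace git config. The `allowlist` exempts `centreon/security-tools` from the pinning check, and that is the same owner the new secu-*.yml workflows reference at `@main`, so the policy enforced here does not cover them. The workflow is named actionlint but no step in this hunk runs actionlint; either add that step or rename the workflow after the SHA-pin check it performs.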
@@ -1,74 +0,0 @@ -name: CI - -on: - push: - branches: [master] - pull_request: # run on all PRs, not just PRs to a particular branch - -jobs: - # `basics` includes all non-smoke and non-unit CI - basics: - runs-on: ubuntu-latest - - # A few steps are duplicated across all jobs. Can be done better when this feature lands: - # https://github.community/t/reusing-sharing-inheriting-steps-between-jobs-declarations/16851 - # https://github.com/actions/runner/issues/438 - steps: - - name: git clone - uses: actions/checkout@v2 - with: - fetch-depth: 100 - - run: bash lighthouse-core/scripts/github-actions-commit-range.sh - env: - GITHUB_CONTEXT_PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} - GITHUB_CONTEXT_BASE_SHA: ${{ github.event.before }} - - - name: Use Node.js 14.x - uses: actions/setup-node@v1 - with: - node-version: 14.x - - - run: yarn install --frozen-lockfile --network-timeout 1000000 - - run: yarn build-all - - # Run tests that require headfull Chrome. - - run: sudo apt-get install xvfb - - name: yarn test-clients - run: xvfb-run --auto-servernum bash $GITHUB_WORKSPACE/.github/scripts/jest-retry.sh yarn test-clients - - name: yarn test-docs - run: xvfb-run --auto-servernum yarn test-docs - - name: yarn test-viewer - run: xvfb-run --auto-servernum bash $GITHUB_WORKSPACE/.github/scripts/jest-retry.sh yarn test-viewer - - name: yarn test-treemap - run: xvfb-run --auto-servernum bash $GITHUB_WORKSPACE/.github/scripts/jest-retry.sh yarn test-treemap - - - run: yarn diff:sample-json - - run: yarn type-check - - run: yarn lint - - run: yarn test-lantern - - run: yarn test-legacy-javascript - - run: yarn i18n:checks - - run: yarn dogfood-lhci - - run: bash lighthouse-core/scripts/copy-util-commonjs.sh - - # Fail if any changes were written to any source files or generated untracked files (ex, from: build/build-cdt-lib.js). - - run: git add -A && git diff --cached --exit-code - - # buildtracker needs history and a common merge commit. 
- - name: Fixup git history (for buildtracker) - run: bash $GITHUB_WORKSPACE/.github/scripts/git-get-shared-history.sh - env: - # https://buildtracker.dev/docs/guides/github-actions#configuration - BT_API_AUTH_TOKEN: ${{ secrets.BT_API_AUTH_TOKEN }} - - name: Store in buildtracker - # TODO(paulirish): Don't allow this to fail the build. https://github.com/paularmstrong/build-tracker/issues/200 - run: yarn bt-cli upload-build || true - env: - # https://buildtracker.dev/docs/guides/github-actions#configuration - BT_API_AUTH_TOKEN: ${{ secrets.BT_API_AUTH_TOKEN }} - - - name: Upload dist - uses: actions/upload-artifact@v1 - with: - name: dist - path: dist/ diff --git a/.github/workflows/cron-weekly.yml b/.github/workflows/cron-weekly.yml deleted file mode 100644 index 688364ebe489..000000000000 --- a/.github/workflows/cron-weekly.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: Markdown Links Check -# runs every monday at 9 am -on: - schedule: - - cron: "0 9 * * 1" - -jobs: - check-links: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - uses: gaurav-nelson/github-action-markdown-link-check@v1 - # checks all markdown files from /docs including all subfolders - with: - use-quiet-mode: 'yes' - use-verbose-mode: 'yes' - config-file: '.github/workflows/markdown.links.config.json' - folder-path: 'docs/' - - uses: actions/checkout@master - - uses: gaurav-nelson/github-action-markdown-link-check@v1 - # checks all markdown files from root but ignores subfolders - with: - use-quiet-mode: 'yes' - use-verbose-mode: 'yes' - config-file: '.github/workflows/markdown.links.config.json' - max-depth: 0 - - up-to-date-with-chromium: - runs-on: ubuntu-latest - - steps: - - name: git clone - uses: actions/checkout@v2 - - name: Use Node.js 14.x - uses: actions/setup-node@v1 - with: - node-version: 14.x - - run: yarn --frozen-lockfile - - - run: yarn jest --testMatch="**/third-party/chromium-synchronization/*-test.js" 
diff --git a/.github/workflows/devtools.yml b/.github/workflows/devtools.yml deleted file mode 100644 index b2175ee3c85f..000000000000 --- a/.github/workflows/devtools.yml +++ /dev/null 
@@ -1,75 +0,0 @@ -name: DevTools - -on: - push: - branches: [master] - pull_request: # run on all PRs, not just PRs to a particular branch - -jobs: - integration: - runs-on: macos-latest # while macbots are much slower, linux reliably crashes running this - - steps: - - name: Set $DEPOT_TOOLS_PATH - run: echo "DEPOT_TOOLS_PATH=$GITHUB_WORKSPACE/depot-tools" >> $GITHUB_ENV - - name: Set $DEVTOOLS_PATH - run: echo "DEVTOOLS_PATH=$GITHUB_WORKSPACE/devtools-frontend" >> $GITHUB_ENV - - name: Set $BLINK_TOOLS_PATH - run: echo "BLINK_TOOLS_PATH=$GITHUB_WORKSPACE/blink_tools" >> $GITHUB_ENV - - name: Set $PATH - run: echo "$DEPOT_TOOLS_PATH" >> $GITHUB_PATH - - - name: git clone - uses: actions/checkout@v2 - with: - path: lighthouse - - - name: Generate cache hash - run: bash $GITHUB_WORKSPACE/lighthouse/.github/scripts/generate-devtools-hash.sh > cdt-test-hash.txt - - name: Cache depot tools, devtools, blink tools and content shell - uses: actions/cache@v2 - with: - path: | - ${{ env.DEPOT_TOOLS_PATH }} - ${{ env.DEVTOOLS_PATH }} - ${{ env.BLINK_TOOLS_PATH }} - ${{ github.workspace }}/lighthouse/.tmp/chromium-web-tests/content-shells - # The number is how many times this hash key was manually updated to break the cache. 
- key: ${{ runner.os }}-2-${{ hashFiles('cdt-test-hash.txt') }} - - - name: Use Node.js 14.x - uses: actions/setup-node@v1 - with: - node-version: 14.x - - - run: yarn --frozen-lockfile - working-directory: ${{ github.workspace }}/lighthouse - - run: yarn build-report - working-directory: ${{ github.workspace }}/lighthouse - - run: yarn build-devtools - working-directory: ${{ github.workspace }}/lighthouse - - - name: Download depot tools - run: bash $GITHUB_WORKSPACE/lighthouse/lighthouse-core/test/chromium-web-tests/download-depot-tools.sh - - name: Download DevTools Frontend - run: bash $GITHUB_WORKSPACE/lighthouse/lighthouse-core/test/chromium-web-tests/download-devtools.sh - - name: Download Blink Tools - run: bash $GITHUB_WORKSPACE/lighthouse/lighthouse-core/test/chromium-web-tests/download-blink-tools.sh - - name: Download Content Shell - run: bash $GITHUB_WORKSPACE/lighthouse/lighthouse-core/test/chromium-web-tests/download-content-shell.sh - - - name: Install python deps - run: pip install six requests - - - name: Run Web Tests - run: bash $GITHUB_WORKSPACE/lighthouse/lighthouse-core/test/chromium-web-tests/run-web-tests.sh - - - name: Print diff - if: failure() - run: find "$GITHUB_WORKSPACE/lighthouse/.tmp/layout-test-results/retry_3" -name '*-diff.txt' -exec cat {} \; - - name: Upload results - uses: actions/upload-artifact@v2 - if: failure() - with: - name: results - path: ${{ github.workspace }}/lighthouse/.tmp/layout-test-results diff --git a/.github/workflows/issue-assigner.yml b/.github/workflows/issue-assigner.yml deleted file mode 100644 index 3982d139a8e1..000000000000 --- a/.github/workflows/issue-assigner.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: 'Issue assigner' -on: - issues: - types: [opened] -jobs: - assign: - runs-on: ubuntu-latest - steps: - - uses: patrickhulce/issue-assigner@eeec7a10bd3c02f02d2284fc82a8adabdc001869 - with: - GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}' - maintainers: 'paulirish,connorjclark,adamraine,brendankenny' 
diff --git a/.github/workflows/markdown.links.config.json b/.github/workflows/markdown.links.config.json deleted file mode 100644 index c209480ab842..000000000000 --- a/.github/workflows/markdown.links.config.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "ignorePatterns": [ - { - "pattern": "^http://www.tmeter.ru" - }, - { - "pattern": "https://github.com/GoogleChrome/lighthouse/workflows/\uD83D\uDCA1\uD83C\uDFE0/badge.svg" - } - ] -} diff --git a/.github/workflows/package-test.yml b/.github/workflows/package-test.yml deleted file mode 100644 index e977cbc826f4..000000000000 --- a/.github/workflows/package-test.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: package-test - -on: - push: - branches: [master] - pull_request: # run on all PRs, not just PRs to a particular branch - -jobs: - package-test: - runs-on: ubuntu-latest - name: Package Test - - steps: - - name: git clone - uses: actions/checkout@v2 - - - name: Use Node.js 14.x - uses: actions/setup-node@v1 - with: - node-version: 14.x - - - run: yarn install --frozen-lockfile --network-timeout 1000000 - - run: yarn build-report - - run: sudo apt-get install xvfb - - - run: xvfb-run --auto-servernum bash $GITHUB_WORKSPACE/lighthouse-core/scripts/release/package-test.sh - - # Fail if any changes were written to source files. - - run: git diff --exit-code diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml deleted file mode 100644 index 8fcd9f5dfb35..000000000000 --- a/.github/workflows/publish.yml +++ /dev/null 
@@ -1,28 +0,0 @@
-name: Publish nightly
-on:
- schedule:
- - cron: '0 5 * * *'
- workflow_dispatch: {}
-
-jobs:
- publish:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v1
- - uses: actions/setup-node@v1
- with:
- node-version: 14.x
- registry-url: https://registry.npmjs.org/
- - run: yarn --frozen-lockfile
-
- # Build report bundles needed for publishing.
- - run: yarn build-report
-
- - name: Publish to npm
- run: |
- npm whoami
- bash $GITHUB_WORKSPACE/.github/scripts/bump-nightly-version.sh
- npm publish --tag next
- env:
- NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
- CI: true
diff --git a/.github/workflows/secu-dependency-scan.yml b/.github/workflows/secu-dependency-scan.yml
new file mode 100644
index 000000000000..5f9dc58fb93a
--- /dev/null
+++ b/.github/workflows/secu-dependency-scan.yml
@@ -0,0 +1,17 @@
+name: dependency-scan
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+
+on:
+ pull_request:
+ paths:
+ - '**'
+ - '!lib/crates/**'
+ - '!tests/**'
+
+ workflow_dispatch:
+
+jobs:
+ dependency-scan:
+ uses: centreon/security-tools/.github/workflows/dependency-analysis.yml@main
diff --git a/.github/workflows/secu-secret-scan.yml b/.github/workflows/secu-secret-scan.yml
new file mode 100644
index 000000000000..b6dc4bb06ebc
--- /dev/null
+++ b/.github/workflows/secu-secret-scan.yml
@@ -0,0 +1,12 @@
+name: secrets-scan
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ secrets-scan:
+ uses: centreon/security-tools/.github/workflows/gitleaks-analysis.yml@main
diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
deleted file mode 100644
index 95d04f4f69da..000000000000
--- a/.github/workflows/smoke.yml
+++ /dev/null
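Review bot: Both new callers reference their reusable workflow by a mutable branch, `dependency-analysis.yml@main` in secu-dependency-scan.yml and `gitleaks-analysis.yml@main` in secu-secret-scan.yml, so whatever is on that branch at run time executes in this repository's CI without review here. Pin each to a full commit SHA with the release in a trailing comment, as actionlint.yml does for its actions: `uses: centreon/security-tools/.github/workflows/dependency-analysis.yml@<full-commit-sha> # <tag>`. Neither caller declares `permissions:`, which is what caps the token the called workflow receives; add the minimum each scan needs (probably `contents: read`, to be confirmed against the called workflow). In secu-dependency-scan.yml the `'!lib/crates/**'` and `'!tests/**'` filters mean a pull request touching only those paths skips the scan, and since neither directory appears in this diff it is worth checking that the exclusions fit this repository.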
@@ -1,167 +0,0 @@ -name: smoke - -on: - push: - branches: [master] - pull_request: # run on all PRs, not just PRs to a particular branch - -jobs: - # `smoke` runs as a matrix across 4 jobs: - # * The smoke tests are split into two batches, to parallelize. - # * Then, those are run with both Chrome stable and ToT Chromium, in parallel - smoke: - strategy: - matrix: - chrome-channel: ['stable', 'ToT'] - smoke-test-shard: [1, 2] - # e.g. if set 1 fails, continue with set 2 anyway - fail-fast: false - runs-on: ubuntu-latest - env: - # The total number of shards. Set dynamically when length of single matrix variable is - # computable. See https://github.community/t/get-length-of-strategy-matrix-or-get-all-matrix-options/18342 - SHARD_TOTAL: 2 - # Job named e.g. "Chrome stable, batch 1". - name: Chrome ${{ matrix.chrome-channel }}, batch ${{ matrix.smoke-test-shard }} - - steps: - - name: git clone - uses: actions/checkout@v2 - with: - # Depth of at least 2 for codecov coverage diffs. See https://github.com/GoogleChrome/lighthouse/pull/12079 - fetch-depth: 2 - - - name: Use Node.js 14.x - uses: actions/setup-node@v1 - with: - node-version: 14.x - - - name: Define ToT chrome path - if: matrix.chrome-channel == 'ToT' - run: echo "CHROME_PATH=/home/runner/chrome-linux-tot/chrome" >> $GITHUB_ENV - - # Chrome Stable is already installed by default. 
- - name: Install Chrome ToT - if: matrix.chrome-channel == 'ToT' - working-directory: /home/runner - run: bash $GITHUB_WORKSPACE/lighthouse-core/scripts/download-chrome.sh && mv chrome-linux chrome-linux-tot - - - run: yarn install --frozen-lockfile --network-timeout 1000000 - - run: yarn build-report - - run: yarn reset-link - - - run: sudo apt-get install xvfb - - name: Run smoke tests - run: | - xvfb-run --auto-servernum yarn c8 yarn smoke --debug -j=1 --retries=2 --shard=${{ matrix.smoke-test-shard }}/$SHARD_TOTAL - yarn c8 report --reporter text-lcov > smoke-coverage.lcov - - - name: Upload test coverage to Codecov - if: matrix.chrome-channel == 'ToT' - uses: codecov/codecov-action@6004246f47ab62d32be025ce173b241cd84ac58e - with: - flags: smoke - file: ./smoke-coverage.lcov - - # Fail if any changes were written to source files. - - run: git diff --exit-code - - - name: Upload dist - if: failure() - uses: actions/upload-artifact@v1 - with: - name: Smokehouse (ubuntu; chrome ${{ matrix.chrome-channel }}) - path: .tmp/smokehouse-ci-failures/ - - # Only run smoke tests for windows against stable chrome. - smoke-windows: - runs-on: windows-latest - name: Windows - - steps: - - name: git clone - uses: actions/checkout@v2 - - - name: Use Node.js 14.x - uses: actions/setup-node@v1 - with: - node-version: 14.x - - - run: yarn install --frozen-lockfile --network-timeout 1000000 - - run: yarn build-report - - - name: Run smoke tests - # Windows bots are slow, so only run enough tests to verify matching behavior. - run: yarn smoke --debug -j=1 --retries=2 dbw oopif offline lantern metrics - - # Fail if any changes were written to source files. 
- - run: git diff --exit-code - - - name: Upload dist - if: failure() - uses: actions/upload-artifact@v1 - with: - name: Smokehouse (windows) - path: .tmp/smokehouse-ci-failures/ - - smoke-fr: - runs-on: ubuntu-latest - name: Fraggle Rock - - steps: - - name: git clone - uses: actions/checkout@v2 - - - name: Use Node.js 14.x - uses: actions/setup-node@v1 - with: - node-version: 14.x - - - run: yarn install --frozen-lockfile --network-timeout 1000000 - - run: yarn build-report - - run: yarn reset-link - - - run: sudo apt-get install xvfb - - name: yarn smoke --fraggle-rock - run: xvfb-run --auto-servernum yarn smoke --debug --fraggle-rock -j=1 --retries=2 --invert-match pwa offline - - # Fail if any changes were written to source files. - - run: git diff --exit-code - - - name: Upload dist - if: failure() - uses: actions/upload-artifact@v1 - with: - name: Smokehouse (fr) - path: .tmp/smokehouse-ci-failures/ - - smoke-bundle: - runs-on: ubuntu-latest - name: Bundled Lighthouse - - steps: - - name: git clone - uses: actions/checkout@v2 - - - name: Use Node.js 14.x - uses: actions/setup-node@v1 - with: - node-version: 14.x - - - run: yarn install --frozen-lockfile --network-timeout 1000000 - - run: yarn build-report - - run: yarn build-devtools - - - run: sudo apt-get install xvfb - - name: yarn test-bundle - run: xvfb-run --auto-servernum yarn test-bundle - - # Fail if any changes were written to source files. - - run: git diff --exit-code - - - name: Upload dist - if: failure() - uses: actions/upload-artifact@v1 - with: - name: Smokehouse (bundled) - path: .tmp/smokehouse-ci-failures/ diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml deleted file mode 100644 index 60281c7eb779..000000000000 --- a/.github/workflows/unit.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -name: unit - -on: - push: - branches: [master] - pull_request: # run on all PRs, not just PRs to a particular branch - -jobs: - # `unit` includes just unit and proto tests. - unit: - strategy: - matrix: - node: ['14', '16', '17'] - runs-on: ubuntu-latest - name: node ${{ matrix.node }} - env: - LATEST_NODE: '17' - - steps: - - name: git clone - uses: actions/checkout@v2 - with: - # Depth of at least 2 for codecov coverage diffs. See https://github.com/GoogleChrome/lighthouse/pull/12079 - fetch-depth: 2 - - - name: Use Node.js ${{ matrix.node }} - uses: actions/setup-node@v1 - with: - node-version: ${{ matrix.node }} - - - name: Set up protoc - uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 - with: - version: '3.7.1' - repo-token: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up Python - uses: actions/setup-python@v1 - with: - python-version: 2.7 - - name: Install Python dependencies - run: | - python -m pip install --upgrade pip - pip install protobuf==3.7.1 - - - run: yarn install --frozen-lockfile --network-timeout 1000000 - - run: yarn build-report - - - run: yarn test-proto # Run before unit-core because the roundtrip json is needed for proto tests. - - - run: sudo apt-get install xvfb - - - name: yarn unit - if: ${{ matrix.node != env.LATEST_NODE }} - run: xvfb-run --auto-servernum yarn unit:ci - - # Only gather coverage on latest node, where c8 is the most accurate. - - name: yarn unit:coverage - if: ${{ matrix.node == env.LATEST_NODE }} - run: | - xvfb-run --auto-servernum yarn unit:cicoverage - yarn c8 report --reporter text-lcov > unit-coverage.lcov - - name: Upload test coverage to Codecov - if: ${{ matrix.node == env.LATEST_NODE }} - uses: codecov/codecov-action@6004246f47ab62d32be025ce173b241cd84ac58e - with: - flags: unit - file: ./unit-coverage.lcov - - # For windows, just test the potentially platform-specific code. 
- unit-windows:
- runs-on: windows-latest
- name: Windows
-
- steps:
- - name: git clone
- uses: actions/checkout@v2
-
- - name: Use Node.js 14.x
- uses: actions/setup-node@v1
- with:
- node-version: 14.x
-
- - run: yarn install --frozen-lockfile --network-timeout 1000000
- - run: yarn build-report
-
- - name: yarn unit-cli
- run: yarn unit-cli
- - run: yarn diff:sample-json
-
- # Fail if any changes were written to any source files or generated untracked files (ex, from -GA).
- - run: git add -A && git diff --cached --exit-code
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 000000000000..65c408873152
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,22 @@
+title = "Gitleaks custom rules"
+
+[extend]
+useDefault = true
+
+[allowlist]
+paths = [
+ '''node_modules\/''',
+ '''vendor\/''',
+ '''(.*?)\.rptlibrary''',
+ '''package\.json''',
+ '''package-lock\.json''',
+ '''composer\.json''',
+ '''composer\.lock''',
+ '''\.gitleaks\.toml$''',
+ '''(.*?)(jpg|gif|doc|pdf|bin)$'''
+]
+
+regexTarget = "match"
+regexes = [
+ '''ABCDEFG1234567890'''
+]
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 000000000000..e69de29bb2d1
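Review bot: The last `paths` entry in .gitleaks.toml, `'''(.*?)(jpg|gif|doc|pdf|bin)$'''`, has no dot before the extension group, so it exempts any path that merely ends in those letters, such as a script named `bin`, rather than only those file types. `'''\.(jpg|gif|doc|pdf|bin)$'''` is probably what was meant. `'''package\.json'''` and `'''composer\.json'''` are unanchored and take those hand-edited manifests out of scanning entirely, although a registry token or a repository URL with embedded credentials can land there. Consider allowlisting only the lock files, whose integrity hashes are the usual source of false positives. The `ABCDEFG1234567890` entry under `regexes` looks like a placeholder, so remove it or add a comment naming the known-safe value it stands for.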