[RND-671] Fix Meadowlark CodeQL scan (#325)

* Add flag to collect coverage on unit tests * Removing vulnerability * Rename job * v0.4.0-pre.2 * Reorganize in PR steps * Updating codeql action version * Adding PR comment --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Ed-Fi-Exchange-OSS · Nov 16, 2023 · 0c08a8f · 0c08a8f
1 parent 0727d95
commit 0c08a8f
Show file tree

Hide file tree

Showing 13 changed files with 273 additions and 178 deletions.
diff --git a/.github/workflows/on-pullrequest.yml b/.github/workflows/on-pullrequest.yml
@@ -29,10 +29,56 @@ jobs:
     name: Scan Actions
     uses: ed-fi-alliance-oss/ed-fi-actions/.github/workflows/repository-scanner.yml@main
 
+  upgrade:
+    # Upgrade packages on PR only to avoid a double update when pushed to main
+    name: Upgrade packages
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: Meadowlark-js
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout the Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0w
+
+      - name: Get changes
+        id: changes
+        run: |
+          suggested=v$(cat lerna.json | jq -r .version)
+          current=$(git describe --tags $(git rev-list --tags --max-count=1))
+          echo "Versions: Lerna: $suggested. Current: $current"
+          echo "changes=$([[ "$suggested" != "$current" ]] && echo true)" >>$GITHUB_OUTPUT
+
+      - name: Update versions
+        if: ${{ ! steps.changes.outputs.changes }}
+        run: npx [email protected] version prerelease --exact --no-git-tag-version --yes
+
+      - name: Set Version
+        if: ${{ ! steps.changes.outputs.changes }}
+        id: set-version
+        run: |
+          version=v$(cat lerna.json | jq -r .version)
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+
+      - uses: planetscale/ghcommit-action@4131649dbf2fdf1eb34421702972a5af7b0a8731 #v0.1.18
+        if: ${{ ! steps.changes.outputs.changes }}
+        with:
+          commit_message: "${{steps.set-version.outputs.version}}"
+          repo: ${{ github.repository }}
+          branch: ${{ github.head_ref || github.ref_name }}
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
   analyze-dependencies:
     # This Action will fail if run on anything other than a pull request
     if: github.event_name == 'pull_request'
     name: Analyze Code Dependencies
+    # Not mandatory, but better for this to go after the upgrade since it can change the code.
+    needs: upgrade
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -48,6 +94,8 @@ jobs:
 
   analyze-code:
     name: Analyze Code
+    # Not mandatory, but better for this to go after the upgrade since it can change the code.
+    needs: upgrade
     runs-on: ubuntu-latest
     env:
       SRC_DIR: Meadowlark-js
@@ -79,16 +127,17 @@ jobs:
         run: npm install
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.11.6
+        uses: github/codeql-action/init@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.15.2
         with:
           languages: "typescript"
           setup-python-dependencies: false
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.11.6
+        uses: github/codeql-action/analyze@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.15.2
 
   lint:
     name: Lint
+    needs: upgrade
     runs-on: ubuntu-latest
 
     steps:
@@ -116,49 +165,6 @@ jobs:
       - name: Linter
         run: npm run test:lint
 
-  upgrade:
-    # Upgrade packages on PR only to avoid a double update when pushed to main
-    name: Upgrade packages
-    if: github.event_name == 'pull_request'
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: Meadowlark-js
-    permissions:
-      contents: write
-    steps:
-      - name: Checkout the Repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0w
-
-      - name: Get changes
-        id: changes
-        run: |
-          suggested=v$(cat lerna.json | jq -r .version)
-          current=$(git describe --tags $(git rev-list --tags --max-count=1))
-          echo "changes=$([[ "$suggested" != "$current" ]] && echo true)" >>$GITHUB_OUTPUT
-
-      - name: Update versions
-        if: ${{ ! steps.changes.outputs.changes }}
-        run: npx [email protected] version prerelease --exact --no-git-tag-version --yes
-
-      - name: Set Version
-        if: ${{ ! steps.changes.outputs.changes }}
-        id: set-version
-        run: |
-          version=v$(cat lerna.json | jq -r .version)
-          echo "version=$version" >> "$GITHUB_OUTPUT"
-
-      - uses: planetscale/ghcommit-action@4131649dbf2fdf1eb34421702972a5af7b0a8731 #v0.1.18
-        if: ${{ ! steps.changes.outputs.changes }}
-        with:
-          commit_message: "${{steps.set-version.outputs.version}}"
-          repo: ${{ github.repository }}
-          branch: ${{ github.head_ref || github.ref_name }}
-        env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-
   build:
     name: Build
     needs: lint

diff --git a/Meadowlark-js/backends/meadowlark-elasticsearch-backend/package.json b/Meadowlark-js/backends/meadowlark-elasticsearch-backend/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@edfi/meadowlark-elasticsearch-backend",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.1",
+  "version": "0.4.0-pre.2",
   "description": "Meadowlark backend plugin for elasticsearch",
   "license": "Apache-2.0",
   "publishConfig": {
@@ -19,8 +19,8 @@
     "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
   },
   "dependencies": {
-    "@edfi/meadowlark-core": "0.4.0-pre.1",
-    "@edfi/meadowlark-utilities": "0.4.0-pre.1",
+    "@edfi/meadowlark-core": "0.4.0-pre.2",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.2",
     "@elastic/elasticsearch": "^8.10.0",
     "@elastic/transport": "^8.3.4"
   },

diff --git a/Meadowlark-js/backends/meadowlark-mongodb-backend/package.json b/Meadowlark-js/backends/meadowlark-mongodb-backend/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@edfi/meadowlark-mongodb-backend",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.1",
+  "version": "0.4.0-pre.2",
   "description": "Meadowlark backend plugin for MongoDB",
   "license": "Apache-2.0",
   "publishConfig": {
@@ -19,9 +19,9 @@
     "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
   },
   "dependencies": {
-    "@edfi/meadowlark-authz-server": "0.4.0-pre.1",
-    "@edfi/meadowlark-core": "0.4.0-pre.1",
-    "@edfi/meadowlark-utilities": "0.4.0-pre.1",
+    "@edfi/meadowlark-authz-server": "0.4.0-pre.2",
+    "@edfi/meadowlark-core": "0.4.0-pre.2",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.2",
     "async-retry": "^1.3.3",
     "mongodb": "^5.9.0",
     "ramda": "0.29.1"

diff --git a/Meadowlark-js/backends/meadowlark-opensearch-backend/package.json b/Meadowlark-js/backends/meadowlark-opensearch-backend/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@edfi/meadowlark-opensearch-backend",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.1",
+  "version": "0.4.0-pre.2",
   "description": "Meadowlark backend plugin for OpenSearch",
   "license": "Apache-2.0",
   "publishConfig": {
@@ -19,8 +19,8 @@
     "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
   },
   "dependencies": {
-    "@edfi/meadowlark-core": "0.4.0-pre.1",
-    "@edfi/meadowlark-utilities": "0.4.0-pre.1",
+    "@edfi/meadowlark-core": "0.4.0-pre.2",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.2",
     "@opensearch-project/opensearch": "^2.4.0"
   },
   "devDependencies": {

diff --git a/Meadowlark-js/backends/meadowlark-postgresql-backend/package.json b/Meadowlark-js/backends/meadowlark-postgresql-backend/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@edfi/meadowlark-postgresql-backend",
   "main": "dist/index.js",
-  "version": "0.4.0-pre.1",
+  "version": "0.4.0-pre.2",
   "description": "Meadowlark backend plugin for PostgreSQL",
   "license": "Apache-2.0",
   "publishConfig": {
@@ -19,9 +19,9 @@
     "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
   },
   "dependencies": {
-    "@edfi/meadowlark-authz-server": "0.4.0-pre.1",
-    "@edfi/meadowlark-core": "0.4.0-pre.1",
-    "@edfi/meadowlark-utilities": "0.4.0-pre.1",
+    "@edfi/meadowlark-authz-server": "0.4.0-pre.2",
+    "@edfi/meadowlark-core": "0.4.0-pre.2",
+    "@edfi/meadowlark-utilities": "0.4.0-pre.2",
     "pg": "^8.11.3",
     "pg-format": "^1.0.4",
     "ramda": "0.29.1"

diff --git a/Meadowlark-js/lerna.json b/Meadowlark-js/lerna.json
@@ -3,7 +3,7 @@
   "packages": [
     "packages/*"
   ],
-  "version": "0.4.0-pre.1",
+  "version": "0.4.0-pre.2",
   "npmClient": "npm",
   "useWorkspaces": true
 }