fix(deps): Require at least nokogiri 1.16.2 to avoid CVE-2024-25062 #43
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Dev | |
on: | |
pull_request: | |
types: [opened, reopened, synchronize] | |
permissions: | |
contents: read | |
jobs: | |
setup_pr: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
issues: write | |
pull-requests: write | |
# Dependabot no longer have access to secrets unless we move to pull_request_target. | |
# Read more: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions | |
if: ${{ github.actor != 'dependabot[bot]' }} | |
steps: | |
# Remove review_ready label when new commit push to PR | |
- name: Remove review_ready label | |
if: ${{ contains(github.event.pull_request.labels.*.name, 'review_ready') }} | |
uses: actions/github-script@v7 | |
with: | |
# Fallback to github action token with limited access | |
# when DevOps token isn't available this happens on dependabot. | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.issues.removeLabel({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
name: 'review_ready' | |
}) | |
# Add wip label when new commit push to PR | |
- name: Add wip label | |
if: ${{ !contains(github.event.pull_request.labels.*.name, 'wip') }} | |
uses: actions/github-script@v7 | |
with: | |
# Fallback to github action token with limited access | |
# when DevOps token isn't available this happens on dependabot. | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
github.rest.issues.addLabels({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
labels: ['wip'] | |
}) | |
rubocop: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/cache@v3 | |
with: | |
path: vendor/bundle | |
key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }} | |
restore-keys: | | |
${{ runner.os }}-gems- | |
- name: Set up Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: '3.0' | |
bundler-cache: false | |
- name: Install dependencies | |
run: bundle install --jobs 4 --retry 3 | |
- name: Run RuboCop | |
run: bundle exec rubocop --parallel | |
codespell: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: 3.8 | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install codespell | |
if [ -f requirements.txt ]; then pip install -r requirements.txt; fi | |
- name: Check spelling with codespell | |
run: codespell --ignore-words=codespell.txt || exit 1 | |
unit_test: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
gemfile: | |
- rails_5.2_stable | |
- rails_6.0_stable | |
- rails_6.1_stable | |
- rails_7.0_stable | |
- rails_7.1_stable | |
- rails_edge | |
ruby: ['2.7', '3.0', '3.1', '3.2', '3.3'] | |
exclude: | |
- ruby: '3.0' | |
gemfile: rails_5.2_stable | |
- ruby: '3.1' | |
gemfile: rails_5.2_stable | |
- ruby: '3.2' | |
gemfile: rails_5.2_stable | |
- ruby: '3.3' | |
gemfile: rails_5.2_stable | |
- ruby: '2.7' | |
gemfile: rails_edge | |
- ruby: '3.0' | |
gemfile: rails_edge | |
env: | |
BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/${{ matrix.gemfile }}.gemfile | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: ${{ matrix.ruby }} | |
bundler-cache: true | |
- name: Suppress git warnings | |
run: git config --global init.defaultBranch main | |
- name: Run RSpec | |
run: bundle exec rspec | |
- name: Coveralls Parallel | |
uses: coverallsapp/github-action@v2 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
flag-name: unit-ruby-${{matrix.ruby }}-${{ matrix.gemfile }} | |
parallel: true | |
path-to-lcov: ./coverage/lcov/devise_auth0.lcov | |
finish: | |
needs: unit_test | |
runs-on: ubuntu-latest | |
steps: | |
- name: Upload coverage to Coveralls | |
uses: coverallsapp/github-action@v2 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
parallel-finished: true | |
file: ./coverage/lcov/devise_auth0.lcov |