GitHub Actions Workflows
Contents
GitHub Actions provide a great way to automate all parts of your development workflow. I often use the same workflows between open-source projects I work on. I’ve added the workflow configs below so feel free to copy and paste them to your projects.
CodeQL
CodeQL is GitHub’s code security checking engine and this action runs a repository’s source code to find security vulnerabilities. It then displays the results in the repository’s security tab.
Note: This is only available for public repositories (or private repositories that have GitHub Advanced Security licensed)Code snippet
name: "CodeQL"
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'javascript' ]
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
Dependency Review
This one scans your pull requests for dependency changes and will raise an error if any newly added dependencies have existing vulnerabilities.
Note: This is only available for public repositories (or private repositories that have GitHub Advanced Security licensed)Code snippet
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v1
cSpell (Spellcheck)
I’ve been happily using the VS Code extension
of this for many years. The GitHub Action workflow is good for helping catch typos from contributors at the pull request stage. I recommend adding a cspell.json
config to your projects root, adding any false-positives to the dictionary and checking it in to git.Code snippet
name: 'Check spelling'
on: # rebuild any PRs and main branch changes
pull_request:
branches-ignore:
- "dependabot/**"
permissions:
contents: read
jobs:
spellcheck: # run the action
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: streetsidesoftware/cspell-action@v1
with:
inline: warning
strict: false
incremental_files_only: true
Test
If you have a test script defined in your package.json
then you can set this to run on every PR.Code snippet
name: Lint
on:
push:
branches-ignore:
- "dependabot/**"
pull_request:
env:
FORCE_COLOR: 2
NODE: 16
permissions:
contents: read
jobs:
lint:
runs-on: ubuntu-latest
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: "${{ env.NODE }}"
cache: npm
- name: Install npm dependencies
run: npm ci
- name: Lint
run: npm run lint
Super Linter
This project from the folks at GitHub bundles a huge number of linters. You can tweak the linting configs or disable linting for a particular type. I recommend including this even if you have a test GitHub Action as above as Super Linter can test for additional files such as GitHub Actions.Code snippet
name: Lint Code Base
on:
push:
branches-ignore:
- "dependabot/**"
permissions:
contents: read
jobs:
build:
name: Lint Code Base
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Lint Code Base
uses: github/super-linter/slim@v4
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: main
JAVASCRIPT_DEFAULT_STYLE: prettier
VALIDATE_MARKDOWN: false
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Wrap up
I recommend to always keep a dependabot.yml
config file in your repo’s .github
directory with something like the below to ensure you get PRs to update to any new versions of GitHub Actions as they become available.
version: 2
updates:
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: monthly
I personally like to have them set on a monthly schedule to cut down on noise but you can change that to daily or weekly.
You can do so much more with GitHub Actions - check the Advanced workflow features docs on GitHub for more ideas.