From dc10bd19becc8651b48eebba357f07d13c96f2bd Mon Sep 17 00:00:00 2001 
From: Evan Sims
Date: Tue, 29 Aug 2023 03:17:04 -0500
Subject: [PATCH] test: Improvements to CI Workflows (#1128)

### Changes

This pull request updates our continuous integration workflows. It (in part) mirrors [improvements made to the Lock repository](https://github.com/auth0/lock/pull/2438).

#### codeql.yml

- Updated `pull_request` type triggers to use a narrower scope (avoids unnecessary runs) and apply to all branches.
- Updated `push` branch triggers to be more concise (uses the `v*` wildcard.)
- Added concurrency check (cancels redundant in-progress runs.)
- Updated to skip unnecessary runs on Dependabot PRs and re-runs on merge group queues.

#### publish.yml

- Fixed the `NODE_VERSION` environment variable reference.

#### semgrep.yml

- Updated to skip unnecessary runs on Dependabot PRs and re-runs on merge group queues.
- Updated name to use "Check for Vulnerabilities" for clarity in branch protection filters.
- Added concurrency check (cancels redundant in-progress runs.)

#### snyk.yml

- Added workflow to trigger Snyk security checks. We previously used webhooks to trigger these checks, but this method is incompatible with GitHub's merge queue feature. This approach allows us to use the feature, as well as to autonomously run checks on a set schedule as we do in other repositories.

#### test.yml

- Moves the Codecov coverage upload step into the unit test step (fixes coverage not being available during the build step.)

### References

Updates based on internal feedback and conversations.

### Testing

This pull request applies improvements to the continuous integration testing for the repository but does not add additional tests.
### Checklist

- [x] I have read the [Auth0 general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
- [x] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
- [x] All code quality tools/guidelines have been run/followed
---
 .github/workflows/codeql.yml | 18 +++++++++++---
 .github/workflows/publish.yml | 3 +++
 .github/workflows/semgrep.yml | 12 ++++++---
 .github/workflows/snyk.yml | 47 +++++++++++++++++++++++++++++++++++
 .github/workflows/test.yml | 6 ++---
 5 files changed, 77 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/snyk.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 46f73bb77..a1ebd1045 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,10 +2,15 @@ name: CodeQL
 
 on:
   merge_group:
-  push:
-    branches: ['master', 'beta', 'v1']
   pull_request:
-    branches: ['master']
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+      - beta
+      - v*
   schedule:
     - cron: '56 12 * * 1'
 
@@ -14,6 +19,10 @@ permissions:
   contents: read
   security-events: write
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
 jobs:
   analyze:
     name: Analyze
@@ -25,6 +34,9 @@ jobs:
         language: [javascript]
 
     steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
       - name: Checkout
         uses: actions/checkout@v3
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e9fb8ef80..178996ea8 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
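Review bot: The new `pull_request.types` list omits `reopened`, so it is narrower than the default activity types (`opened`, `synchronize`, `reopened`) that the previous `branches: ['master']` trigger relied on; a PR that is closed and reopened gets no fresh CodeQL run until it receives a push, which matters because the comment added further down in this file calls this a required check for branch protection. Add `- reopened` to the list unless dropping it is intentional, in which case the PR description should say so. The `v*` entry under `push.branches` is a plain scalar that YAML keeps as the string `v*`, so it needs no quoting.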
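Review bot: The step added at the top of the `analyze` job does not skip the run: `run: exit 0` ends only that step, and the Checkout and CodeQL steps after it still execute for Dependabot and merge-group events, so the comment's promise to skip (and its `Artifically`, which should read `Artificially`) is not kept. The same step is added to the `run` job in semgrep.yml and the `check` job in snyk.yml, and in semgrep.yml it also replaces the removed job-level `if: (github.actor != 'dependabot[bot]')`, so Dependabot PRs that were skipped before now run Semgrep. To skip for real, put the negated condition on the job, `if: github.actor != 'dependabot[bot]' && github.event_name != 'merge_group'` directly under `analyze:`, or repeat it on each later step. I believe a job skipped by `if:` is reported as passing to branch protection, which is what the `exit 0` was emulating, but confirm that on a protected branch before relying on it. The rest of the `analyze` job lies outside the hunk.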
@@ -13,6 +13,9 @@ permissions:
   contents: read
   packages: write
 
+env:
+  NODE_VERSION: 18
+
 jobs:
   publish-npm:
     name: 'NPM'
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index b96202dde..fb38c7658 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -15,25 +15,31 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
 jobs:
   authorize:
     name: Authorize
-    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
     runs-on: ubuntu-latest
     steps:
       - run: true
 
   run:
-    if: (github.actor != 'dependabot[bot]')
     needs: authorize # Require approval before running on forked pull requests
 
-    name: Run
+    name: Check for Vulnerabilities
     runs-on: ubuntu-latest
 
     container:
       image: returntocorp/semgrep
 
     steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
       - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
new file mode 100644
index 000000000..c05feffbf
--- /dev/null
+++ b/.github/workflows/snyk.yml
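Review bot: `cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}` in the new `concurrency` block is always false for pull requests in this workflow, because it runs on `pull_request_target` (the `authorize` job's `environment` expression tests for that event) and on that event `github.ref` is the base branch, i.e. `refs/heads/master` for any PR into master; redundant PR runs are therefore never cancelled, which is the stated purpose of the block. The identical block in the new snyk.yml has the same problem, while codeql.yml is unaffected because it triggers on `pull_request`, whose ref is the merge ref. A condition that names the event gives the intended behaviour: `cancel-in-progress: ${{ github.event_name == 'pull_request_target' || github.ref != 'refs/heads/master' }}`. The added `github.actor != 'dependabot[bot]'` clause in `authorize` appears redundant rather than wrong, since Dependabot branches live in this repository and already fail the `head.repo.full_name != github.repository` test. The `on:` block this depends on is outside the hunk.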
@@ -0,0 +1,47 @@
+name: Snyk
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: '30 0 1,15 * *'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+  authorize:
+    name: Authorize
+    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
+
+  check:
+    needs: authorize
+
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f60abf993..d619798a9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -59,9 +59,6 @@ jobs:
           path: .
           key: ${{ env.CACHE_KEY }}
 
-      - name: Upload coverage
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4
-
   unit:
     needs: test
 
@@ -87,6 +84,9 @@ jobs:
       - name: Run tests
         run: npm run test -- --maxWorkers=2
 
+      - name: Upload coverage
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4
+
   browserstack:
     needs: test
 
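Review bot: The `check` job runs `snyk/actions/php`, but every other file in this patch treats the repository as a Node project (CodeQL scans `javascript`, test.yml runs `npm run test`, publish.yml publishes to NPM), so the PHP plugin will presumably look for a Composer manifest that does not exist and report nothing useful; the Node variant of the same action, `snyk/actions/node`, pinned to a commit SHA as here, is most likely what was intended — confirm against the Snyk project settings. Because the workflow fires on `pull_request_target` and checks out `github.event.pull_request.head.sha`, the job holding `SNYK_TOKEN` processes manifests supplied by a fork, and the only gate is the `external` environment resolved by `authorize`, so that environment must be configured with required reviewers for the `needs: authorize` edge to protect anything. That dependency is invisible in the file; a comment above `authorize:` such as `# Fork PRs resolve to the 'external' environment, which must require reviewer approval; 'check' (and SNYK_TOKEN) only runs after it passes.` would record it for the next maintainer.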