chore(deps): bump dompurify from 2.3.10 to 2.5.6 #4750
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Condo CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request_target: | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| DOCKER_IMAGE: condo/condo-image:${{ github.event.pull_request.head.sha || github.sha }} | |
| DOCKER_IMAGE_FULL: ${{ secrets.DOCKER_REGISTRY }}/condo/condo-image:${{ github.event.pull_request.head.sha || github.sha }} | |
| PG_IMAGE_FULL: ${{ secrets.DOCKER_REGISTRY }}/doma/utils/postgres:13.2 | |
| REDIS_IMAGE_FULL: ${{ secrets.DOCKER_REGISTRY }}/doma/utils/redis:6.2 | |
| REF: ${{ github.event.pull_request.head.sha || github.ref }} | |
| jobs: | |
| authorize: | |
| name: Authorize PR | |
| runs-on: ubuntu-latest | |
| environment: | |
| ${{ github.event_name == 'pull_request_target' && | |
| github.event.pull_request.head.repo.full_name != github.repository && | |
| 'external' || 'internal' }} | |
| outputs: | |
| ref: ${{ env.REF }} | |
| steps: | |
| - run: echo "PR is authorized to run CI jobs" | |
| build-image: | |
| name: Build Docker Image | |
| needs: authorize | |
| runs-on: test-pool-runners | |
| outputs: | |
| DOCKER_IMAGE: ${{ env.DOCKER_IMAGE }} | |
| steps: | |
| - name: Prepare runner | |
| run: | | |
| sudo apt update && sudo apt install -y git | |
| - name: Set registry variables | |
| run: | | |
| echo "DOCKER_CACHE_FROM=type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/condo/condo-image:$( echo "${{github.ref_name}}" | sed 's/[^a-zA-Z0-9]/-/g' ) >> $GITHUB_ENV" | |
| echo "DOCKER_CACHE_TO=type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/condo/condo-image:$( echo "${{github.ref_name}}" | sed 's/[^a-zA-Z0-9]/-/g' ),mode=min,image-manifest=true" >> $GITHUB_ENV | |
| - name: Login to cloud registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ secrets.DOCKER_REGISTRY }} | |
| username: ${{ secrets.SBERCLOUD_CR_USERNAME }} | |
| password: ${{ secrets.SBERCLOUD_CR_PASSWORD }} | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: recursive | |
| ssh-key: ${{ secrets.SSH_DOCK_SERVER_PRIVATE_KEY }} | |
| ref: ${{ env.REF }} | |
| - name: Prune repo to filter out yarn.lock and package.json | |
| run: | | |
| bash bin/prune.sh | |
| - name: Setup context for Docker BuildX | |
| id: buildx-context | |
| run: | | |
| docker context create builders | |
| - name: Setup Docker BuildX | |
| id: buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| endpoint: builders | |
| driver-opts: | | |
| env.BUILDKIT_STEP_LOG_MAX_SIZE=10485760 | |
| image=${{ secrets.DOCKER_REGISTRY }}/doma/utils/buildkit:buildx-stable-1 | |
| - name: Build repo image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: Dockerfile | |
| push: true | |
| tags: ${{ env.DOCKER_IMAGE_FULL }} | |
| build-args: | | |
| REGISTRY=${{ secrets.DOCKER_REGISTRY }}/doma/utils | |
| TURBO_TEAM=condo-ci | |
| TURBO_REMOTE_ONLY=true | |
| TURBO_TOKEN=${{ secrets.TURBO_TOKEN }} | |
| TURBO_API=${{ secrets.TURBO_API }} | |
| provenance: false | |
| cache-from: ${{ env.DOCKER_CACHE_FROM }} | |
| cache-to: ${{ env.DOCKER_CACHE_TO }} | |
| - name: Collect docker logs on failure | |
| if: failure() | |
| uses: jwalton/gh-docker-logs@v1 | |
| with: | |
| dest: './docker-logs' | |
| - name: Upload log artifact | |
| uses: actions/upload-artifact@v4 | |
| if: failure() | |
| with: | |
| name: logs | |
| path: | | |
| *.log | |
| ./docker-logs | |
| retention-days: 2 | |
| # SRC: https://how.wtf/run-workflow-step-or-job-based-on-file-changes-github-actions.html | |
| detect-changes: | |
| name: Define job list based on changed files | |
| needs: authorize | |
| runs-on: ubuntu-latest | |
| outputs: | |
| address-service: ${{ steps.detect-changes.outputs.address-service }} | |
| dev-api: ${{ steps.detect-changes.outputs.dev-api }} | |
| condorb: ${{ steps.detect-changes.outputs.condorb }} | |
| webhooks: ${{ steps.detect-changes.outputs.webhooks }} | |
| steps: | |
| - name: Checkout code with submodules | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: recursive | |
| ssh-key: ${{ secrets.SSH_DOCK_SERVER_PRIVATE_KEY }} | |
| ref: ${{ env.REF }} | |
| - name: Scan changed files | |
| uses: dorny/paths-filter@v3 | |
| id: detect-changes | |
| with: | |
| filters: | | |
| address-service: | |
| - 'apps/address-service/**' | |
| - 'packages/**' | |
| condorb: | |
| - 'apps/condorb' | |
| - 'packages/**' | |
| dev-api: | |
| - 'apps/dev-api/**' | |
| - 'apps/condo/domains/miniapp/**' | |
| - 'apps/condo/domains/user/**' | |
| - 'packages/**' | |
| webhooks: | |
| - 'packages/webhooks/**' | |
| lint: | |
| name: Lint source code | |
| needs: authorize | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code with submodules | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: recursive | |
| ssh-key: ${{ secrets.SSH_DOCK_SERVER_PRIVATE_KEY }} | |
| ref: ${{ env.REF }} | |
| - name: Prepare Node environment | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| cache: 'yarn' | |
| - name: Install root dependencies | |
| run: | | |
| yarn workspaces focus root | |
| - name: Check JS code-style rules | |
| run: | | |
| yarn lint:code | |
| - name: Check styling rules | |
| run: | | |
| yarn lint:styles | |
| - name: Check translations rules | |
| run: | | |
| yarn lint:translations | |
| - name: Check common file patterns | |
| run: | | |
| bash ./bin/lint-common-patterns.sh | |
| # TODO(DOMA-7754): Figure out how to extract schema without starting KS-app (30sec for start per app is slow) and lint all apps | |
| security: | |
| name: Semgrep vulnerabilities check | |
| needs: authorize | |
| runs-on: ubuntu-latest | |
| container: | |
| image: returntocorp/semgrep | |
| # Skip any PR created by dependabot to avoid permission issues | |
| if: (github.actor != 'dependabot[bot]') | |
| steps: | |
| # Fetch project source with GitHub Actions Checkout. | |
| - name: Checkout code with submodules | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: recursive | |
| ssh-key: ${{ secrets.SSH_DOCK_SERVER_PRIVATE_KEY }} | |
| ref: ${{ env.REF }} | |
| - run: ./bin/run-semgrep.sh -a | |
| run-address-service-tests: | |
| name: Address-Service Tests | |
| runs-on: ubuntu-latest | |
| needs: | |
| - authorize | |
| - build-image | |
| - detect-changes | |
| if: ${{ needs.detect-changes.outputs.address-service == 'true' }} | |
| steps: | |
| - name: Login to cloud registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ secrets.DOCKER_REGISTRY }} | |
| username: ${{ secrets.SBERCLOUD_CR_USERNAME }} | |
| password: ${{ secrets.SBERCLOUD_CR_PASSWORD }} | |
| - name: Setup PG db | |
| run: | | |
| docker run -e POSTGRES_USER=$POSTGRES_USER -e POSTGRES_PASSWORD=$POSTGRES_PASSWORD -e POSTGRES_DB=$POSTGRES_DB -p="127.0.0.1:5432:5432" -d ${{ env.PG_IMAGE_FULL }} | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: main | |
| - name: Setup Redis db | |
| run: | | |
| docker run -p="127.0.0.1:6379:6379" -d ${{ env.REDIS_IMAGE_FULL }} | |
| - name: Run condo container with daemon | |
| run: | | |
| docker run --network="host" --name condo-container -dit ${{ env.DOCKER_IMAGE_FULL }} sh | |
| - name: Prepare apps | |
| run: | | |
| docker exec condo-container node bin/prepare.js -f address-service condo | |
| - name: Check migrations state | |
| run: | | |
| docker exec condo-container yarn workspace @app/address-service makemigrations --check | |
| - name: Run apps and tests | |
| run: | | |
| docker exec condo-container sh -c "(\ | |
| yarn workspace @app/address-service start & \ | |
| node bin/wait-apps-apis.js -f address-service) && \ | |
| yarn workspace @app/address-service test" | |
| run-condo-tests: | |
| name: Condo Tests | |
| needs: | |
| - authorize | |
| - build-image | |
| strategy: | |
| matrix: | |
| domain: | |
| - organization | |
| - user | |
| - scope | |
| - property | |
| - acquiring | |
| - billing | |
| - miniapp | |
| - banking | |
| - ticket | |
| - meter | |
| - contact | |
| - resident | |
| - notification | |
| - common | |
| - others | |
| uses: ./.github/workflows/_nodejs.condo.core.tests.yml | |
| with: | |
| domain_name: ${{ matrix.domain }} | |
| runs-on: runners-dind-set-cpu5-ram10 | |
| image_name: ${{ needs.build-image.outputs.DOCKER_IMAGE }} | |
| secrets: inherit | |
| run-condo-e2e-tests: | |
| name: Condo E2E Tests | |
| needs: authorize | |
| uses: ./.github/workflows/_nodejs.condo.cypress.yml | |
| with: | |
| ref: ${{ needs.authorize.outputs.ref }} | |
| secrets: inherit | |
| run-condorb-tests: | |
| name: CondoRB Tests | |
| runs-on: ubuntu-latest | |
| needs: | |
| - authorize | |
| - build-image | |
| - detect-changes | |
| if: ${{ needs.detect-changes.outputs.condorb == 'true' }} | |
| steps: | |
| - name: Login to cloud registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ secrets.DOCKER_REGISTRY }} | |
| username: ${{ secrets.SBERCLOUD_CR_USERNAME }} | |
| password: ${{ secrets.SBERCLOUD_CR_PASSWORD }} | |
| - name: Setup PG db | |
| run: | | |
| docker run -e POSTGRES_USER=$POSTGRES_USER -e POSTGRES_PASSWORD=$POSTGRES_PASSWORD -e POSTGRES_DB=$POSTGRES_DB -p="127.0.0.1:5432:5432" -d ${{ env.PG_IMAGE_FULL }} | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: main | |
| - name: Setup Redis db | |
| run: | | |
| docker run -p="127.0.0.1:6379:6379" -d ${{ env.REDIS_IMAGE_FULL }} | |
| - name: Run condo container with daemon | |
| run: | | |
| docker run --network="host" --name condo-container -dit ${{ env.DOCKER_IMAGE_FULL }} sh | |
| - name: Prepare apps | |
| run: | | |
| docker exec condo-container node bin/prepare.js -f condo condorb | |
| - name: Check migrations state | |
| run: | | |
| docker exec condo-container yarn workspace @app/condorb makemigrations --check | |
| - name: Run apps and tests | |
| run: | | |
| docker exec condo-container sh -c "(\ | |
| yarn workspace @app/condo start & \ | |
| yarn workspace @app/condorb start & \ | |
| node bin/wait-apps-apis.js -f condo condorb) && \ | |
| yarn workspace @app/condorb test" | |
| run-dev-api-tests: | |
| name: DEV-API Tests | |
| runs-on: ubuntu-latest | |
| needs: | |
| - authorize | |
| - build-image | |
| - detect-changes | |
| if: ${{ needs.detect-changes.outputs.dev-api == 'true' }} | |
| steps: | |
| - name: Login to cloud registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ secrets.DOCKER_REGISTRY }} | |
| username: ${{ secrets.SBERCLOUD_CR_USERNAME }} | |
| password: ${{ secrets.SBERCLOUD_CR_PASSWORD }} | |
| - name: Setup PG db | |
| run: | | |
| docker run -e POSTGRES_USER=$POSTGRES_USER -e POSTGRES_PASSWORD=$POSTGRES_PASSWORD -e POSTGRES_DB=$POSTGRES_DB -p="127.0.0.1:5432:5432" -d ${{ env.PG_IMAGE_FULL }} | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: main | |
| - name: Setup Redis db | |
| run: | | |
| docker run -p="127.0.0.1:6379:6379" -d ${{ env.REDIS_IMAGE_FULL }} | |
| - name: Run condo container with daemon | |
| run: | | |
| docker run --network="host" --name condo-container -dit ${{ env.DOCKER_IMAGE_FULL }} sh | |
| - name: Prepare apps | |
| run: | | |
| docker exec condo-container node bin/prepare.js -f condo dev-api | |
| - name: Check migrations state | |
| run: | | |
| docker exec condo-container yarn workspace @app/dev-api makemigrations --check | |
| - name: Run apps and tests | |
| run: | | |
| docker exec condo-container sh -c "(\ | |
| yarn workspace @app/condo start & \ | |
| yarn workspace @app/dev-api start & \ | |
| node bin/wait-apps-apis.js -f condo dev-api) && \ | |
| yarn workspace @app/dev-api test" | |
| run-webhooks-tests: | |
| name: Webhooks Tests | |
| runs-on: ubuntu-latest | |
| needs: | |
| - authorize | |
| - detect-changes | |
| if: ${{ needs.detect-changes.outputs.webhooks == 'true' }} | |
| steps: | |
| - name: Checkout code with submodules | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: recursive | |
| ssh-key: ${{ secrets.SSH_DOCK_SERVER_PRIVATE_KEY }} | |
| ref: ${{ env.REF }} | |
| - name: Install packages | |
| run: | | |
| npm i -g turbo | |
| yarn install --immutable | |
| - name: Test webhooks utils | |
| run: yarn workspace @open-condo/webhooks jest |