Conversation
sarasvoss
force-pushed
the
add-run-npm-ci-gha
branch
from
766021c to
66e3ebd
Compare
✅ Semgrep Security Scan Passed🎉 No security issues found! View run |
sarasvoss
force-pushed
the
add-run-npm-ci-gha
branch
from
66e3ebd to
80aedaa
Compare
sarasvoss
force-pushed
the
add-run-npm-ci-gha
branch
from
0a319c0 to
89a2638
Compare
sarasvoss
force-pushed
the
add-run-npm-ci-gha
branch
2 times, most recently
from
5657f62 to
5c1be5b
Compare
sarasvoss
force-pushed
the
add-run-npm-ci-gha
branch
from
5c1be5b to
23c7548
Compare
sarasvoss
force-pushed
the
add-run-npm-ci-gha
branch
2 times, most recently
from
b27a09b to
aac3911
Compare
sarasvoss
force-pushed
the
add-run-npm-ci-gha
branch
from
aac3911 to
eaebb9e
Compare
There was a problem hiding this comment.
Pull request overview
Adds a reusable GitHub Actions workflow for running common npm CI steps, and introduces two composite actions (audit-npm and run-npm-script) to standardize/DRY npm auditing and script execution across workflows.
Changes:
- Added reusable workflow
.github/workflows/run_npm_ci_scripts.ymlto run npm install/audit/build/lint/format/test with a job summary and gating. - Refactored internal push CI to call the new reusable workflow.
- Added composite actions
audit-npmandrun-npm-scriptwith initial documentation and changelogs.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 16 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/run_npm_ci_scripts.yml |
New reusable npm CI workflow (currently has working-directory + versioning/permissions issues). |
.github/workflows/internal_on_push_ci.yml |
Switches internal CI job to call the new reusable workflow. |
.github/actions/run-npm-script/action.yml |
New composite action to conditionally run an npm script and emit status. |
.github/actions/run-npm-script/README.md |
Documentation for run-npm-script (currently has input + version tag format mismatches). |
.github/actions/run-npm-script/CHANGELOG.md |
Initial changelog (currently uses an invalid version header format for this repo). |
.github/actions/audit-npm/action.yml |
New composite action to run/parse npm audit (currently not parameterized for working directory). |
.github/actions/audit-npm/README.md |
Documentation for audit-npm (currently has version tag format mismatch). |
.github/actions/audit-npm/CHANGELOG.md |
Initial changelog (currently uses an invalid version header format for this repo). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN }} | ||
| WORKING_DIRECTORY: ${{ inputs.working_directory }} |
There was a problem hiding this comment.
This reusable workflow uses secrets.ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN but does not declare it under on.workflow_call.secrets. In this repo, reusable workflows that need org secrets declare them explicitly (e.g. .github/workflows/deploy_feature_branch.yml).
Suggestion: add on.workflow_call.secrets.ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN (required: true) so callers can pass it reliably.
| id: build | ||
| uses: ./.github/actions/run-npm-script | ||
| with: | ||
| working-directory: '.' |
There was a problem hiding this comment.
The usage example sets working-directory, but the action input is working_directory (underscore) in action.yml. As written, the example won’t apply the input.
Suggestion: update the example to use working_directory.
| working-directory: '.' | |
| working_directory: '.' |
| This action uses namespaced tags for versioning and is tracked in the CHANGELOG. | ||
|
|
||
| ```text | ||
| action/run-npm-script/vX.Y.Z |
There was a problem hiding this comment.
The versioning section uses a tag format of action/.../vX.Y.Z, but this repo’s policy uses namespaced tags like actions/<component-name>/X.Y.Z (and changelog headings must be ## X.Y.Z).
Suggestion: update this section to match VERSIONING.md so consumers use the correct tag format.
| This action uses namespaced tags for versioning and is tracked in the CHANGELOG. | |
| ```text | |
| action/run-npm-script/vX.Y.Z | |
| This action uses namespaced tags for versioning and is tracked in the CHANGELOG under headings of the form `## X.Y.Z`. | |
| ```text | |
| actions/run-npm-script/X.Y.Z |
| working_directory: '.' | ||
| script: build | ||
|
|
||
| - name: Lint | ||
| uses: ./.github/actions/run-npm-script | ||
| id: lint | ||
| with: | ||
| working_directory: '.' | ||
| script: lint:check | ||
|
|
||
| - name: Format | ||
| uses: ./.github/actions/run-npm-script | ||
| id: format | ||
| with: | ||
| working_directory: '.' | ||
| script: format:check | ||
|
|
||
| - name: Test | ||
| uses: ./.github/actions/run-npm-script | ||
| id: test | ||
| with: | ||
| working_directory: '.' |
There was a problem hiding this comment.
run-npm-script is invoked with working_directory: '.', which ignores inputs.working_directory.
Suggestion: pass ${{ inputs.working_directory }} so tests run in the intended package directory.
| working_directory: '.' | |
| script: build | |
| - name: Lint | |
| uses: ./.github/actions/run-npm-script | |
| id: lint | |
| with: | |
| working_directory: '.' | |
| script: lint:check | |
| - name: Format | |
| uses: ./.github/actions/run-npm-script | |
| id: format | |
| with: | |
| working_directory: '.' | |
| script: format:check | |
| - name: Test | |
| uses: ./.github/actions/run-npm-script | |
| id: test | |
| with: | |
| working_directory: '.' | |
| working_directory: ${{ inputs.working_directory }} | |
| script: build | |
| - name: Lint | |
| uses: ./.github/actions/run-npm-script | |
| id: lint | |
| with: | |
| working_directory: ${{ inputs.working_directory }} | |
| script: lint:check | |
| - name: Format | |
| uses: ./.github/actions/run-npm-script | |
| id: format | |
| with: | |
| working_directory: ${{ inputs.working_directory }} | |
| script: format:check | |
| - name: Test | |
| uses: ./.github/actions/run-npm-script | |
| id: test | |
| with: | |
| working_directory: ${{ inputs.working_directory }} |
| - name: Change to working directory | ||
| run: | | ||
| echo "Changing to working directory: $WORKING_DIRECTORY" | ||
| cd "$WORKING_DIRECTORY" | ||
|
|
There was a problem hiding this comment.
The Change to working directory step won’t affect later steps (each step runs in a fresh shell), and it also runs before actions/checkout, so the target directory likely doesn’t exist yet. As a result, npm ci and the composite actions will execute from the repo root instead of inputs.working_directory.
Suggestion: remove this step and instead set defaults.run.working-directory: ${{ inputs.working_directory }} for run: steps (or add working-directory: on each run:), and pass ${{ inputs.working_directory }} through to the composite actions that need it.
| name: NPM CI | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: |
There was a problem hiding this comment.
Per VERSIONING.md, reusable workflows under .github/workflows are versioned and require an entry under .github/workflows/CHANGELOGS/<workflow-name>.md. This PR adds a new reusable workflow but does not add the corresponding workflow changelog, which will likely break automated version validation.
Suggestion: add the missing changelog file with a ## 1.0.0 entry (no v prefix).
|
|
||
| This action uses namespaced tags for versioning and is tracked in the CHANGELOG. | ||
|
|
||
| ```text | ||
| action/audit-npm/vX.Y.Z |
There was a problem hiding this comment.
The versioning section uses a tag format of action/.../vX.Y.Z, but this repo’s policy uses namespaced tags like actions/<component-name>/X.Y.Z and changelog headings must be ## X.Y.Z.
Suggestion: update this section to match VERSIONING.md so consumers use the correct tag format.
| working_directory: '.' | ||
| script: build | ||
|
|
||
| - name: Lint | ||
| uses: ./.github/actions/run-npm-script | ||
| id: lint | ||
| with: | ||
| working_directory: '.' | ||
| script: lint:check | ||
|
|
||
| - name: Format | ||
| uses: ./.github/actions/run-npm-script | ||
| id: format | ||
| with: | ||
| working_directory: '.' | ||
| script: format:check | ||
|
|
||
| - name: Test | ||
| uses: ./.github/actions/run-npm-script | ||
| id: test | ||
| with: | ||
| working_directory: '.' |
There was a problem hiding this comment.
run-npm-script is invoked with working_directory: '.', which ignores inputs.working_directory.
Suggestion: pass ${{ inputs.working_directory }} so lint runs in the intended package directory.
| working_directory: '.' | |
| script: build | |
| - name: Lint | |
| uses: ./.github/actions/run-npm-script | |
| id: lint | |
| with: | |
| working_directory: '.' | |
| script: lint:check | |
| - name: Format | |
| uses: ./.github/actions/run-npm-script | |
| id: format | |
| with: | |
| working_directory: '.' | |
| script: format:check | |
| - name: Test | |
| uses: ./.github/actions/run-npm-script | |
| id: test | |
| with: | |
| working_directory: '.' | |
| working_directory: ${{ inputs.working_directory }} | |
| script: build | |
| - name: Lint | |
| uses: ./.github/actions/run-npm-script | |
| id: lint | |
| with: | |
| working_directory: ${{ inputs.working_directory }} | |
| script: lint:check | |
| - name: Format | |
| uses: ./.github/actions/run-npm-script | |
| id: format | |
| with: | |
| working_directory: ${{ inputs.working_directory }} | |
| script: format:check | |
| - name: Test | |
| uses: ./.github/actions/run-npm-script | |
| id: test | |
| with: | |
| working_directory: ${{ inputs.working_directory }} |
|
|
||
| All notable changes to the **run-npm-script** action are documented in this file. | ||
|
|
||
| ## v1.0.0 |
There was a problem hiding this comment.
This changelog uses ## v1.0.0, but the repo’s version validation expects headings to be exactly ## X.Y.Z (no v prefix). Using v1.0.0 will cause automated version/changelog validation to fail.
Suggestion: change the heading to ## 1.0.0 and ensure the PR label matches that version format.
| ## v1.0.0 | |
| ## 1.0.0 |
|
|
||
| All notable changes to the **audit-npm** action are documented in this file. | ||
|
|
||
| ## v1.0.0 |
There was a problem hiding this comment.
This changelog uses ## v1.0.0, but the repo’s version validation expects headings to be exactly ## X.Y.Z (no v prefix). Using v1.0.0 will cause automated version/changelog validation to fail.
Suggestion: change the heading to ## 1.0.0 and ensure the PR label matches that version format.
| ## v1.0.0 | |
| ## 1.0.0 |
PR Summary
Jira: https://opensesame.atlassian.net/browse/CORE-XXXX
Description of Changes
Adding reusable GHA for running npm scripts for CI
Versioning
Versioned components live under
./github/actionsDoes this PR modify a versioned component?
version:untrackedversion:<component-name>/X.Y.ZCHANGELOG.mdincludes a## X.Y.Zentryversion:untrackedonly if changes do not alter behavior, inputs, or outputsIf version labels are incorrect or missing, automated version validation will fail and block merge.
Dependencies of PR
N/A
Testing
tested in internal_ GHA runs for this repo's CI