ci: updated github actions ci workflow by Phillip9587 · Pull Request #6314 · expressjs/express
I noticed that the current CI workflow in this repository could benefit from some updates. Specifically:
- Deprecation of Artifact Actions v3:
  - The `actions/upload-artifact@v3` and `actions/download-artifact@v3` actions are being deprecated as of November 30, 2024 (GitHub Deprecation Notice).
  - These actions should be updated to their latest versions to ensure continued functionality in the CI workflow.
  - CI Runs are currently failing like in PR chore(deps): update `debug` to ^4.4.0 #6313
- The Coverage setup could also be optimized:
  - Currently, the workflow uses the `coverallsapp/github-action@master` which points to v1 of this action. This v1 action uses `node16` as runtime which is deprecated.
- Minimum token permissions for the GITHUB_TOKEN:
  - GitHub Actions workflows have a GITHUB_TOKEN with write access to multiple scopes.
  - It is a best practice to reduce the scopes to the minimum needed for each workflow / step.
  - GitHub recommends defining minimum GITHUB_TOKEN permissions. https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
  - The Open Source Security Foundation (OpenSSF) Scorecards also treats not setting token permissions as a high-risk issue. This change will help increase the Scorecard score for this repository.
- lint step install only dev dependencies
  - the `lint` step currently tries to install only the dev dependencies with the `--only=dev` cli argument. `--only=dev` has been replaced with `--include=dev` since npm v7. https://docs.npmjs.com/cli/v11/commands/npm-install#include
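The four points in the description can be checked mechanically. The script below is an added example, not code from this pull request or the Express repository: it audits a workflow file's text for them. The sample workflow is constructed, and the `contents: read` scope and the `@v4` / `@v2` tags in the "after" version are assumptions.

```python
import re

# Constructed sample workflow showing the four issues the PR description lists.
BEFORE = """\
name: ci
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install --only=dev
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/upload-artifact@v3
      - uses: coverallsapp/github-action@master
"""

# Constructed "after" version; scope and version tags are assumptions, not from the PR.
AFTER = (BEFORE.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)
         .replace("--only=dev", "--include=dev")
         .replace("upload-artifact@v3", "upload-artifact@v4")
         .replace("github-action@master", "github-action@v2"))

DEPRECATED = {"actions/upload-artifact@v3", "actions/download-artifact@v3"}
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")

def audit_workflow(text):
    """Return (line_number, message) findings; line 0 means the whole file."""
    findings = []
    # Heuristic: only a workflow-level key at column 0 counts; a workflow that
    # sets permissions per job instead would need a real YAML parser to check.
    if not re.search(r"^permissions:", text, re.MULTILINE):
        findings.append((0, "no workflow-level permissions block for GITHUB_TOKEN"))
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            if ref in DEPRECATED:
                findings.append((n, f"deprecated artifact action: {ref}"))
            elif ref.endswith("@master"):
                findings.append((n, f"action follows the master branch: {ref}"))
        if "--only=dev" in line:
            findings.append((n, "npm --only=dev was replaced by --include=dev in npm v7"))
    return findings

if __name__ == "__main__":
    for n, msg in audit_workflow(BEFORE):
        print(f"line {n}: {msg}")
```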
I will merge this PR as it currently has a fix for our broken CI (example)
@Phillip9587 do you mind porting this to the 4.x branch too? Seems like the CI is broken there too (ref) :)
