Skip to content

Add security.txt to CODEOWNERS #9722

Add security.txt to CODEOWNERS

Add security.txt to CODEOWNERS #9722

Workflow file for this run

# Security Notes
# Only selected Actions are allowed within this repository. Please refer to (https://github.com/nodejs/nodejs.org/settings/actions)
# for the full list of available actions. If you want to add a new one, please reach out a maintainer with Admin permissions.
# REVIEWERS, please always double-check security practices before merging a PR that contains Workflow changes!!
# AUTHORS, please only use actions with explicit SHA references, and avoid using `@master` or `@main` references or `@version` tags.
name: Build
on:
push:
branches:
- main
pull_request:
branches:
- main
types: [opened, synchronize, reopened, ready_for_review]
merge_group:
defaults:
run:
# This ensures that the working directory is the root of the repository
working-directory: ./
permissions:
contents: read
actions: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
build:
name: Build on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest]
steps:
- uses: nodejs/web-team/actions/setup-environment@9f3c83af227d721768d9dbb63009a47ed4f4282f
with:
pnpm: true
use-version-file: true
- name: Use GNU tar instead BSD tar
# This ensures that we use GNU `tar` which is more efficient for extracting caches's
if: matrix.os == 'windows-latest'
shell: cmd
run: echo C:\Program Files\Git\usr\bin>>"%GITHUB_PATH%"
- uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ${{ github.workspace }}/apps/site/.next/cache
key: ${{ runner.os }}-nextjs-${{ hashFiles('**/pnpm-lock.yaml') }}-${{ hashFiles('**/*.js', '**/*.jsx', '**/*.ts', '**/*.tsx') }}
restore-keys: ${{ runner.os }}-nextjs-${{ hashFiles('**/pnpm-lock.yaml') }}-
- name: Build Next.js
# We want a ISR build on CI to ensure that regular Next.js builds work as expected.
run: node_modules/.bin/turbo build --cache-dir=.turbo/cache
env:
# We want to ensure we have enough RAM allocated to the Node.js process
# this should be a last resort in case by any chances the build memory gets too high
# but in general this should never happen
NODE_OPTIONS: '--max_old_space_size=4096'
# See https://github.com/vercel/next.js/pull/90949
TURBOPACK_STATS: ${{ matrix.os == 'ubuntu-latest' }}
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
if: matrix.os == 'ubuntu-latest'
with:
name: webpack-stats
path: apps/site/.next/diagnostics/route-bundle-stats.json
- name: Build Next.js (Static Export)
# We want to generate a static build, as it is a requirement of our website.
run: node_modules/.bin/turbo deploy --cache-dir=.turbo/cache
env:
# We want to ensure we have enough RAM allocated to the Node.js process
# this should be a last resort in case by any chances the build memory gets too high
# but in general this should never happen
NODE_OPTIONS: '--max_old_space_size=4096'
# We want to ensure that static exports for all locales do not occur on `pull_request` events
# TODO: The output of this is too large, and it crashes the GitHub Runner
NEXT_PUBLIC_STATIC_EXPORT_LOCALE: false # ${{ github.event_name == 'push' }}
compare-bundle-size:
name: Compare Bundle Size
runs-on: ubuntu-latest
needs: build
if: github.event_name == 'pull_request'
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Git Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Download Stats (HEAD)
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: webpack-stats
path: head-stats
- name: Get Run ID from BASE
id: base-run
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
GH_TOKEN: ${{ github.token }}
run: |
ID=$(gh run list -c "$BASE_SHA" -w build.yml -s success -L 1 --json databaseId --jq ".[].databaseId")
echo "run_id=$ID" >> "$GITHUB_OUTPUT"
- name: Download Stats (BASE)
id: base-stats
continue-on-error: true
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: webpack-stats
path: base-stats
run-id: ${{ steps.base-run.outputs.run_id }}
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Compare Bundle Size
id: compare-bundle-size
if: steps.base-stats.outcome == 'success'
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
HEAD_STATS_PATH: ./head-stats/route-bundle-stats.json
BASE_STATS_PATH: ./base-stats/route-bundle-stats.json
with:
script: |
const { compare } = await import('${{github.workspace}}/apps/site/scripts/compare-size/index.mjs')
await compare({core})
- name: Prepare Comment
if: steps.base-stats.outcome == 'success'
env:
COMMENT: ${{ steps.compare-bundle-size.outputs.comment }}
run: |
mkdir -p pr-comment
printf '%s' "$COMMENT" > pr-comment/comment.md
printf '%s' 'compare_bundle_size' > pr-comment/tag.txt
- name: Upload Comment
if: steps.base-stats.outcome == 'success'
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: pr-comment
path: pr-comment/