refactor: restructure for better testing, and improved image size

Author: ahmadnassri

.env

@@ -0,0 +1,9 @@
+GITHUB_EVENT_NAME=push
+GITHUB_EVENT_PATH=test/fixtures/payload.json
+GITHUB_REPOSITORY=ahmadnassri/action-workflow-queue
+GITHUB_WORKSPACE=/github/workspace
+
+INPUT_GITHUB-TOKEN=$GITHUB_TOKEN
+INPUT_DELAY=1000
+INPUT_TIMEOUT=1000
+INPUT_TOKEN=$GITHUB_TOKEN

.github/linters/.checkov.yml

@@ -5,6 +5,7 @@
 quiet: true
 skip-check:
   - CKV_DOCKER_2
+  - CKV_DOCKER_8
   - CKV_GHA_3
   - BC_DKR_3
   - CKV_GIT_1

.github/linters/.grype.yaml

@@ -0,0 +1,3 @@
+check-for-app-update: false
+exclude:
+  - '**/package-lock.json'

.github/linters/.lychee.toml

@@ -0,0 +1 @@
+exclude_path = [".github"]

.github/linters/.mega-linter.yml

@@ -11,6 +11,7 @@ DISABLE_LINTERS:
   - JSON_PRETTIER
   - YAML_PRETTIER
   - JAVASCRIPT_PRETTIER
+  - REPOSITORY_DEVSKIM # temporarily disabled
 
 LOG_LEVEL: INFO
 PRINT_ALPACA: false
@@ -19,7 +20,7 @@ SHOW_ELAPSED_TIME: true
 FLAVOR_SUGGESTIONS: false
 VALIDATE_ALL_CODEBASE: false
 IGNORE_GENERATED_FILES: true
-FILTER_REGEX_EXCLUDE: (dist/*|README.md|test/fixtures/*|vendor/*|/schemas/*)
+FILTER_REGEX_EXCLUDE: (dist/*|README.md|test/fixtures/*|vendor/*|/schemas/*|coverage/*|.nyc_output/*)
 
 MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdown-lint.yml
 REPOSITORY_CHECKOV_ARGUMENTS: [--skip-path, schemas]

.github/workflows/pull_request_target.yml

@@ -10,9 +10,8 @@ permissions: read-all
 
 jobs:
   main:
-    uses: ahmadnassri/actions/.github/workflows/pull-request-target-template.yml@master
-    secrets:
-      github-token: ${{ secrets.GH_TOKEN }}
+    uses: ahmadnassri/actions/.github/workflows/pull-request-target.yml@master
+    secrets: inherit
     permissions:
       contents: write
       pull-requests: write

.github/workflows/push.yml

@@ -2,198 +2,20 @@
 # Note: this file originates in template-action-docker #
 # ---------------------------------------------------- #
 
+name: push
+
 on:
   - push
   - workflow_dispatch
 
-name: push
-
-concurrency:
-  group: ${{ github.ref }}-${{ github.workflow }}
-
 permissions: read-all
 
 jobs:
-  metadata:
-    runs-on: ubuntu-latest
-
-    outputs:
-      image-name: ${{ steps.image.outputs.name }}
-      repository_is_template: ${{ steps.metadata.outputs.repository_is_template }}
-      repository_default_branch: ${{ steps.metadata.outputs.repository_default_branch }}
-
-    steps:
-      - uses: actions/[email protected]
-
-      - id: metadata
-        uses: ahmadnassri/[email protected]
-
-      - id: image
-        run: echo "name=$(basename "${GITHUB_REPOSITORY/docker-//}")" >> "$GITHUB_OUTPUT"
-
-  commit-lint:
-    timeout-minutes: 5
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/[email protected]
-
-      - uses: ahmadnassri/[email protected]
-        with:
-          config: .github/linters/.commit-lint.yml
-
-  mega-linter:
-    timeout-minutes: 5
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/[email protected]
-
-      - uses: oxsecurity/megalinter/flavors/[email protected]
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          MEGALINTER_CONFIG: .github/linters/.mega-linter.yml
-          GITHUB_COMMENT_REPORTER: true
-          GITHUB_STATUS_REPORTER: true
-
-      - uses: actions/upload-artifact@v3
-        if: ${{ success() }} || ${{ failure() }}
-        with:
-          name: mega-linter-reports
-          path: |
-            megalinter-reports
-            mega-linter.log
-
-  release:
-    needs:
-      - metadata
-      - commit-lint
-      - mega-linter
-
-    # only runs on main branch for non template repos
-    if: |
-      needs.metadata.outputs.repository_is_template == 'false' &&
-      needs.metadata.outputs.repository_default_branch == github.ref_name
-
-    timeout-minutes: 5
-
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: write
-      packages: write
-
-    outputs:
-      published: ${{ steps.release.outputs.published }}
-      version: ${{ steps.release.outputs.release-version }}
-      version-major: ${{ steps.release.outputs.release-version-major }}
-      version-minor: ${{ steps.release.outputs.release-version-minor }}
-
-    steps:
-      - uses: actions/[email protected]
-        with:
-          submodules: true
-
-      - id: release
-        uses: ahmadnassri/[email protected]
-        with:
-          config: ${{ github.workspace }}/.semantic.json
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-
-  publish-docker:
-    needs:
-      - release
-      - metadata
-
-    timeout-minutes: 5
-
-    if: ${{ needs.release.outputs.published == 'true' }}
-
-    name: publish to ghcr.io
-
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - uses: actions/[email protected]
-      - uses: docker/setup-qemu-action@v2
-      - uses: docker/setup-buildx-action@v2
-
-      # login to registry
-      - uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ github.token }}
-
-      # publish
-      - uses: docker/build-push-action@v4
-        with:
-          push: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          platforms: linux/amd64,linux/arm64
-          tags: |
-            ghcr.io/${{ github.repository_owner }}/${{ needs.metadata.outputs.image-name }}:latest
-            ghcr.io/${{ github.repository_owner }}/${{ needs.metadata.outputs.image-name }}:${{ needs.release.outputs.version-major }}
-            ghcr.io/${{ github.repository_owner }}/${{ needs.metadata.outputs.image-name }}:${{ needs.release.outputs.version }}
-          labels: |
-            org.opencontainers.image.title=${{ needs.metadata.outputs.image-name }}
-            org.opencontainers.image.url=${{ github.event.repository.html_url }}
-            org.opencontainers.image.version=${{ needs.release.outputs.version }}
-            org.opencontainers.image.source=${{ github.event.repository.html_url }}
-            org.opencontainers.image.revision=${{ github.sha }}
-
-  alias:
-    needs: release
-
-    if: ${{ needs.release.outputs.published == 'true' }}
-
-    runs-on: ubuntu-latest
-
+  main:
+    uses: ahmadnassri/actions/.github/workflows/push-action-docker.yml@master
+    secrets: inherit
     permissions:
       contents: write
+      statuses: write
       packages: write
-
-    strategy:
-      matrix:
-        release: [ "v${{ needs.release.outputs.version }}" ]
-        alias:
-          - "v${{ needs.release.outputs.version-major }}"
-          - "v${{ needs.release.outputs.version-major }}.${{ needs.release.outputs.version-minor }}"
-
-    steps:
-      - uses: actions/github-script@v6
-        with:
-          script: |
-            const { data: { object: { sha } } } = await github.rest.git.getRef({ ...context.repo, ref: 'tags/${{ matrix.release }}' })
-            await github.rest.git.deleteRef({ ...context.repo, ref: 'tags/${{ matrix.alias }}' }).catch(() => {})
-            await github.rest.git.createRef({ ...context.repo, ref: 'refs/tags/${{ matrix.alias }}', sha })
-
-  template-sync:
-    timeout-minutes: 5
-
-    needs:
-      - metadata
-      - commit-lint
-      - mega-linter
-
-    # only runs on main branch for template repos
-    if: |
-      needs.metadata.outputs.repository_is_template == 'true' &&
-      needs.metadata.outputs.repository_default_branch == github.ref_name
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/[email protected]
-
-      - uses: ahmadnassri/[email protected]
-        with:
-          github-token: ${{ secrets.GH_TOKEN }}
+      pull-requests: write

.gitignore

@@ -1,3 +1,8 @@
 # ---------------------------------------------------- #
 # Note: this file originates in template-action-docker #
 # ---------------------------------------------------- #
+
+*.log
+.nyc_output
+coverage
+node_modules

Dockerfile

@@ -1,16 +1,48 @@
-FROM node:slim
+# --- base stage --- #
 
-LABEL com.github.actions.name="GitHub Action: Workflow Run Wait" \
-      com.github.actions.description="wait for all `workflow_run` required workflows to be successful" \
-      com.github.actions.icon="clock" \
-      com.github.actions.color="blue" \
-      maintainer="Ahmad Nassri <[email protected]>"
+FROM alpine:3.18 AS base
+
+# hadolint ignore=DL3018
+RUN apk add --no-cache --update \
+  nodejs=18.17.0-r0 \
+  git=2.40.1-r0 \
+  openssh=9.3_p2-r0 \
+  ca-certificates=20230506-r0 \
+  ruby-bundler=2.4.15-r0 \
+  bash=5.2.15-r5
 
-RUN mkdir /action
 WORKDIR /action
 
-COPY action ./
+# --- build stage --- #
+
+FROM base AS build
+
+# hadolint ignore=DL3018
+RUN apk add --no-cache npm=9.6.6-r0
+
+# slience npm
+# hadolint ignore=DL3059
+RUN npm config set update-notifier=false audit=false fund=false
+
+# install packages
+COPY package* ./
+RUN npm ci --omit=dev --no-fund --no-audit
+
+# --- app stage --- #
+
+FROM base AS app
+
+# copy from build image
+COPY --from=build /action/node_modules ./node_modules
+
+# copy files
+COPY package.json src ./
+
+WORKDIR /github/workspace/
+
+# hadolint ignore=DL3002
+USER root
 
-RUN npm ci --only=prod
+HEALTHCHECK NONE
 
 ENTRYPOINT ["node", "/action/index.js"]

Makefile

@@ -4,8 +4,6 @@
 # Note: this file originates in template-action-docker #
 # ---------------------------------------------------- #
 
-SHELL := /bin/bash
-
 pull: ## pull latest containers
 	@docker compose pull
 
@@ -15,15 +13,33 @@ lint: clean ## run mega-linter
 readme: clean ## run readme action
 	@docker compose run --rm readme
 
-start: ## start the project in foreground
-	@docker compose run $(shell env | grep DOCKER | sed -E 's/DOCKER_(.*?)=(.*)/-e \1="\2"/gm;t;d') app
-
 build: clean ## start the project in background
 	@docker compose build --no-cache app
 
 shell: ## start the container shell
 	@docker compose run --rm --entrypoint /bin/sh app
 
+install: ## install all dependencies
+	@docker compose run --rm app install
+
+start: ## start the project in foreground
+	@docker compose run --rm app
+
+test: ## run all npm tests
+	@docker compose run --rm app-test
+
+build-action: clean ## start the project in background
+	@docker compose build --no-cache action
+
+shell-action: ## start the container shell
+	@docker compose run --rm --entrypoint /bin/sh action
+
+start-action: ## start the project in foreground
+	@docker compose run --rm action
+
+test-action: ## start the project in foreground
+	@docker compose run --rm action-test
+
 stop: ## stop all running containers
 	@docker compose down --remove-orphans --rmi local