Update workflows based on graphql-voyager's

Author: IvanGoncharov

.github/workflows/ci.yml

@@ -1,33 +1,138 @@
 name: CI
-on: [push, pull_request]
+on: workflow_call
+permissions: {}
 jobs:
   lint:
     name: Lint source files
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@v1
-
-      - name: Cache Node.js modules
-        uses: actions/cache@v2
+        uses: actions/setup-node@v3
         with:
-          path: ~/.npm
-          key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.OS }}-node-
+          cache: npm
+          node-version-file: '.node-version'
 
       - name: Install Dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
+
+      - name: Lint ESLint
+        run: npm run lint
 
       - name: Check Types
         run: npm run check
 
       - name: Lint Prettier
         run: npm run prettier:check
 
-      - name: Build package
-        run: npm run build:all
-        shell: bash
+      - name: Spellcheck
+        run: npm run check:spelling
+
+      - name: Lint GitHub Actions
+        uses: docker://rhysd/actionlint:latest
+        with:
+          args: -color
+
+  checkForCommonlyIgnoredFiles:
+    name: Check for commonly ignored files
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Check if commit contains files that should be ignored
+        run: |
+          git clone --depth 1 https://github.com/github/gitignore.git
+
+          rm gitignore/Global/ModelSim.gitignore
+          rm gitignore/Global/Images.gitignore
+          rm gitignore/Global/VirtualEnv.gitignore
+          cat gitignore/Node.gitignore gitignore/Global/*.gitignore > all.gitignore
+
+          IGNORED_FILES=$(git ls-files --cached --ignored --exclude-from=all.gitignore)
+          if  [[ "$IGNORED_FILES" != "" ]]; then
+            echo -e "::error::Please remove these files:\n$IGNORED_FILES" | sed -z 's/\n/%0A/g'
+            exit 1
+          fi
+
+  checkPackageLock:
+    name: Check health of package-lock.json file
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          cache: npm
+          node-version-file: '.node-version'
+
+      - name: Install Dependencies
+        run: npm ci --ignore-scripts
+
+      - name: Check that package-lock.json doesn't have conflicts
+        run: npm ls --depth 999
+
+      - name: Run npm install
+        run: npm install --ignore-scripts --force --package-lock-only --engine-strict --strict-peer-deps
+
+      - name: Check that package-lock.json is in sync with package.json
+        run: git diff --exit-code package-lock.json
+
+  codeql:
+    name: Run CodeQL security scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
+      security-events: write # for codeql-action
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: 'javascript, typescript'
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v2
+
+  buildRelease:
+    name: Build release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          cache: npm
+          node-version-file: '.node-version'
+
+      - name: Install Dependencies
+        run: npm ci --ignore-scripts
+
+      - name: Build release
+        run: npm run build

.github/workflows/pull_request.yml

@@ -0,0 +1,23 @@
+name: PullRequest
+on: pull_request
+permissions: {}
+jobs:
+  ci:
+    permissions:
+      contents: read # for actions/checkout
+      security-events: write # for codeql-action
+    uses: ./.github/workflows/ci.yml
+
+  dependency-review:
+    name: Security check of added dependencies
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Dependency review
+        uses: actions/dependency-review-action@v2

.github/workflows/push.yml

@@ -0,0 +1,9 @@
+name: Push
+on: push
+permissions: {}
+jobs:
+  ci:
+    permissions:
+      contents: read # for actions/checkout
+      security-events: write # for codeql-action
+    uses: ./.github/workflows/ci.yml

.node-version

@@ -0,0 +1 @@
+v19

README.md

@@ -101,6 +101,6 @@ Because the process is running inside of the container, `--open` does not work.
 
 ```sh
 npm i
-npm run build:all
+npm run build
 npm run start
 ```

package.json

@@ -31,7 +31,7 @@
     "build:typescript": "tsc",
     "copy:graphql": "cp src/*.graphql dist/",
     "copy:editor": "mkdir \"dist/editor\" && cp src/editor/*.html dist/editor && cp src/editor/*.js dist/editor && cp src/editor/*.css dist/editor && cp src/editor/*.svg dist/editor",
-    "build:all": "rm -rf dist && mkdir dist && npm run build:editor && npm run build:typescript && npm run copy:graphql && npm run copy:editor",
+    "build": "rm -rf dist && mkdir dist && npm run build:editor && npm run build:typescript && npm run copy:graphql && npm run copy:editor",
     "prettier": "prettier --cache --ignore-path .gitignore --write --list-different .",
     "prettier:check": "prettier --cache --ignore-path .gitignore --check .",
     "check:spelling": "cspell --cache --no-progress '**/*'"