nodejs/node
37 workflows · maturity 83% · 12 patterns · GitHub ↗
Practices
✓ Matrix✓ Permissions✓ Security scan○ AI review✓ Cache✓ Concurrency○ Reusable workflows
Detected patterns
Security dimensions
Tools: github/codeql-action/analyze, github/codeql-action/autobuild, github/codeql-action/init, github/codeql-action/upload-sarif, ossf/scorecard-action
Workflows (37)
auto-start-ci perms .github/workflows/auto-start-ci.yml
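# Polls for pull requests labelled `request-ci` and starts a Jenkins CI run
# for them through @node-core/utils.
name: Auto Start CI

on:
  schedule:
    # Runs every five minutes (fastest the scheduler can run). Five minutes is
    # optimistic, it can take longer to run.
    # To understand why `schedule` is used instead of other events, refer to
    # ./doc/contributing/commit-queue.md
    - cron: '*/5 * * * *'

# All runs share one concurrency group, named after the workflow.
concurrency: ${{ github.workflow }}

env:
  NODE_VERSION: lts/*

# Default token scope; each job below narrows or extends it explicitly.
permissions:
  contents: read

jobs:
  get-prs-for-ci:
    permissions:
      pull-requests: read
    # Only run in the upstream repository, never in forks.
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-slim
    outputs:
      numbers: ${{ steps.get_prs_for_ci.outputs.numbers }}
    steps:
      - name: Get Pull Requests
        id: get_prs_for_ci
        # A literal block (`|`) keeps every shell line break as written; with
        # a folded block (`>`) the breaks depend on how the lines are indented.
        # The repository comes from the runner-provided environment variable
        # rather than from an expression expanded into the script text.
        run: |
          numbers=$(gh pr list \
            --repo "$GITHUB_REPOSITORY" \
            --label 'request-ci' \
            --json 'number' \
            -t '{{ range . }}{{ .number }} {{ end }}' \
            --limit 5)
          echo "numbers=$numbers" >> "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  start-ci:
    permissions:
      contents: read
      pull-requests: write
    needs: get-prs-for-ci
    # Skip the job entirely when no pull request is waiting for CI.
    if: needs.get-prs-for-ci.outputs.numbers != ''
    runs-on: ubuntu-slim
    steps:
      - name: Install Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}

      # NOTE(review): the package is installed without a version pin, and the
      # following steps give it the Jenkins and GitHub user tokens. Whatever
      # npm resolves at run time executes with those credentials; consider
      # pinning an exact version.
      - name: Install @node-core/utils
        run: npm install -g @node-core/utils

      - name: Setup @node-core/utils
        # Secrets reach the script as environment variables and are quoted at
        # every use, so their values are never part of the script text.
        run: |
          ncu-config set username "$USERNAME"
          ncu-config set token "$GH_TOKEN"
          ncu-config set jenkins_token "$JENKINS_TOKEN"
          ncu-config set owner "$GITHUB_REPOSITORY_OWNER"
          ncu-config set repo "$(echo "$GITHUB_REPOSITORY" | cut -d/ -f2)"
        env:
          USERNAME: ${{ secrets.JENKINS_USER }}
          GH_TOKEN: ${{ secrets.GH_USER_TOKEN }}
          JENKINS_TOKEN: ${{ secrets.JENKINS_TOKEN }}

      - name: Start the CI
        # The script is fetched at the exact commit this run was started for
        # (GITHUB_SHA), not from a moving branch.
        # The PR numbers are passed through the environment instead of being
        # expanded into the script text. $PR_NUMBERS is left unquoted on
        # purpose so that each number becomes its own argument.
        run: |
          curl -fsSL "https://github.com/${GITHUB_REPOSITORY}/raw/${GITHUB_SHA}/tools/actions/start-ci.sh" \
            | sh -s -- $PR_NUMBERS
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          PR_NUMBERS: ${{ needs.get-prs-for-ci.outputs.numbers }}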
build-tarball perms .github/workflows/build-tarball.yml
# Creates a source tarball, then builds and tests Node.js from that tarball
# on Linux.
name: Build from tarball

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    # The final `!` entry re-includes this workflow file, which the `.**`
    # pattern above it would otherwise exclude.
    paths-ignore:
      - '**.md'
      - '**.nix'
      - eslint.config.mjs
      - '**/eslint.config_partial.mjs'
      - android-configure
      - android-configure.py
      - android-patches/**
      - benchmarks/**
      - codecov.yml
      - doc/**
      - pyproject.yml
      - tsconfig.json
      - test/internet/**
      - tools/actions/**
      - tools/dep_updaters/**
      - tools/doc/**
      - tools/eslint-rules/**
      - tools/eslint/**
      - tools/lint-md/**
      - typings/**
      - vcbuild.bat
      - .**
      - '!.github/workflows/build-tarball.yml'
  push:
    branches:
      - main
      - v[0-9]+.x-staging
      - v[0-9]+.x
    paths-ignore:
      - '**.md'
      - '**.nix'
      - eslint.config.mjs
      - '**/eslint.config_partial.mjs'
      - android-configure
      - android-configure.py
      - android-patches/**
      - benchmarks/**
      - codecov.yml
      - doc/**
      - pyproject.yml
      - tsconfig.json
      - test/internet/**
      - tools/actions/**
      - tools/dep_updaters/**
      - tools/doc/**
      - tools/eslint-rules/**
      - tools/eslint/**
      - tools/lint-md/**
      - typings/**
      - vcbuild.bat
      - .**
      - '!.github/workflows/build-tarball.yml'

# A newer run for the same pull-request branch cancels the one in progress;
# runs without a head ref fall back to the unique run id.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  # Quoted so the versions stay strings instead of being read as numbers.
  PYTHON_VERSION: '3.14'
  FLAKY_TESTS: keep_retrying
  CLANG_VERSION: '19'

# Read-only token for every job; no job in this workflow asks for more.
permissions:
  contents: read

jobs:
  build-tarball:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Do not leave the job token in the local git configuration.
          persist-credentials: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true

      - name: Environment Information
        run: npx envinfo

      - name: Make tarball
        run: |
          export DISTTYPE=nightly
          export DATESTRING=$(date "+%Y-%m-%d")
          export COMMIT=$(git rev-parse --short=10 "$GITHUB_SHA")
          ./configure && make tar -j4 SKIP_XZ=1

      - name: Upload tarball artifact
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
        with:
          name: tarballs
          path: '*.tar.gz'
          compression-level: 0

  test-tarball-linux:
    needs: build-tarball
    runs-on: ubuntu-24.04-arm
    env:
      # sccache is put in front of the compiler only when the base branch or
      # the pushed ref is `main`; otherwise the prefix is empty.
      CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang-19
      CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang++-19
      SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
      SCCACHE_IDLE_TIMEOUT: '0'
    steps:
      # Only the local install-clang action is checked out here; the source
      # tree under test comes from the downloaded tarball.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
          sparse-checkout: .github/actions/install-clang
          sparse-checkout-cone-mode: false

      - name: Install Clang ${{ env.CLANG_VERSION }}
        uses: ./.github/actions/install-clang
        with:
          clang-version: ${{ env.CLANG_VERSION }}

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true

      - name: Set up sccache
        if: github.base_ref == 'main' || github.ref_name == 'main'
        uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
        with:
          version: v0.12.0

      - name: Environment Information
        run: npx envinfo

      - name: Download tarball
        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
        with:
          name: tarballs
          path: tarballs

      - name: Extract tarball
        # TAR_DIR is exported through GITHUB_ENV for the build and test steps.
        run: |
          tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP"
          echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV"

      - name: Build
        run: make -C "$TAR_DIR" build-ci -j4 V=1

      - name: Test
        run: make -C "$TAR_DIR" test-ci -j1 V=1 TEST_CI_ARGS="-p dots --measure-flakiness 9"
close-stale-feature-requests perms .github/workflows/close-stale-feature-requests.yml
# Uses actions/stale to warn on and later close issues labelled
# `feature request` that have seen no activity.
name: Close stale feature requests
on:
# Can be started by hand in addition to the daily schedule.
workflow_dispatch:
schedule:
# Run every day at 1:00 AM UTC.
- cron: 0 1 * * *
# CLOSE_MESSAGE is passed to the action as `close-issue-message` and
# WARN_MESSAGE as `stale-issue-message` (see the `with:` block below).
# yamllint disable rule:empty-lines
env:
CLOSE_MESSAGE: >
There has been no activity on this feature request
and it is being closed. If you feel closing this issue is not the
right thing to do, please leave a comment.
For more information on how the project manages
feature requests, please consult the
[feature request management document](https://github.com/nodejs/node/blob/HEAD/doc/contributing/feature-request-management.md).
WARN_MESSAGE: >
There has been no activity on this feature request for
5 months. To help maintain relevant open issues, please
add the https://github.com/nodejs/node/labels/never-stale
label or close this issue if it should be closed. If not,
the issue will be automatically closed 6 months after the
last non-automated comment.
For more information on how the project manages
feature requests, please consult the
[feature request management document](https://github.com/nodejs/node/blob/HEAD/doc/contributing/feature-request-management.md).
# yamllint enable
permissions:
# Workflow-wide default; the job below declares its own, wider permissions.
contents: read
jobs:
stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
# Only run in the upstream repository, never in forks.
if: github.repository == 'nodejs/node'
runs-on: ubuntu-slim
steps:
# The action is pinned to a full commit SHA; the trailing comment records
# the release that SHA corresponds to.
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
# NOTE(review): 180 days is about six months, and closing follows 30 days
# later, while WARN_MESSAGE speaks of 5 and 6 months. Confirm which
# timing is intended.
days-before-stale: 180
days-before-close: 30
stale-issue-label: stale
close-issue-message: ${{ env.CLOSE_MESSAGE }}
stale-issue-message: ${{ env.WARN_MESSAGE }}
# Only issues carrying this label are considered.
only-labels: feature request
exempt-issue-labels: never-stale
# max requests it will send per run to the GitHub API before it deliberately exits to avoid hitting API rate limits
operations-per-run: 500
remove-stale-when-updated: true
close-stale-pull-requests perms .github/workflows/close-stale-pull-requests.yml
# Manually started job that marks old, inactive pull requests stale and
# closes them later, using a fork of actions/stale that accepts an end date.
name: Close stale pull requests
on:
# There is no schedule: the workflow only runs when someone dispatches it.
workflow_dispatch:
inputs:
endDate:
description: stop processing PRs after this date
required: false
type: string
# CLOSE_MESSAGE is passed to the action as `close-issue-message` and
# WARN_MESSAGE as `stale-issue-message` (see the `with:` block below).
# yamllint disable rule:empty-lines
env:
CLOSE_MESSAGE: >
This pull request was opened more than a year ago and there has
been no activity in the last 6 months. We value your contribution
but since it has not progressed in the last 6 months it is being
closed. If you feel closing this pull request is not the right thing
to do, please leave a comment.
WARN_MESSAGE: >
This pull request was opened more than a year ago and there has
been no activity in the last 5 months. We value your contribution
but since it has not progressed in the last 5 months it is being
marked stale and will be closed if there is no progress in the
next month. If you feel that is not the right thing to do please
comment on the pull request.
# yamllint enable
permissions:
# Workflow-wide default; the job below declares its own permissions.
contents: read
jobs:
stale:
permissions:
pull-requests: write # for actions/stale to close stale PRs
# Only run in the upstream repository, never in forks.
if: github.repository == 'nodejs/node'
runs-on: ubuntu-slim
steps:
# 525600 minutes is 365 days.
- name: Set default end date which is 1 year ago
run: echo "END_DATE=$(date --date='525600 minutes ago' --rfc-2822)" >> "$GITHUB_ENV"
# The dispatch input reaches the shell through an environment variable
# rather than being expanded into the script text, which keeps it out of
# the command line.
# NOTE(review): the value is still written to GITHUB_ENV unvalidated, so a
# value containing a line break could define further variables. Dispatching
# presumably requires write access to the repository; confirm that this is
# the only way to supply the input.
- name: if date set in event override the default end date
env:
END_DATE_INPUT_VALUE: ${{ github.event.inputs.endDate }}
if: ${{ github.event.inputs.endDate != '' }}
run: echo "END_DATE=$END_DATE_INPUT_VALUE" >> "$GITHUB_ENV"
# This is a personal fork pinned to a commit SHA, with no release tag in the
# trailing comment; the pinned commit is the only thing identifying the
# code that receives the write-scoped token.
- uses: mhdawson/stale@453d6581568dc43dbe345757f24408d7b451c651 # PR to add support for endDate
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
end-date: ${{ env.END_DATE }}
# -1 turns automatic handling off for issues, so only pull requests are
# processed here.
days-before-issue-stale: -1
days-before-issue-close: -1
days-before-stale: 150
days-before-close: 30
stale-issue-label: stale
close-issue-message: ${{ env.CLOSE_MESSAGE }}
stale-issue-message: ${{ env.WARN_MESSAGE }}
exempt-pr-labels: never-stale
# max requests it will send per run to the GitHub API before it deliberately exits to avoid hitting API rate limits
operations-per-run: 500
remove-stale-when-updated: true
close-stalled perms .github/workflows/close-stalled.yml
# Closes issues and pull requests that a collaborator has labelled `stalled`,
# 30 days after they were labelled, using actions/stale.
name: Close stalled issues and PRs
on:
schedule:
# Runs once a day at midnight.
- cron: 0 0 * * *
# CLOSE_MESSAGE is used for both the issue and the pull-request close message.
env:
CLOSE_MESSAGE: >
Closing this because it has stalled. Feel free to reopen if this issue/PR
is still relevant, or to ping the collaborator who labelled it stalled if
you have any questions.
permissions:
# Workflow-wide default; the job below declares its own, wider permissions.
contents: read
jobs:
stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
# Only run in the upstream repository, never in forks.
if: github.repository == 'nodejs/node'
runs-on: ubuntu-slim
steps:
# The action is pinned to a full commit SHA; the trailing comment records
# the release that SHA corresponds to.
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
days-before-close: 30
# The same label is used as the "stale" marker for issues and for PRs.
stale-pr-label: stalled
stale-issue-label: stalled
close-issue-message: ${{ env.CLOSE_MESSAGE }}
close-pr-message: ${{ env.CLOSE_MESSAGE }}
# used to filter issues to check whether or not should be closed, avoids hitting maximum operations allowed if needing to paginate through all open issues
only-labels: stalled
# max requests it will send per run to the GitHub API before it deliberately exits to avoid hitting API rate limits
operations-per-run: 500
# deactivates automatic stale labelling as we prefer to do that manually
days-before-stale: -1
codeql matrix perms security .github/workflows/codeql.yml
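# Runs a CodeQL scan over the C++, JavaScript and Python code once a day and
# uploads the results as code-scanning alerts.
name: Run CodeQL

on:
  schedule:
    - cron: '0 0 * * *'

# Workflow-wide default; the job below lists exactly what it needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-slim
    permissions:
      actions: read
      contents: read
      # Required to upload the analysis results.
      security-events: write
    strategy:
      # One language failing must not cancel the scans of the others.
      fail-fast: false
      matrix:
        language: [cpp, javascript, python]
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Matches the other workflows in this repository: the job token is
          # not left in the local git configuration, where the build that
          # Autobuild runs could read it. None of the later steps performs an
          # authenticated git operation.
          persist-credentials: false

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e  # v4.32.4
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql-config.yml

      - name: Autobuild
        uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e  # v4.32.4

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e  # v4.32.4
        with:
          # Keeps the results of each matrix language apart.
          category: /language:${{matrix.language}}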
comment-labeled perms .github/workflows/comment-labeled.yml
# Posts a canned comment when one of the `stalled`, `fast-track` or
# `notable-change` labels is added to an issue or pull request.
name: Comment on issues and PRs when labeled
on:
issues:
types: [labeled]
# pull_request_target runs in the context of the base repository, so the job
# token can be given write access even for pull requests from forks. None of
# the jobs below checks out or executes code from the pull request; they only
# call `gh` with the event's number and repository.
pull_request_target:
types: [labeled]
# The messages are defined once here and read by the steps as environment
# variables. `github.actor` is expanded into the variable's value, and each
# step passes the variable to `gh` inside double quotes, so the actor name
# never becomes part of the script text.
env:
STALE_MESSAGE: >
This issue/PR was marked as stalled, it will be automatically closed in 30 days.
If it should remain open, please leave a comment explaining why it should remain open.
FAST_TRACK_MESSAGE: Fast-track has been requested by @${{ github.actor }}. Please 👍 to approve.
NOTABLE_CHANGE_MESSAGE: |
The https://github.com/nodejs/node/labels/notable-change label has been added by @${{ github.actor }}.
Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the _Other Notable Changes_ section.
permissions:
# Workflow-wide default; every job below declares its own permissions.
contents: read
jobs:
stale-comment:
permissions:
issues: write
pull-requests: write
# Runs for both triggers, but only in the upstream repository and only for
# the `stalled` label.
if: github.repository == 'nodejs/node' && github.event.label.name == 'stalled'
runs-on: ubuntu-slim
steps:
- name: Post stalled comment
env:
# Whichever of the two numbers the triggering event carries.
NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh issue comment "$NUMBER" --repo ${{ github.repository }} --body "$STALE_MESSAGE"
fast-track:
permissions:
pull-requests: write
# Pull requests only: the event name is checked in addition to the label.
if: github.repository == 'nodejs/node' && github.event_name == 'pull_request_target' && github.event.label.name == 'fast-track'
runs-on: ubuntu-slim
steps:
- name: Request Fast-Track
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# NOTE(review): the pull-request number is expanded straight into the script
# here, while the stale-comment job passes it through the NUMBER variable.
# The value is a number taken from the event payload; using the same
# variable pattern in all three jobs would make that uniform.
run: gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --body "$FAST_TRACK_MESSAGE"
notable-change:
permissions:
pull-requests: write
# Pull requests only: the event name is checked in addition to the label.
if: github.repository == 'nodejs/node' && github.event_name == 'pull_request_target' && github.event.label.name == 'notable-change'
runs-on: ubuntu-slim
steps:
- name: Add notable change description
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --body "$NOTABLE_CHANGE_MESSAGE"
commit-lint perms .github/workflows/commit-lint.yml
# Validates the message of the first commit of a pull request with
# core-validate-commit.
name: First commit message adheres to guidelines

on:
  - pull_request

env:
  NODE_VERSION: lts/*

# The job only reads the repository; it is given no write scope and uses no
# secrets.
permissions:
  contents: read

jobs:
  lint-commit-message:
    runs-on: ubuntu-slim
    steps:
      # `github.event.pull_request.commits` is expanded into the script text
      # before the shell runs; it is the commit count from the event payload.
      - name: Compute number of commits in the PR
        id: nb-of-commits
        run: |
          echo "plusOne=$((${{ github.event.pull_request.commits }} + 1))" >> $GITHUB_OUTPUT
          echo "minusOne=$((${{ github.event.pull_request.commits }} - 1))" >> $GITHUB_OUTPUT

      # Fetch one commit more than the pull request contains.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: ${{ steps.nb-of-commits.outputs.plusOne }}
          persist-credentials: false

      # Presumably moves HEAD from the merge commit that was checked out to
      # its second parent, the head of the pull request.
      - run: git reset HEAD^2

      - name: Install Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}

      # NOTE(review): `npx` fetches core-validate-commit from the registry at
      # run time without a version pin.
      - name: Validate commit message
        run: |
          echo "::add-matcher::.github/workflows/commit-lint-problem-matcher.json"
          git rev-parse HEAD~${{ steps.nb-of-commits.outputs.minusOne }} | xargs npx -q core-validate-commit --no-validate-metadata --tap
commit-queue perms .github/workflows/commit-queue.yml
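# This action requires the following secrets to be set on the repository:
#   GH_USER_TOKEN: GitHub user token, to be used by ncu and to push changes
#   JENKINS_USER: GitHub user whose Jenkins token is defined below
#   JENKINS_TOKEN: Jenkins token, to be used to check CI status
name: Commit Queue

on:
  # `schedule` event is used instead of `pull_request` because when a
  # `pull_request` event is triggered on a PR from a fork, GITHUB_TOKEN will
  # be read-only, and the Action won't have access to any other repository
  # secrets, which it needs to access Jenkins API.
  schedule:
    - cron: '*/5 * * * *'

# All runs share one concurrency group, named after the workflow.
concurrency: ${{ github.workflow }}

env:
  NODE_VERSION: lts/*

# Default for the job token. Landing commits is done with GH_USER_TOKEN, not
# with this token.
permissions:
  contents: read

jobs:
  get_mergeable_prs:
    permissions:
      pull-requests: read
    # Only run in the upstream repository, never in forks.
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-slim
    outputs:
      numbers: ${{ steps.get_mergeable_prs.outputs.numbers }}
    steps:
      - name: Get Pull Requests
        id: get_mergeable_prs
        # Two queries, both excluding `blocked`: PRs labelled `commit-queue`
        # created at least two days ago, and PRs that also carry
        # `fast-track` regardless of age. The two lists are merged and
        # de-duplicated with jq.
        run: |
          prs=$(gh pr list \
                  --repo "$GITHUB_REPOSITORY" \
                  --base "$GITHUB_REF_NAME" \
                  --label 'commit-queue' \
                  --json 'number' \
                  --search "created:<=$(date --date="2 days ago" +"%Y-%m-%dT%H:%M:%S%z") -label:blocked" \
                  -t '{{ range . }}{{ .number }} {{ end }}' \
                  --limit 100)
          fast_track_prs=$(gh pr list \
                  --repo "$GITHUB_REPOSITORY" \
                  --base "$GITHUB_REF_NAME" \
                  --label 'commit-queue' \
                  --label 'fast-track' \
                  --search "-label:blocked" \
                  --json 'number' \
                  -t '{{ range . }}{{ .number }} {{ end }}' \
                  --limit 100)
          numbers=$(echo $prs' '$fast_track_prs | jq -r -s 'unique | join(" ")')
          echo "numbers=$numbers" >> "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  commitQueue:
    needs: get_mergeable_prs
    # Skip the job entirely when there is nothing to land.
    if: needs.get_mergeable_prs.outputs.numbers != ''
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # A personal token is required because pushing with GITHUB_TOKEN will
          # prevent commits from running CI after they land. It needs
          # to be set here because `checkout` configures GitHub authentication
          # for push as well.
          # As a consequence the personal token stays in the local git
          # configuration for every later step of this job.
          token: ${{ secrets.GH_USER_TOKEN }}

      # Install dependencies
      - name: Install Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}

      # NOTE(review): the package is installed without a version pin in a job
      # that holds a push-capable user token and the Jenkins token. Whatever
      # npm resolves at run time executes with those credentials; consider
      # pinning an exact version.
      - name: Install @node-core/utils
        run: npm install -g @node-core/utils

      - name: Set variables
        run: |
          echo "REPOSITORY=$(echo "$GITHUB_REPOSITORY" | cut -d/ -f2)" >> "$GITHUB_ENV"

      - name: Configure @node-core/utils
        # Secrets reach the script as environment variables and are quoted at
        # every use, so their values are never part of the script text.
        run: |
          ncu-config set branch "${GITHUB_REF_NAME}"
          ncu-config set upstream origin
          ncu-config set username "$USERNAME"
          ncu-config set token "$GITHUB_TOKEN"
          ncu-config set jenkins_token "$JENKINS_TOKEN"
          ncu-config set repo "${REPOSITORY}"
          ncu-config set owner "${GITHUB_REPOSITORY_OWNER}"
        env:
          USERNAME: ${{ secrets.JENKINS_USER }}
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
          JENKINS_TOKEN: ${{ secrets.JENKINS_TOKEN }}

      - name: Start the Commit Queue
        # The PR numbers are passed through the environment instead of being
        # expanded into the script text. $PR_NUMBERS is left unquoted on
        # purpose so that each number becomes its own argument.
        run: ./tools/actions/commit-queue.sh "${GITHUB_REPOSITORY_OWNER}" "${REPOSITORY}" $PR_NUMBERS
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
          PR_NUMBERS: ${{ needs.get_mergeable_prs.outputs.numbers }}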
coverage-linux perms .github/workflows/coverage-linux.yml
# Builds Node.js with coverage instrumentation on Linux, runs the tests and
# uploads the JavaScript and C++ coverage reports to Codecov.
name: Coverage Linux

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    paths:
      - lib/**/*.js
      - Makefile
      - src/**/*.cc
      - src/**/*.h
      - test/**
      - tools/gyp/**
      - tools/test.py
      - .github/workflows/coverage-linux.yml
      - codecov.yml
      - .nycrc
  push:
    branches:
      - main
    paths:
      - lib/**/*.js
      - Makefile
      - src/**/*.cc
      - src/**/*.h
      - test/**
      - tools/gyp/**
      - tools/test.py
      - .github/workflows/coverage-linux.yml
      - codecov.yml
      - .nycrc

# A newer run for the same pull-request branch cancels the one in progress;
# runs without a head ref fall back to the unique run id.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  # Quoted so the versions stay strings instead of being read as numbers.
  PYTHON_VERSION: '3.14'
  FLAKY_TESTS: keep_retrying
  CLANG_VERSION: '19'
  # sccache is put in front of the compiler only when the base branch or the
  # pushed ref is `main`; otherwise the prefix is empty.
  CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang-19
  CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang++-19
  SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
  SCCACHE_IDLE_TIMEOUT: '0'

# Read-only token for the job, which builds and runs pull-request code.
permissions:
  contents: read

jobs:
  coverage-linux:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-24.04-arm
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Do not leave the job token in the local git configuration.
          persist-credentials: false

      - name: Install Clang ${{ env.CLANG_VERSION }}
        uses: ./.github/actions/install-clang
        with:
          clang-version: ${{ env.CLANG_VERSION }}

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true

      - name: Set up sccache
        if: github.base_ref == 'main' || github.ref_name == 'main'
        uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
        with:
          version: v0.12.0

      - name: Environment Information
        run: npx envinfo

      - name: Install gcovr
        run: pip install gcovr==7.2

      - name: Configure
        run: ./configure --verbose --error-on-warn --coverage

      # TODO(bcoe): fix the couple tests that fail with the inspector enabled.
      # The cause is most likely coverage's use of the inspector.
      # Because of `|| exit 0`, this step succeeds even when the build or the
      # tests fail.
      - name: Build and test
        run: NODE_V8_COVERAGE=coverage/tmp make test-cov -j4 V=1 TEST_CI_ARGS="-p dots --measure-flakiness 9" || exit 0

      - name: Report JS
        run: npx c8 report --check-coverage
        env:
          NODE_OPTIONS: --max-old-space-size=8192

      # NOTE(review): the gcov wrapper is `llvm-cov-18` while the compiler
      # installed above is Clang 19 - confirm the version mismatch is intended.
      - name: Report C++
        run: gcovr --object-directory=out -v --filter src --xml -o ./coverage/coverage-cxx.xml --root=./ --gcov-executable="llvm-cov-18 gcov"

      # Clean temporary output from gcov and c8, so that it's not uploaded:
      - name: Clean tmp
        run: rm -rf coverage/tmp && rm -rf out

      - name: Upload
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
        with:
          directory: ./coverage
coverage-linux-without-intl perms .github/workflows/coverage-linux-without-intl.yml
# Same coverage run as the regular Linux coverage workflow, but with Node.js
# configured `--without-intl`.
name: Coverage Linux (without intl)

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    paths:
      - lib/**/*.js
      - Makefile
      - src/**/*.cc
      - src/**/*.h
      - test/**
      - tools/gyp/**
      - tools/test.py
      - .github/workflows/coverage-linux-without-intl.yml
      - codecov.yml
      - .nycrc
  push:
    branches:
      - main
    paths:
      - lib/**/*.js
      - Makefile
      - src/**/*.cc
      - src/**/*.h
      - test/**
      - tools/gyp/**
      - tools/test.py
      - .github/workflows/coverage-linux-without-intl.yml
      - codecov.yml
      - .nycrc

# A newer run for the same pull-request branch cancels the one in progress;
# runs without a head ref fall back to the unique run id.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  # Quoted so the versions stay strings instead of being read as numbers.
  PYTHON_VERSION: '3.14'
  FLAKY_TESTS: keep_retrying
  CLANG_VERSION: '19'
  # sccache is put in front of the compiler only when the base branch or the
  # pushed ref is `main`; otherwise the prefix is empty.
  CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang-19
  CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang++-19
  SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
  SCCACHE_IDLE_TIMEOUT: '0'

# Read-only token for the job, which builds and runs pull-request code.
permissions:
  contents: read

jobs:
  coverage-linux-without-intl:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Do not leave the job token in the local git configuration.
          persist-credentials: false

      - name: Install Clang ${{ env.CLANG_VERSION }}
        uses: ./.github/actions/install-clang
        with:
          clang-version: ${{ env.CLANG_VERSION }}

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true

      - name: Set up sccache
        if: github.base_ref == 'main' || github.ref_name == 'main'
        uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
        with:
          version: v0.12.0

      - name: Environment Information
        run: npx envinfo

      - name: Install gcovr
        run: pip install gcovr==7.2

      - name: Configure
        run: ./configure --verbose --error-on-warn --coverage --without-intl

      # TODO(bcoe): fix the couple tests that fail with the inspector enabled.
      # The cause is most likely coverage's use of the inspector.
      # Because of `|| exit 0`, this step succeeds even when the build or the
      # tests fail.
      - name: Build and test
        run: NODE_V8_COVERAGE=coverage/tmp make test-cov -j4 V=1 TEST_CI_ARGS="-p dots --measure-flakiness 9" || exit 0

      - name: Report JS
        run: npx c8 report --check-coverage
        env:
          NODE_OPTIONS: --max-old-space-size=8192

      # NOTE(review): the gcov wrapper is `llvm-cov-18` while the compiler
      # installed above is Clang 19 - confirm the version mismatch is intended.
      - name: Report C++
        run: gcovr --object-directory=out -v --filter src --xml -o ./coverage/coverage-cxx.xml --root=./ --gcov-executable="llvm-cov-18 gcov"

      # Clean temporary output from gcov and c8, so that it's not uploaded:
      - name: Clean tmp
        run: rm -rf coverage/tmp && rm -rf out

      - name: Upload
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
        with:
          directory: ./coverage
coverage-windows perms .github/workflows/coverage-windows.yml
# Builds Node.js on Windows, runs the JavaScript tests with V8 coverage
# enabled and uploads the report to Codecov.
name: Coverage Windows

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    # The final `!` entry re-includes this workflow file, which the `.**`
    # pattern above it would otherwise exclude.
    paths-ignore:
      - '**.md'
      - '**.nix'
      - eslint.config.mjs
      - '**/eslint.config_partial.mjs'
      - android-configure
      - android-configure.py
      - android-patches/**
      - benchmarks/**
      - doc/**
      - pyproject.yml
      - tsconfig.json
      - test/internet/**
      - tools/actions/**
      - tools/bootstrap/**
      - tools/dep_updaters/**
      - tools/doc/**
      - tools/eslint-rules/**
      - tools/eslint/**
      - tools/lint-md/**
      - typings/**
      - .**
      - '!.github/workflows/coverage-windows.yml'
  push:
    branches:
      - main
    paths-ignore:
      - '**.md'
      - '**.nix'
      - eslint.config.mjs
      - '**/eslint.config_partial.mjs'
      - android-configure
      - android-configure.py
      - android-patches/**
      - benchmarks/**
      - doc/**
      - pyproject.yml
      - tsconfig.json
      - test/internet/**
      - tools/actions/**
      - tools/bootstrap/**
      - tools/dep_updaters/**
      - tools/doc/**
      - tools/eslint-rules/**
      - tools/eslint/**
      - tools/lint-md/**
      - typings/**
      - .**
      - '!.github/workflows/coverage-windows.yml'

# A newer run for the same pull-request branch cancels the one in progress;
# runs without a head ref fall back to the unique run id.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  # Quoted so the version stays a string instead of being read as a number.
  PYTHON_VERSION: '3.14'
  FLAKY_TESTS: keep_retrying

# Read-only token for the job, which builds and runs pull-request code.
permissions:
  contents: read

jobs:
  coverage-windows:
    if: github.event.pull_request.draft == false
    runs-on: windows-2025
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Do not leave the job token in the local git configuration.
          persist-credentials: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true

      - name: Install deps
        run: choco install nasm

      # NOTE(review): RUSTC_VERSION is not defined in this workflow's `env`
      # block as shown, so the step name and `$RUSTC_VERSION` may be empty -
      # confirm where the value is expected to come from.
      - name: Install Rust ${{ env.RUSTC_VERSION }}
        run: |
          rustup override set "$RUSTC_VERSION"
          rustup --version

      - name: Environment Information
        run: npx envinfo

      - name: Build
        run: ./vcbuild.bat clang-cl v8temporal

      # TODO(bcoe): investigate tests that fail with coverage enabled
      # on Windows.
      # The trailing `node -e 'process.exit(0)'` makes the step succeed even
      # when the test run fails.
      - name: Test
        run: ./vcbuild.bat noprojgen nobuild test-ci-js; node -e 'process.exit(0)'
        env:
          NODE_V8_COVERAGE: ./coverage/tmp

      - name: Report
        run: npx c8 report
        env:
          NODE_OPTIONS: --max-old-space-size=8192

      - name: Clean tmp
        run: npx rimraf ./coverage/tmp

      - name: Upload
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
        with:
          directory: ./coverage
create-release-proposal perms .github/workflows/create-release-proposal.yml
# This action requires the following secrets to be set on the repository:
#   GH_USER_TOKEN: GitHub user token, to be used by ncu and to push changes
name: Create Release Proposal

on:
  workflow_dispatch:
    inputs:
      release-line:
        required: true
        type: number
        description: 'The release line (without dots or prefix). e.g: 22'
      release-date:
        required: true
        type: string
        description: The release date in YYYY-MM-DD format

# All runs share one concurrency group, named after the workflow.
concurrency: ${{ github.workflow }}

env:
  NODE_VERSION: lts/*

# Granted at workflow level, so the single job below runs with a job token
# that can write repository contents and pull requests.
permissions:
  contents: write
  pull-requests: write

jobs:
  releasePrepare:
    # The dispatch inputs are copied into environment variables once, here;
    # the scripts below read them as quoted shell variables instead of having
    # the raw input expanded into the script text.
    env:
      STAGING_BRANCH: v${{ inputs.release-line }}.x-staging
      RELEASE_BRANCH: v${{ inputs.release-line }}.x
      RELEASE_DATE: ${{ inputs.release-date }}
      RELEASE_LINE: ${{ inputs.release-line }}
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          ref: ${{ env.STAGING_BRANCH }}
          # Do not leave the job token in the local git configuration.
          persist-credentials: false

      # Install dependencies
      - name: Install Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}

      # NOTE(review): the package is installed without a version pin in a job
      # that holds a write-scoped job token and, in the last step, the bot's
      # user token. Consider pinning an exact version.
      - name: Install @node-core/utils
        run: npm install -g @node-core/utils

      - name: Configure @node-core/utils
        run: |
          ncu-config set branch "${RELEASE_BRANCH}"
          ncu-config set upstream origin
          ncu-config set username "$GITHUB_ACTOR"
          ncu-config set token "$GH_TOKEN"
          ncu-config set repo "$(echo "$GITHUB_REPOSITORY" | cut -d/ -f2)"
          ncu-config set owner "${GITHUB_REPOSITORY_OWNER}"
        env:
          GH_TOKEN: ${{ github.token }}

      # Writes the job token into a changelog-maker config file on disk.
      # NOTE(review): inside double quotes the `~` of the fallback path may not
      # be expanded by the shell; the step presumably relies on
      # XDG_CONFIG_HOME being set on the runner - confirm.
      - name: Set up ghauth config (Ubuntu)
        run: |
          mkdir -p "${XDG_CONFIG_HOME:-~/.config}/changelog-maker"
          jq --null-input '{user: env.GITHUB_ACTOR, token: env.TOKEN}' > "${XDG_CONFIG_HOME:-~/.config}/changelog-maker/config.json"
        env:
          TOKEN: ${{ github.token }}

      - name: Setup git author
        run: |
          git config --local user.email "github-bot@iojs.org"
          git config --local user.name "Node.js GitHub Bot"

      - name: Start git node release prepare
        # The curl command is to make sure we run the version of the script corresponding to the current workflow.
        # The URL is pinned to GITHUB_SHA, the commit this run was started for.
        run: |
          curl -fsSL https://github.com/${GITHUB_REPOSITORY}/raw/${GITHUB_SHA}/tools/actions/create-release-proposal.sh |\
          sh -s -- "${RELEASE_DATE}" "${RELEASE_LINE}" "${GITHUB_ACTOR}"
        env:
          GH_TOKEN: ${{ github.token }}
          # We want the bot to push the release commit so CI runs on it.
          BOT_TOKEN: ${{ secrets.GH_USER_TOKEN }}
daily perms .github/workflows/daily.yml
# Daily job that checks Node.js still builds with link-time optimisation
# using ninja.
name: Node.js daily job

on:
  # Can be started by hand in addition to the daily schedule.
  workflow_dispatch:
  schedule:
    - cron: 0 0 * * *

env:
  NODE_VERSION: lts/*

# Read-only token; the job only checks out and builds.
permissions:
  contents: read

jobs:
  build-lto:
    runs-on: ubuntu-24.04-arm
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Do not leave the job token in the local git configuration.
          persist-credentials: false

      - name: Use Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Environment Information
        run: npx envinfo

      - name: Build lto
        run: |
          sudo apt-get update && sudo apt-get install ninja-build -y
          ./configure --enable-lto --ninja
          ninja -C out/Release
daily-wpt-fyi matrix perms .github/workflows/daily-wpt-fyi.yml
# This workflow runs every night and tests various releases of Node.js
# (latest nightly, current, and two latest LTS release lines) against the
# `epochs/daily` branch of WPT.
name: Daily WPT report
on:
workflow_dispatch:
schedule:
# This is 20 minutes after `epochs/daily` branch is triggered to be created
# in WPT repo.
# https://github.com/web-platform-tests/wpt/blob/master/.github/workflows/epochs.yml
- cron: 30 0 * * *
env:
PYTHON_VERSION: '3.14'
permissions:
contents: read
jobs:
collect-versions:
if: github.repository == 'nodejs/node' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-slim
outputs:
matrix: ${{ steps.query.outputs.matrix }}
steps:
- id: query
run: |
matrix=$(curl -s https://raw.githubusercontent.com/nodejs/Release/refs/heads/main/schedule.json | jq -c --arg now "$(date +%Y-%m-%d)" '[with_entries(select(.value.end > $now and .value.start < $now)) | keys[] | ltrimstr("v") | tonumber] + ["latest-nightly"]')
echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
report:
  # Runs the WPT suite once per entry of the matrix produced by
  # `collect-versions` and uploads the resulting report.
  needs:
    - collect-versions
  strategy:
    matrix:
      node-version: ${{ fromJSON(needs.collect-versions.outputs.matrix) }}
    fail-fast: false
  runs-on: ubuntu-24.04-arm
  steps:
    - name: Set up Python ${{ env.PYTHON_VERSION }}
      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      with:
        python-version: ${{ env.PYTHON_VERSION }}
        allow-prereleases: true
    # NOTE(review): npx resolves `envinfo` at run time and no version is
    # given here, unlike the SHA-pinned actions in this job.
    - name: Environment Information
      run: npx envinfo
    # install a version and checkout
    # The nightly version string comes from the nodejs.org index and is
    # written to $GITHUB_ENV, where it becomes an environment variable for
    # every later step. $GITHUB_ENV is unquoted in this script.
    - name: Get latest nightly
      if: matrix.node-version == 'latest-nightly'
      run: echo "NIGHTLY=$(curl -s https://nodejs.org/download/nightly/index.json | jq -r '[.[] | select(.files[] | contains("linux-arm64"))][0].version')" >> $GITHUB_ENV
    - name: Install Node.js
      id: setup-node
      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
      with:
        node-version: ${{ env.NIGHTLY || matrix.node-version }}
        check-latest: true
    # Takes the part of process.version after "-nightlyYYYYMMDD" and asks the
    # GitHub API for the full commit SHA it abbreviates.
    - name: Get nightly ref
      if: contains(matrix.node-version, 'nightly')
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        SHORT_SHA=$(node -p 'process.version.split(/-nightly\d{8}/)[1]')
        echo "NIGHTLY_REF=$(gh api /repos/nodejs/node/commits/$SHORT_SHA --jq '.sha')" >> $GITHUB_ENV
    # persist-credentials: false keeps the checkout token out of the local
    # git configuration of the working tree.
    - name: Checkout ${{ steps.setup-node.outputs.node-version }}
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false
        ref: ${{ env.NIGHTLY_REF || steps.setup-node.outputs.node-version }}
    - name: Set env.NODE
      run: echo "NODE=$(which node)" >> $GITHUB_ENV
    # Resolves the epochs/daily branch of web-platform-tests/wpt to a commit
    # SHA so the checkout below uses a fixed revision.
    - name: Set env.WPT_REVISION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: echo "WPT_REVISION=$(gh api /repos/web-platform-tests/wpt/branches/epochs/daily --jq '.commit.sha')" >> $GITHUB_ENV
    # replace checked out WPT with the synchronized branch
    - name: Remove stale WPT
      run: rm -rf wpt
      working-directory: test/fixtures
    - name: Checkout epochs/daily WPT
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        repository: web-platform-tests/wpt
        persist-credentials: false
        path: test/fixtures/wpt
        clean: false
        ref: ${{ env.WPT_REVISION }}
    # Node.js WPT Runner
    # `|| true` discards the exit status of make; later steps run only when
    # the report file exists and WPT_REPORT has been set. No secret is in
    # this step's env.
    - name: Run WPT and generate report
      run: |
        make test-wpt-report || true
        if [ -e out/wpt/wptreport.json ]; then
          echo "WPT_REPORT=$(pwd)/out/wpt/wptreport.json" >> $GITHUB_ENV
        fi
    # Upload artifacts
    # NOTE(review): `${{ steps.setup-node.outputs.node-version }}` is expanded
    # into the script text before the shell runs, here and in the summary
    # line of the upload step; an `env:` entry would keep it as data.
    - name: Clone report for upload
      if: ${{ env.WPT_REPORT != '' }}
      working-directory: out/wpt
      run: cp wptreport.json wptreport-${{ steps.setup-node.outputs.node-version }}.json
    - name: Upload GitHub Actions artifact
      if: ${{ env.WPT_REPORT != '' }}
      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        path: out/wpt/wptreport-*.json
        name: WPT Report for ${{ steps.setup-node.outputs.node-version }}
        if-no-files-found: error
    # WPT_FYI_PASSWORD is set in this step's env only. The script posts the
    # gzipped report to the production and staging endpoints and, when the
    # response matches "Task <n> added to queue", adds links to the step
    # summary. `${origin:8}` drops the leading "https://".
    # $WPT_FYI_ENDPOINT is unquoted in the curl call; its only values are the
    # two literals in the `for` list.
    - name: Upload WPT Report to wpt.fyi API
      if: ${{ env.WPT_REPORT != '' }}
      env:
        WPT_FYI_USERNAME: ${{ vars.WPT_FYI_USERNAME }}
        WPT_FYI_PASSWORD: ${{ secrets.WPT_FYI_PASSWORD }}
      working-directory: out/wpt
      run: |
        gzip wptreport.json
        echo "## Node.js ${{ steps.setup-node.outputs.node-version }}" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "WPT Revision: [\`${WPT_REVISION:0:7}\`](https://github.com/web-platform-tests/wpt/commits/$WPT_REVISION)" >> $GITHUB_STEP_SUMMARY
        for WPT_FYI_ENDPOINT in "https://wpt.fyi/api/results/upload" "https://staging.wpt.fyi/api/results/upload"
        do
          response=$(curl -sS \
            -u "$WPT_FYI_USERNAME:$WPT_FYI_PASSWORD" \
            -F "result_file=@wptreport.json.gz" \
            -F "labels=master" \
            $WPT_FYI_ENDPOINT)
          if [[ $response =~ Task\ ([0-9]+)\ added\ to\ queue ]]; then
            run_id=${BASH_REMATCH[1]}
            origin=${WPT_FYI_ENDPOINT%/api/results/upload}
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "Run ID [\`$run_id\`]($origin/api/runs/$run_id) added to the processor queue at ${origin:8}" >> $GITHUB_STEP_SUMMARY
            echo "- [View on the ${origin:8} dashboard]($origin/results?run_id=$run_id)" >> $GITHUB_STEP_SUMMARY
          fi
        done
doc perms .github/workflows/doc.yml
# Builds the documentation, uploads it as an artifact and runs the doc tests.
name: Test and upload documentation to artifacts
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
  push:
    branches:
      - main
      - v[0-9]+.x-staging
      - v[0-9]+.x
# One run per PR head ref (or per run id on push); a newer run cancels the
# one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
env:
  NODE_VERSION: lts/*
# The workflow token is limited to reading repository contents.
permissions:
  contents: read
jobs:
  build-docs:
    # Skips draft pull requests.
    # NOTE(review): on push there is no pull_request object; the comparison
    # presumably still evaluates to true there - confirm.
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-slim
    steps:
      # persist-credentials: false keeps the token out of the checkout's git
      # configuration before repository code (make) runs.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Use Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      # NOTE(review): npx resolves `envinfo` at run time; no version is given.
      - name: Environment Information
        run: npx envinfo
      - name: Build
        run: NODE=$(command -v node) make doc-only
      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: docs
          path: out/doc
      - name: Test
        run: NODE=$(command -v node) make test-doc-ci TEST_CI_ARGS="-p actions --measure-flakiness 9"
find-inactive-collaborators perms .github/workflows/find-inactive-collaborators.yml
# Weekly job that runs tools/find-inactive-collaborators.mjs and opens or
# updates a pull request with the result.
name: Find inactive collaborators
on:
  schedule:
    # Run every Monday at 4:05 AM UTC.
    - cron: 5 4 * * 1
  workflow_dispatch:
env:
  NODE_VERSION: lts/*
# The workflow token is read-only; the pull request is created with the
# separate GH_USER_TOKEN secret below.
permissions:
  contents: read
jobs:
  find:
    # Only runs in the upstream repository, so forks do not execute it.
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-slim
    steps:
      # Full history (fetch-depth: 0); the checkout token is not persisted.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Use Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      # No secret is present in this step's env.
      - name: Find inactive collaborators
        run: tools/find-inactive-collaborators.mjs
      # NOTE(review): this action is pinned to a commit SHA but, unlike the
      # other pins in this file, carries no trailing version comment.
      - name: Open pull request
        uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
        # Creates a PR or update the Action's existing PR, or
        # no-op if the base branch is already up-to-date.
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
        with:
          author: Node.js GitHub Bot <github-bot@iojs.org>
          branch: actions/inactive-collaborators
          body: |
            This PR was generated by the [`find-inactive-collaborators.yml` workflow](https://github.com/nodejs/node/blob/main/.github/workflows/find-inactive-collaborators.yml).
            @nodejs/tsc Please follow up with the [offboarding tasks](https://github.com/nodejs/node/blob/main/doc/contributing/offboarding.md).
          commit-message: 'meta: move one or more collaborators to emeritus'
          labels: meta
          title: 'meta: move one or more collaborators to emeritus'
find-inactive-tsc perms .github/workflows/find-inactive-tsc.yml
# Weekly job that runs tools/find-inactive-tsc.mjs against this repository
# and a clone of nodejs/TSC, then opens or updates a pull request.
name: Find inactive TSC voting members
on:
  schedule:
    # Run every Tuesday 12:05 AM UTC.
    - cron: 5 0 * * 2
  workflow_dispatch:
env:
  NODE_VERSION: lts/*
# The workflow token is read-only; the pull request is created with the
# separate GH_USER_TOKEN secret below.
permissions:
  contents: read
jobs:
  find:
    # Only runs in the upstream repository.
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-slim
    steps:
      - name: Checkout the repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      # Second checkout: nodejs/TSC is cloned into .tmp inside the workspace.
      - name: Clone nodejs/TSC repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          path: .tmp
          persist-credentials: false
          repository: nodejs/TSC
      - name: Use Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      # Everything the script prints on stdout is appended to $GITHUB_ENV and
      # therefore defines environment variables for the next step, which
      # holds GH_USER_TOKEN.
      # NOTE(review): the script presumably prints only INACTIVE_TSC_HANDLES
      # and DETAILS_FOR_COMMIT_BODY, the two names read below - confirm in
      # tools/find-inactive-tsc.mjs. $GITHUB_ENV is unquoted here.
      - name: Find inactive TSC voting members
        run: tools/find-inactive-tsc.mjs >> $GITHUB_ENV
      # NOTE(review): this action is pinned to a commit SHA but carries no
      # trailing version comment.
      - name: Open pull request
        uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
        # Creates a PR or update the Action's existing PR, or
        # no-op if the base branch is already up-to-date.
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
        with:
          author: Node.js GitHub Bot <github-bot@iojs.org>
          branch: actions/inactive-tsc
          body: |
            This PR was generated by tools/find-inactive-tsc.yml.
            @nodejs/tsc ${{ env.INACTIVE_TSC_HANDLES }}
            ${{ env.DETAILS_FOR_COMMIT_BODY }}
          commit-message: 'meta: move TSC voting member(s) to regular member(s)'
          labels: meta
          title: 'meta: move TSC voting member(s) to regular member(s)'
          update-pull-request-title-and-body: true
label-flaky-test-issue perms .github/workflows/label-flaky-test-issue.yml
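# When an issue receives the `flaky-test` label, reads the "Platform" section
# of the issue body and adds the matching platform labels.
name: Label Flaky Test Issues
on:
  issues:
    types: [labeled]
# Default token scope for the workflow; the job widens it to issues: write.
permissions:
  contents: read
jobs:
  label:
    if: github.event.label.name == 'flaky-test'
    runs-on: ubuntu-slim
    permissions:
      issues: write
    steps:
      # The issue body is written by the issue author, so it reaches the
      # script through the BODY environment variable rather than being
      # expanded into the script text.
      # Each label appended to LABELS is a value of the platform2label map;
      # a platform name that is not a key contributes an empty entry.
      # NOTE(review): `echo $BODY` and `echo $row` are unquoted, so the body
      # text is word-split and glob-expanded by the shell before sed/xargs
      # see it - confirm this is acceptable for the issue-form format.
      - name: Extract labels
        id: extract-labels
        env:
          BODY: ${{ github.event.issue.body }}
        run: |
          BODY="${BODY//$'\n'/'\n'}"
          declare -A platform2label
          platform2label["AIX"]="aix";
          platform2label["FreeBSD"]="freebsd";
          platform2label["Linux ARM64"]="linux";
          platform2label["Linux PPC64LE"]="ppc";
          platform2label["Linux s390x"]="s390";
          platform2label["Linux x64"]="linux";
          platform2label["macOS ARM64"]="macos";
          platform2label["macOS x64"]="macos";
          platform2label["SmartOS"]="smartos";
          platform2label["Windows"]="windows";
          # sed is cleaning up the edges
          PLATFORMS=$(echo $BODY | sed 's/^.*Platform\\n\\n//' | sed 's/\(, Other\)\?\\n\\n.*$//') 2> /dev/null
          readarray -d , -t list <<< "$PLATFORMS"
          labels=
          for row in "${list[@]}"; do \
            platform=$(echo $row | xargs); \
            labels="${labels}${platform2label[$platform]},"; \
          done;
          echo "LABELS=${labels::-1}" >> $GITHUB_OUTPUT
      # The label list and the repository name are handed to the script as
      # environment variables and quoted, so the shell treats them as data
      # and the script text does not depend on the step output.
      - name: Add labels
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NUMBER: ${{ github.event.issue.number }}
          LABELS: ${{ steps.extract-labels.outputs.LABELS }}
        run: gh issue edit "$NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "$LABELS"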
label-pr perms .github/workflows/label-pr.yml
# Applies labels to newly opened pull requests.
name: Label PRs
on:
  # pull_request_target runs in the context of the base repository, which is
  # why the GH_USER_TOKEN secret is available for pull requests from forks.
  # This workflow has no checkout step and no `run:` script; its only step is
  # the SHA-pinned labeler action.
  pull_request_target:
    types: [opened]
permissions:
  contents: read
jobs:
  label:
    runs-on: ubuntu-slim
    steps:
      # NOTE(review): which ref the action reads the configuration file from
      # is not visible here - confirm it is the base branch, not the PR head.
      - uses: nodejs/node-pr-labeler@d4cf1b8b9f23189c37917000e5e17e796c770a6b # v1
        with:
          repo-token: ${{ secrets.GH_USER_TOKEN }}
          configuration-path: .github/label-pr-config.yml
license-builder perms .github/workflows/license-builder.yml
# Weekly job that regenerates the license file and opens or updates a pull
# request with the result.
name: License update
on:
  schedule:
    # 00:00:00 every Monday
    # https://crontab.guru/#0_0_*_*_1
    - cron: 0 0 * * 1
  workflow_dispatch:
# Workflow default is read-only; the single job below raises it.
permissions:
  contents: read
jobs:
  update_license:
    permissions:
      contents: write # for gr2m/create-or-update-pull-request-action to push local changes
      pull-requests: write # for gr2m/create-or-update-pull-request-action to create a PR
    # Only runs in the upstream repository.
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-slim
    steps:
      # The checkout token is not persisted, so the script below does not
      # find it in the working tree's git configuration.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - run: ./tools/license-builder.sh # Run the license builder tool
      # The write-scoped GITHUB_TOKEN is exposed to this step only.
      - uses: gr2m/create-or-update-pull-request-action@86ec1766034c8173518f61d2075cc2a173fb8c97 # v1.9.4
        # Creates a PR or update the Action's existing PR, or
        # no-op if the base branch is already up-to-date.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          author: Node.js GitHub Bot <github-bot@iojs.org>
          branch: actions/license-builder
          title: 'doc: run license-builder'
          body: >
            License is likely out of date. This is an automatically generated PR by
            the `license-builder.yml` GitHub Action, which runs `license-builder.sh`
            and submits a new PR or updates an existing PR.
          commit-message: 'doc: run license-builder'
          labels: meta
lint-release-proposal perms .github/workflows/lint-release-proposal.yml
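# Checks the head commit of a release proposal branch: title format, PR-URL
# trailer, release readiness, touched files and the CHANGELOG entry.
name: Linters (release proposals)
on:
  push:
    branches:
      - v[0-9]+.[0-9]+.[0-9]+-proposal
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
env:
  PYTHON_VERSION: '3.14'
  NODE_VERSION: lts/*
permissions:
  contents: read
jobs:
  lint-release-commit:
    runs-on: ubuntu-slim
    # Read-only token: repository contents plus pull request metadata for the
    # `gh pr view` and `gh api` calls below.
    permissions:
      contents: read
      pull-requests: read
    steps:
      # fetch-depth: 2 makes HEAD^ available to the diff in a later step.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 2
      # The subject is written to $GITHUB_ENV only after the grep has
      # accepted it; `%s` is the one-line subject of the commit.
      # The "Actual:" line prints the subject that is being checked.
      - name: Lint release commit title format
        run: |
          EXPECTED_TITLE='^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}, Version [[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+ (\(Current|'.+' \(LTS)\)$'
          echo "Expected commit title format: $EXPECTED_TITLE"
          COMMIT_SUBJECT="$(git --no-pager log -1 --format=%s)"
          echo "Actual: $COMMIT_SUBJECT"
          echo "$COMMIT_SUBJECT" | grep -q -E "$EXPECTED_TITLE"
          echo "COMMIT_SUBJECT=$COMMIT_SUBJECT" >> "$GITHUB_ENV"
      # The PR-URL trailer must be a pull request URL of this repository
      # before it is handed to `gh pr view`, and the head of that pull
      # request must be the pushed commit.
      - name: Lint release commit message trailers
        run: |
          EXPECTED_TRAILER="^$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/[[:digit:]]+\$"
          echo "Expected trailer format: $EXPECTED_TRAILER"
          PR_URL="$(git --no-pager log -1 --format='%(trailers:key=PR-URL,valueonly)')"
          echo "Actual: $PR_URL"
          echo "$PR_URL" | grep -E -q "$EXPECTED_TRAILER"
          PR_HEAD="$(gh pr view "$PR_URL" --json headRefOid -q .headRefOid)"
          echo "Head of $PR_URL: $PR_HEAD"
          echo "Current commit: $GITHUB_SHA"
          [ "$PR_HEAD" = "$GITHUB_SHA" ]
        env:
          GH_TOKEN: ${{ github.token }}
      - name: Verify it's release-ready
        run: |
          SKIP_XZ=1 make release-only
      # First pass: CHANGELOG.md, src/node_version.h and doc/changelogs/ must
      # each be modified relative to HEAD^. Second pass: nothing outside the
      # excluded paths may be touched by the commit.
      - name: Lint release commit content
        run: |
          MAJOR="$(awk '/^#define NODE_MAJOR_VERSION / { print $3 }' src/node_version.h)"
          echo "Checking for expected files in the release commit:"
          missing_expected=
          for expected in CHANGELOG.md src/node_version.h doc/changelogs/; do
            if git diff --exit-code --quiet --diff-filter=M HEAD^ -- "$expected"; then
              echo "Missing expected file in diff: $expected"
              missing_expected=1
            fi
          done
          [ -z "$missing_expected" ] || exit 1
          echo "Checking for unexpected files in the release commit:"
          set -ex
          [ -z "$(git diff-tree --no-commit-id --name-only -r HEAD --\
              . \
              ':(exclude)CHANGELOG.md' \
              ':(exclude)src/node_version.h' \
              ':(exclude)test/parallel/test-process-release.js' \
              ':(exclude)doc/api/' \
              ":(exclude)doc/changelogs/CHANGELOG_V$MAJOR.md")" ]
      # Checks the CHANGELOG section title, then walks the commits between
      # the v<MAJOR>.x branch and the pushed commit and rejects pull requests
      # that still carry a dont-land or lts-watch label for this release line.
      - name: Validate CHANGELOG
        id: releaser-info
        run: |
          EXPECTED_CHANGELOG_TITLE_INTRO="## $COMMIT_SUBJECT, @"
          echo "Expected CHANGELOG section title: $EXPECTED_CHANGELOG_TITLE_INTRO"
          MAJOR="$(awk '/^#define NODE_MAJOR_VERSION / { print $3 }' src/node_version.h)"
          CHANGELOG_PATH="doc/changelogs/CHANGELOG_V${MAJOR}.md"
          CHANGELOG_TITLE="$(grep "$EXPECTED_CHANGELOG_TITLE_INTRO" "$CHANGELOG_PATH")"
          echo "Actual: $CHANGELOG_TITLE"
          [ "${CHANGELOG_TITLE%%@*}@" = "$EXPECTED_CHANGELOG_TITLE_INTRO" ]
          gh api \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            --jq '.commits.[] | { smallSha: .sha[0:10] } + (.commit.message|capture("^(?<title>.+)\n\n(.*\n)*PR-URL: (?<prURL>.+)(\n|$)"))' \
            "/repos/${GITHUB_REPOSITORY}/compare/v${MAJOR}.x...$GITHUB_SHA" --paginate \
          | node tools/actions/lint-release-proposal-commit-list.mjs "$CHANGELOG_PATH" "$GITHUB_SHA" \
          | while IFS= read -r PR_URL; do
            DONT_LAND_LABEL="dont-land-on-v${MAJOR}.x" LTS_WATCH_LABEL="lts-watch-v${MAJOR}.x" gh pr view \
              --json labels,url \
              --jq '
                if (.labels|any(.name==env.DONT_LAND_LABEL)) then
                  error("\(.url) has the \(env.DONT_LAND_LABEL) label, forbidding it to be in this release proposal")
                elif (.labels|any(.name==env.LTS_WATCH_LABEL)) then
                  error("\(.url) has the \(env.LTS_WATCH_LABEL) label, please remove the label now that the PR is included in a release proposal")
                end
              ' \
              "$PR_URL" > /dev/null
          done
        shell: bash # See https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference, we want the pipefail option.
        env:
          GH_TOKEN: ${{ github.token }}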
linters perms .github/workflows/linters.yml
# Lint jobs for pull requests and for pushes to main and the release
# branches. Every checkout uses persist-credentials: false, so the checkout
# token is not left in the git configuration while repository code runs.
name: Linters
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
  push:
    branches:
      - main
      - v[0-9]+.x-staging
      - v[0-9]+.x
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
env:
  PYTHON_VERSION: '3.14'
  NODE_VERSION: lts/*
# Read-only workflow token; no job in this file raises it.
permissions:
  contents: read
jobs:
  lint-addon-docs:
    # Skips draft pull requests. The same condition is used by most jobs
    # below.
    # NOTE(review): on push there is no pull_request object; the comparison
    # presumably still evaluates to true there - confirm.
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Use Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      # NOTE(review): npx resolves `envinfo` at run time; no version is
      # given. The same step appears in several jobs below.
      - name: Environment Information
        run: npx envinfo
      - name: Lint addon docs
        run: NODE=$(command -v node) make lint-addon-docs
  lint-cpp:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true
      - name: Environment Information
        run: npx envinfo
      - name: Lint C/C++ files
        run: make lint-cpp
  format-cpp:
    # Only for non-draft pull requests that target the default branch.
    if: ${{ github.event.pull_request && github.event.pull_request.draft == false && github.base_ref == github.event.repository.default_branch }}
    runs-on: ubuntu-slim
    steps:
      # Full history is fetched so `git merge-base` can find the base commit.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Use Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true
      - name: Environment Information
        run: npx envinfo
      # The base ref is read from the GITHUB_BASE_REF environment variable,
      # not from a `${{ }}` expression expanded into the script.
      - name: Format C/C++ files
        run: |
          make format-cpp-build
          # The `make format-cpp` error code is intentionally ignored here
          # because it is irrelevant. We already check if the formatter produced
          # a diff in the next line.
          # Refs: https://github.com/nodejs/node/pull/42764
          CLANG_FORMAT_START="$(git merge-base HEAD refs/remotes/origin/$GITHUB_BASE_REF)" \
            make format-cpp || true
          git --no-pager diff --exit-code && EXIT_CODE="$?" || EXIT_CODE="$?"
          if [ "$EXIT_CODE" != "0" ]
          then
            echo
            echo 'ERROR: Please run:'
            echo
            echo " CLANG_FORMAT_START="$\(git merge-base HEAD ${GITHUB_BASE_REF}\)" make format-cpp"
            echo
            echo 'to format the commits in your branch.'
            exit "$EXIT_CODE"
          fi
  lint-js-and-md:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Use Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Environment Information
        run: npx envinfo
      # `set +e` lets the script continue after a lint failure so it can
      # print guidance; the original exit code is returned at the end.
      - name: Lint JavaScript files
        run: |
          set +e
          NODE=$(command -v node) make lint-js
          EXIT_CODE="$?"
          if [ "$EXIT_CODE" != "0" ]; then
            echo
            echo 'ERROR: The JavaScript lint validation failed (the errors are logged above).'
            echo ' Please fix the lint errors.'
            if NODE=$(command -v node) make lint-js-fix > /dev/null 2>&1; then
              echo ' Run:'
              echo ' make lint-js-fix'
              echo ' to fix the lint issues.'
              git --no-pager diff
            elif git diff --quiet --exit-code; then
              echo ' None of the issue is auto-fixable, so manual fixes for'
              echo ' all of the issues are required.'
            else
              echo ' Run:'
              echo ' make lint-js-fix'
              echo ' to fix the auto-fixable lint issues.'
              echo ' Note that some manual fixes are also required.'
            fi
            echo
            exit "$EXIT_CODE"
          fi
      # The stdout of a script from the checked-out tree is appended to
      # $GITHUB_OUTPUT, so on pull requests the step outputs are whatever
      # the PR's copy of that script prints. $GITHUB_OUTPUT is unquoted.
      - name: Get release version numbers
        if: ${{ github.event.pull_request && github.event.pull_request.base.ref == github.event.pull_request.base.repo.default_branch }}
        id: get-released-versions
        run: ./tools/lint-md/list-released-versions-from-changelogs.mjs >> $GITHUB_OUTPUT
      - name: Lint markdown files
        run: |
          echo "::add-matcher::.github/workflows/remark-lint-problem-matcher.json"
          NODE=$(command -v node) make lint-md
        env:
          NODE_RELEASED_VERSIONS: ${{ steps.get-released-versions.outputs.NODE_RELEASED_VERSIONS }}
  lint-nix:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-slim
    steps:
      # Sparse checkout: only *.nix files are materialised.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          sparse-checkout: '*.nix'
          sparse-checkout-cone-mode: false
      - uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1
      - name: Lint Nix files
        run: |
          nix-shell -I nixpkgs=./tools/nix/pkgs.nix -p 'nixfmt-tree' --run '
            treefmt --quiet --ci
          ' && EXIT_CODE="$?" || EXIT_CODE="$?"
          if [ "$EXIT_CODE" != "0" ]
          then
            git --no-pager diff || true
            exit "$EXIT_CODE"
          fi
  lint-py:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          sparse-checkout: |
            /Makefile
            /benchmark/
            /doc/
            /lib/
            /src/node_version.h
            /tools/
            pyproject.toml
            *.py
          sparse-checkout-cone-mode: false
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true
      - name: Environment Information
        run: npx envinfo
      - name: Lint Python
        run: |
          make lint-py-build
          make lint-py
  lint-yaml:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          sparse-checkout: |
            /Makefile
            /tools/pip/
            *.yml
            *.yaml
          sparse-checkout-cone-mode: false
      - name: Use Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true
      - name: Environment Information
        run: npx envinfo
      # A failure of the build target is ignored (`|| true`); only the
      # result of `make lint-yaml` decides the step.
      - name: Lint YAML
        run: |
          make lint-yaml-build || true
          make lint-yaml
  lint-sh:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          sparse-checkout: |
            /tools/lint-sh.mjs
            *.sh
          sparse-checkout-cone-mode: false
      - run: shellcheck -V
      - name: Lint Shell scripts
        run: tools/lint-sh.mjs .
  lint-codeowners:
    if: github.event.pull_request.draft == false
    # cannot use ubuntu-slim here because mszostok/codeowners-validator is dockerized
    # cannot use ubuntu-24.04-arm here because the docker image is x86 only
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # NOTE(review): pinned to a commit SHA without a trailing version
      # comment; whether the container image it runs is pinned as well is
      # not visible here.
      - uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
        with:
          checks: files,duppatterns
  lint-pr-url:
    if: ${{ github.event.pull_request }}
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 2
          persist-credentials: false
          sparse-checkout: |
            /tools/lint-pr-url.mjs
            /doc/api/
          sparse-checkout-cone-mode: false
      # GH Actions squashes all PR commits, HEAD^ refers to the base branch.
      # NOTE(review): the PR URL is expanded into the script text and passed
      # unquoted; an `env:` entry and a quoted variable would keep it as data.
      - run: git diff HEAD^ HEAD -G"pr-url:" -- "*.md" | ./tools/lint-pr-url.mjs ${{ github.event.pull_request.html_url }}
  lint-readme:
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          sparse-checkout: |
            README.md
            /tools/lint-readme-lists.mjs
          sparse-checkout-cone-mode: false
      # GH_USER_TOKEN is exposed to this step only, and the step runs an
      # inline script (`gh api`) rather than a file from the checkout. When
      # the token is empty the team queries are skipped.
      # Each `gh api` call prints one `<team>=<json array of logins>` line,
      # which becomes a step output.
      - name: Get team members if possible
        if: ${{ (github.event.pull_request && github.event.pull_request.base.ref == github.event.pull_request.base.repo.default_branch) || github.event.ref == github.event.repository.default_branch }}
        id: team_members
        run: |
          get_list_members() {
            TEAM="$1"
            QUOTE='"'
            gh api "/orgs/nodejs/teams/$TEAM/members" -X GET -f per_page=100 --jq "map(.login) | ${QUOTE}${TEAM}=\(tojson)${QUOTE}"
          }
          [ -z "$GITHUB_TOKEN" ] || (
            get_list_members "collaborators"
            get_list_members "issue-triage"
            get_list_members "tsc"
          ) >> "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
      # The script from the checkout receives the team lists through the
      # TEAMS variable; the token is not in this step's env.
      - run: tools/lint-readme-lists.mjs "$TEAMS"
        env:
          TEAMS: ${{ tojson(steps.team_members.outputs) }}
major-release perms .github/workflows/major-release.yml
# Twice a year, opens a reminder issue about the next semver-major release.
name: Major Release
on:
  schedule:
    - cron: 0 0 15 2,8 * # runs at midnight UTC every 15 February and 15 August
# Workflow default is read-only; the job adds issues: write.
permissions:
  contents: read
jobs:
  create-issue:
    # Only runs in the upstream repository.
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-slim
    permissions:
      issues: write
    steps:
      # Re-checks the date inside the job; every later step is gated on the
      # create_issue variable written to $GITHUB_ENV here.
      - name: Check for release schedule
        id: check-date
        run: |
          # Get the current month and day
          MONTH=$(date +'%m')
          DAY=$(date +'%d')
          # We'll create the reminder issue two months prior the release
          if [[ "$MONTH" == "02" || "$MONTH" == "08" ]] && [[ "$DAY" == "15" ]]; then
            echo "create_issue=true" >> "$GITHUB_ENV"
          fi
      # Picks the first schedule entry whose start date is in the future and
      # writes VERSION and RELEASE_DATE to $GITHUB_ENV.
      # NOTE(review): the key and start value from the downloaded JSON are
      # written to $GITHUB_ENV with `jq -r`, i.e. unescaped; a value
      # containing a line break would add further variables. The step sets
      # no `shell:`, so a curl failure inside the pipe is presumably not
      # fatal on its own - confirm.
      - name: Retrieve next major release info from nodejs/Release
        if: env.create_issue == 'true'
        run: |
          curl -L https://github.com/nodejs/Release/raw/HEAD/schedule.json | \
            jq -r 'to_entries | map(select(.value.start | strptime("%Y-%m-%d") | mktime > now)) | first | "VERSION=" + .key + "\nRELEASE_DATE=" + .value.start' >> "$GITHUB_ENV"
      - name: Compute max date for landing semver-major PRs
        if: env.create_issue == 'true'
        run: |
          echo "PR_MAX_DATE=$(date -d "$RELEASE_DATE -1 month" +%Y-%m-%d)" >> "$GITHUB_ENV"
      # The issue body is an unquoted here-document, so the shell expands
      # RELEASE_DATE and PR_MAX_DATE inside it; the token is scoped to this
      # step.
      - name: Create release announcement issue
        if: env.create_issue == 'true'
        run: |
          gh issue create --repo "${GITHUB_REPOSITORY}" \
            --title "Upcoming Node.js Major Release ($VERSION)" \
            --body-file -<<EOF
          A reminder that the next Node.js **SemVer Major release** is scheduled for **${RELEASE_DATE}**.
          All commits that were landed until **${PR_MAX_DATE}** (one month prior to the release) will be included in the next semver major release. Please ensure that any necessary preparations are made in advance.
          For more details on the release process, consult the [Node.js Release Working Group repository](https://github.com/nodejs/release).
          cc: @nodejs/collaborators
          EOF
        env:
          GH_TOKEN: ${{ github.token }}
notify-on-push perms .github/workflows/notify-on-push.yml
# Sends Slack notifications for force pushes to main and for pushed commits
# whose message fails validation.
on:
  push:
    branches:
      - main
name: Notify on Push
permissions:
  contents: read
jobs:
  notifyOnForcePush:
    name: Notify on Force Push on `main`
    # Only in the upstream repository, and only when the push was forced.
    if: github.repository == 'nodejs/node' && github.event.forced
    # cannot use ubuntu-slim here because rtCamp/action-slack-notify is dockerized
    runs-on: ubuntu-24.04-arm
    steps:
      # The expressions below are expanded into environment variable values
      # for the action, not into a shell script. The webhook secret is
      # scoped to this step.
      - name: Slack Notification
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3
        env:
          SLACK_COLOR: '#DE512A'
          SLACK_ICON: https://github.com/nodejs.png?size=48
          SLACK_TITLE: ${{ github.actor }} force-pushed to ${{ github.ref }}
          SLACK_MESSAGE: |
            <!here> A commit was force-pushed to <https://github.com/${{ github.repository }}/tree/${{ github.ref_name }}|${{ github.repository }}@${{ github.ref_name }}> by <https://github.com/${{ github.actor }}|${{ github.actor }}>
            Before: <https://github.com/${{ github.repository }}/commit/${{ github.event.before }}|${{ github.event.before }}>
            After: <https://github.com/${{ github.repository }}/commit/${{ github.event.after }}|${{ github.event.after }}>
          SLACK_USERNAME: nodejs-bot
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
  validateCommitMessage:
    name: Notify on Push on `main` with invalid message
    # cannot use ubuntu-slim here because rtCamp/action-slack-notify is dockerized
    runs-on: ubuntu-24.04-arm
    steps:
      # The pushed commits (author-controlled text) reach the script through
      # the COMMITS environment variable and are piped to the validator on
      # stdin. No secret is in this step's env.
      # NOTE(review): npx resolves `core-validate-commit` at run time; no
      # version is given.
      - name: Validate commits
        run: echo "$COMMITS" | npx -q core-validate-commit -
        id: commit-check
        env:
          COMMITS: ${{ toJSON(github.event.commits) }}
      # Runs only when the validation step failed and only in the upstream
      # repository; the validation step itself has no repository guard.
      - name: Slack Notification
        if: ${{ failure() && steps.commit-check.conclusion == 'failure' && github.repository == 'nodejs/node' }}
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3
        env:
          SLACK_COLOR: '#DE512A'
          SLACK_ICON: https://github.com/nodejs.png?size=48
          SLACK_TITLE: Invalid commit was pushed to ${{ github.ref }}
          SLACK_MESSAGE: |
            <!here> A commit with an invalid message was pushed to <https://github.com/${{ github.repository }}/tree/${{ github.ref_name }}|${{ github.repository }}@${{ github.ref_name }}> by <https://github.com/${{ github.actor }}|${{ github.actor }}>.
            Before: <https://github.com/${{ github.repository }}/commit/${{ github.event.before }}|${{ github.event.before }}>
            After: <https://github.com/${{ github.repository }}/commit/${{ github.event.after }}|${{ github.event.after }}>
          SLACK_USERNAME: nodejs-bot
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
notify-on-review-wanted perms .github/workflows/notify-on-review-wanted.yml
# Posts a Slack message when an issue or pull request receives the
# `review wanted` label.
name: Notify on Review Wanted
on:
  issues:
    types: [labeled]
  # pull_request_target runs in the context of the base repository, so the
  # Slack webhook secret is available for pull requests from forks. The job
  # has no checkout step; it runs an inline script and the Slack action.
  pull_request_target:
    types: [labeled]
permissions:
  contents: read
jobs:
  notifyOnReviewWanted:
    name: Notify on Review Wanted
    if: github.repository == 'nodejs/node' && github.event.label.name == 'review wanted'
    # cannot use ubuntu-slim here because rtCamp/action-slack-notify is dockerized
    runs-on: ubuntu-24.04-arm
    steps:
      # The issue and pull request titles are author-controlled text; they
      # reach the script through TITLE_ISSUE / TITLE_PR rather than being
      # expanded into the script text. The values that are expanded inline
      # are the issue or pull request number and the repository name.
      # NOTE(review): the title is written to $GITHUB_OUTPUT as
      # `title=<value>`; this presumably relies on titles being a single
      # line - confirm.
      - name: Determine PR or Issue
        id: define-message
        env:
          TITLE_ISSUE: ${{ github.event.issue.title }}
          TITLE_PR: ${{ github.event.pull_request.title }}
        run: |
          if [[ -n "${{ github.event.pull_request.number }}" ]]; then
            number="${{ github.event.pull_request.number }}"
            link="https://github.com/${{ github.repository }}/pull/$number"
            echo "message=The PR (#$number) requires review from Node.js maintainers. See: $link" >> "$GITHUB_OUTPUT"
            echo "title=$TITLE_PR" >> "$GITHUB_OUTPUT"
          else
            number="${{ github.event.issue.number }}"
            link="https://github.com/${{ github.repository }}/issues/$number"
            echo "message=The issue (#$number) requires review from Node.js maintainers. See: $link" >> "$GITHUB_OUTPUT"
            echo "title=$TITLE_ISSUE" >> "$GITHUB_OUTPUT"
          fi
      # The step outputs become environment variable values for the action;
      # the webhook secret is scoped to this step.
      - name: Slack Notification
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3
        env:
          MSG_MINIMAL: actions url
          SLACK_COLOR: '#3d85c6'
          SLACK_ICON: https://github.com/nodejs.png?size=48
          SLACK_TITLE: ${{ steps.define-message.outputs.title }}
          SLACK_MESSAGE: ${{ steps.define-message.outputs.message }}
          SLACK_USERNAME: nodejs-bot
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
post-release perms .github/workflows/post-release.yml
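# After a release is published (or on manual dispatch), triggers follow-up
# workflows in two other nodejs repositories.
name: Post-Release actions
on:
  workflow_dispatch:
    inputs:
      version:
        description: The version to generate a blog post for.
        type: string
        required: true
  release:
    types: [released]
# The workflow token is read-only; the cross-repository dispatches use the
# separate GH_USER_TOKEN secret.
permissions:
  contents: read
jobs:
  post-release-actions:
    # Only runs in the upstream repository.
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-slim
    steps:
      - name: Trigger update-links workflow on nodejs/release-cloudflare-worker
        run: |
          gh workflow run update-links.yml --repo nodejs/release-cloudflare-worker
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
      # VERSION is either the free-form dispatch input or the release tag
      # name. It is passed through the environment and quoted as a single
      # `-f` field, so whitespace or glob characters in the value cannot
      # turn into additional `gh` arguments.
      - name: Trigger create-release-post workflow on nodejs/nodejs.org
        run: |
          gh workflow run create-release-post.yml --repo nodejs/nodejs.org -f "version=$VERSION"
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
          VERSION: ${{ inputs.version || github.event.release.tag_name }}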
scorecard perms security .github/workflows/scorecard.yml
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
name: Scorecard supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: 16 21 * * 1
  push:
    branches: [main]
  workflow_dispatch:
# Declare default permissions as read only.
permissions: read-all
jobs:
  analysis:
    name: Scorecard analysis
    # cannot use ubuntu-slim here because ossf/scorecard-action is dockerized
    # cannot use ubuntu-24.04-arm here because the docker image is x86 only
    runs-on: ubuntu-latest
    # Job-level permissions: only the two scopes listed below are declared
    # for this job's token.
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read
    steps:
      # The egress policy is `audit`, not `block`; the TODO on the line
      # below is still open.
      - name: Harden Runner
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run analysis
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # Public repositories:
          # - Publish results to OpenSSF REST API for easy access by consumers
          # - Allows the repository to include the Scorecard badge.
          # - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          # - `publish_results` will always be set to `false`, regardless
          # of the value entered here.
          publish_results: true
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: Upload artifact
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      # Upload the results to GitHub's code scanning dashboard.
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          sarif_file: results.sarif
# Test internet: triggers, shared build environment and default token scope.
name: Test internet

on:
  # Manual runs.
  workflow_dispatch:
  schedule:
    # Every day at minute 5 of hour 0.
    - cron: '5 0 * * *'
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    # Only changes to these paths start a run.
    paths:
      - .github/workflows/test-internet.yml
      - test/internet/**
      - internal/dns/**
      - lib/dns.js
      - lib/net.js
  push:
    branches:
      - main
      - canary
      - v[0-9]+.x-staging
      - v[0-9]+.x
    paths:
      - .github/workflows/test-internet.yml
      - test/internet/**
      - internal/dns/**
      - lib/dns.js
      - lib/net.js

# Runs are grouped by workflow name plus PR head ref (run id when there is no
# head ref); a newer run in the same group cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  PYTHON_VERSION: '3.14'
  FLAKY_TESTS: keep_retrying
  CLANG_VERSION: '19'
  # The compiler is prefixed with sccache only when the base branch or the ref
  # name is main; otherwise the prefix is the empty string.
  CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang-19
  CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang++-19
  SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
  SCCACHE_IDLE_TIMEOUT: '0'

# Default GITHUB_TOKEN scope for every job: read-only repository contents.
permissions:
  contents: read
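jobs:
  # Builds Node.js with Clang on an arm64 runner and runs `make test-internet`.
  test-internet:
    # Skip draft PRs, and skip scheduled runs outside nodejs/node.
    # `github.event.pull_request.draft` is unset on non-PR events and compares
    # equal to `false` there (this workflow's push and manual triggers depend on
    # that). Joined with `||`, the draft test alone would therefore let every
    # scheduled run through, so the repository guard is AND-ed with it instead.
    if: (github.event_name != 'schedule' || github.repository == 'nodejs/node') && github.event.pull_request.draft == false
    runs-on: ubuntu-24.04-arm
    steps:
      # persist-credentials: false keeps the checkout token out of the local
      # git config, so the build and test steps cannot read it from there.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false

      - name: Install Clang ${{ env.CLANG_VERSION }}
        uses: ./.github/actions/install-clang
        with:
          clang-version: ${{ env.CLANG_VERSION }}

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true

      # Same condition as the sccache prefix in CC/CXX.
      - name: Set up sccache
        if: github.base_ref == 'main' || github.ref_name == 'main'
        uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
        with:
          version: v0.12.0

      - name: Environment Information
        run: npx envinfo

      - name: Build
        run: make build-ci -j4 V=1 CONFIG_FLAGS="--error-on-warn"

      - name: Test Internet
        run: make test-internet -j4 V=1;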
test-linux matrix perms .github/workflows/test-linux.yml
# Test Linux: triggers, shared build environment and default token scope.
name: Test Linux

on:
  pull_request:
    # Changes limited to these paths do not start a run; the `!` entry
    # re-includes this workflow file itself.
    paths-ignore:
      - .mailmap
      - README.md
      - vcbuild.bat
      - test/internet/**
      - '**.nix'
      - .github/**
      - '!.github/workflows/test-linux.yml'
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
  push:
    branches:
      - main
      - canary
      - v[0-9]+.x-staging
      - v[0-9]+.x
    paths-ignore:
      - .mailmap
      - README.md
      - vcbuild.bat
      - test/internet/**
      - '**.nix'
      - .github/**
      - '!.github/workflows/test-linux.yml'

# Runs are grouped by workflow name plus PR head ref (run id when there is no
# head ref); a newer run in the same group cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  PYTHON_VERSION: '3.14'
  FLAKY_TESTS: keep_retrying
  CLANG_VERSION: '19'
  # The compiler is prefixed with sccache only when the base branch or the ref
  # name is main; otherwise the prefix is the empty string.
  CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang-19
  CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang++-19
  SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
  SCCACHE_IDLE_TIMEOUT: '0'
  RUSTC_VERSION: '1.82'

# Default GITHUB_TOKEN scope for every job: read-only repository contents.
permissions:
  contents: read
jobs:
  # Builds and tests Node.js on x64 and arm64 Ubuntu runners.
  test-linux:
    # False only for draft pull requests.
    if: github.event.pull_request.draft == false
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-24.04
          - ubuntu-24.04-arm
    steps:
      # The repository is checked out into ./node; persist-credentials: false
      # keeps the checkout token out of the local git config, so the build and
      # test steps cannot read it from there.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
          path: node

      - name: Install Clang ${{ env.CLANG_VERSION }}
        uses: ./node/.github/actions/install-clang
        with:
          clang-version: ${{ env.CLANG_VERSION }}

      # The version reaches the shell as the quoted variable "$RUSTC_VERSION".
      - name: Install Rust ${{ env.RUSTC_VERSION }}
        run: |
          rustup override set "$RUSTC_VERSION"
          rustup --version

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true

      # Same condition as the sccache prefix in CC/CXX.
      - name: Set up sccache
        if: github.base_ref == 'main' || github.ref_name == 'main'
        uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
        with:
          version: v0.12.0

      - name: Environment Information
        run: npx envinfo

      - name: Build
        run: make -C node build-ci -j4 V=1 CONFIG_FLAGS="--error-on-warn --v8-enable-temporal-support"

      - name: Test
        run: make -C node test-ci -j1 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9"

      # The directory name is full of shell metacharacters. It is handed over
      # through the environment and always expanded inside double quotes, so
      # the shell treats it as data.
      - name: Re-run test in a folder whose name contains unusual chars
        run: |
          mv node "$DIR"
          cd "$DIR"
          ./tools/test.py --flaky-tests keep_retrying -p actions -j 4
        env:
          DIR: dir%20with $unusual"chars?'åß∂ƒ©∆¬…`
test-macos perms .github/workflows/test-macos.yml
# Test macOS: triggers, shared tool versions and default token scope.
name: Test macOS

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    # Changes limited to these paths do not start a run; the `!` entry
    # re-includes this workflow file itself after the `.**` exclusion.
    paths-ignore:
      - '**.md'
      - '**.nix'
      - eslint.config.mjs
      - '**/eslint.config_partial.mjs'
      - android-configure
      - android-configure.py
      - android-patches/**
      - benchmarks/**
      - codecov.yml
      - doc/**
      - pyproject.yml
      - tsconfig.json
      - test/internet/**
      - tools/actions/**
      - tools/dep_updaters/**
      - tools/doc/**
      - tools/eslint-rules/**
      - tools/eslint/**
      - tools/lint-md/**
      - typings/**
      - vcbuild.bat
      - .**
      - '!.github/workflows/test-macos.yml'
  push:
    branches:
      - main
      - canary
      - v[0-9]+.x-staging
      - v[0-9]+.x
    paths-ignore:
      - '**.md'
      - '**.nix'
      - eslint.config.mjs
      - '**/eslint.config_partial.mjs'
      - android-configure
      - android-configure.py
      - android-patches/**
      - benchmarks/**
      - codecov.yml
      - doc/**
      - pyproject.yml
      - tsconfig.json
      - test/internet/**
      - tools/actions/**
      - tools/dep_updaters/**
      - tools/doc/**
      - tools/eslint-rules/**
      - tools/eslint/**
      - tools/lint-md/**
      - typings/**
      - vcbuild.bat
      - .**
      - '!.github/workflows/test-macos.yml'

# Runs are grouped by workflow name plus PR head ref (run id when there is no
# head ref); a newer run in the same group cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  PYTHON_VERSION: '3.14'
  XCODE_VERSION: '16.4'
  FLAKY_TESTS: keep_retrying
  RUSTC_VERSION: '1.82'

# Default GITHUB_TOKEN scope for every job: read-only repository contents.
permissions:
  contents: read
jobs:
  # Builds and tests Node.js on a macOS 15 runner.
  test-macOS:
    # False only for draft pull requests.
    if: github.event.pull_request.draft == false
    strategy:
      fail-fast: false
    runs-on: macos-15
    env:
      # The compiler is prefixed with sccache only when the base branch or the
      # ref name is main; otherwise the prefix is the empty string.
      CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} gcc
      CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} g++
      SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
      SCCACHE_IDLE_TIMEOUT: '0'
    steps:
      # The repository is checked out into ./node; persist-credentials: false
      # keeps the checkout token out of the local git config, so the build and
      # test steps cannot read it from there.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
          path: node

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true

      # XCODE_VERSION is a constant defined in this workflow's `env`, so the
      # value expanded into this sudo command is fixed by the file itself.
      - name: Set up Xcode ${{ env.XCODE_VERSION }}
        run: sudo xcode-select -s /Applications/Xcode_${{ env.XCODE_VERSION }}.app

      - name: Install Rust ${{ env.RUSTC_VERSION }}
        run: |
          rustup override set "$RUSTC_VERSION"
          rustup --version

      # Same condition as the sccache prefix in CC/CXX.
      - name: Set up sccache
        if: github.base_ref == 'main' || github.ref_name == 'main'
        uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
        with:
          version: v0.12.0

      - name: Environment Information
        run: npx envinfo

      # The `npm ci` for this step fails a lot as part of the Test step. Run it
      # now so that we don't have to wait 2 hours for the Build step to pass
      # first before that failure happens. (And if there's something about
      # `make run-ci -j3` that is causing the failure and the failure doesn't
      # happen anymore running this step here first, that's also useful
      # information.)
      - name: tools/doc/node_modules workaround
        run: make -C node tools/doc/node_modules

      # This is needed due to https://github.com/nodejs/build/issues/3878
      - name: Cleanup
        run: |
          echo "::group::Free space before cleanup"
          df -h
          echo "::endgroup::"
          echo "::group::Cleaned Files"
          sudo rm -rf /Users/runner/Library/Android/sdk
          echo "::endgroup::"
          echo "::group::Free space after cleanup"
          df -h
          echo "::endgroup::"

      - name: Build
        run: make -C node build-ci -j$(getconf _NPROCESSORS_ONLN) V=1 CONFIG_FLAGS="--error-on-warn --v8-enable-temporal-support"

      - name: Free Space After Build
        run: df -h

      - name: Test
        run: make -C node test-ci -j1 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9"

      # The directory name is full of shell metacharacters. It is handed over
      # through the environment and always expanded inside double quotes, so
      # the shell treats it as data.
      - name: Re-run test in a folder whose name contains unusual chars
        run: |
          mv node "$DIR"
          cd "$DIR"
          ./tools/test.py --flaky-tests keep_retrying -p actions -j 4
        env:
          DIR: dir%20with $unusual"chars?'åß∂ƒ©∆¬…`
test-shared matrix perms .github/workflows/test-shared.yml
# This action uses the following secrets:
#   CACHIX_AUTH_TOKEN: Write access to nodejs.cachix.org – without it, the cache is read-only.
name: Test Shared libraries

on:
  pull_request:
    # Changes limited to these paths do not start a run; the `!` entries
    # re-include parts of an excluded tree.
    paths-ignore:
      - '**.md'
      - eslint.config.mjs
      - '**/eslint.config_partial.mjs'
      - android-configure
      - android-configure.py
      - android-patches/**
      - benchmarks/**
      - codecov.yml
      - deps/ada/**
      - deps/brotli/**
      - deps/cares/**
      - deps/crates/**
      - deps/corepack/**
      - deps/googletest/**
      - deps/histogram/**
      - deps/icu-small/**
      - deps/icu-tmp/**
      - deps/llhttp/**
      - deps/merve/**
      - deps/nbytes/**
      - deps/nghttp2/**
      - deps/ngtcp2/**
      - deps/openssl/*/**
      - deps/simdjson/**
      - deps/sqlite/**
      - deps/uv/**
      - deps/uvwasi/**
      - deps/zlib/**
      - deps/zstd/**
      - doc/**
      - pyproject.yml
      - tsconfig.json
      - test/internet/**
      - tools/**
      - '!tools/gyp/**'
      - '!tools/nix/**'
      - '!tools/v8/**'
      - '!tools/v8_gypfiles/**'
      - typings/**
      - vcbuild.bat
      - .**
      - '!.github/workflows/test-shared.yml'
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
  push:
    branches:
      - main
      - canary
      - v[0-9]+.x-staging
      - v[0-9]+.x
    paths-ignore:
      - '**.md'
      - eslint.config.mjs
      - '**/eslint.config_partial.mjs'
      - android-configure
      - android-configure.py
      - android-patches/**
      - benchmarks/**
      - codecov.yml
      - deps/ada/**
      - deps/brotli/**
      - deps/cares/**
      - deps/crates/**
      - deps/corepack/**
      - deps/googletest/**
      - deps/histogram/**
      - deps/icu-small/**
      - deps/icu-tmp/**
      - deps/llhttp/**
      - deps/merve/**
      - deps/nbytes/**
      - deps/nghttp2/**
      - deps/ngtcp2/**
      - deps/openssl/*/**
      - deps/simdjson/**
      - deps/sqlite/**
      - deps/uv/**
      - deps/uvwasi/**
      - deps/zlib/**
      - deps/zstd/**
      - doc/**
      - pyproject.yml
      - tsconfig.json
      - test/internet/**
      - tools/**
      - '!tools/gyp/**'
      - '!tools/nix/**'
      - '!tools/v8/**'
      - '!tools/v8_gypfiles/**'
      - typings/**
      - vcbuild.bat
      - .**
      - '!.github/workflows/test-shared.yml'

# Runs are grouped by workflow name plus PR head ref (run id when there is no
# head ref); a newer run in the same group cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  FLAKY_TESTS: keep_retrying

# Default GITHUB_TOKEN scope for every job: read-only repository contents.
permissions:
  contents: read
jobs:
  # Packs the checked-out tree into a source tarball and uploads it as the
  # `tarballs` artifact for the `build` matrix.
  # NOTE(review): the steps are guarded against `workflow_dispatch`, but this
  # workflow's `on:` lists only pull_request and push, so those guards look
  # unreachable here. Confirm whether the trigger was dropped on purpose.
  build-tarball:
    # False only for draft pull requests.
    if: github.event.pull_request.draft == false
    name: ${{ github.event_name == 'workflow_dispatch' && 'Skipped job' || 'Build slim tarball' }}
    runs-on: ubuntu-slim
    steps:
      # persist-credentials: false keeps the checkout token out of the local
      # git config, and so out of the tree that is packed below.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        if: ${{ github.event_name != 'workflow_dispatch' }}
        with:
          persist-credentials: false

      - name: Make tarball
        if: ${{ github.event_name != 'workflow_dispatch' }}
        run: |
          export DATESTRING=$(date "+%Y-%m-%d")
          export COMMIT=$(git rev-parse --short=10 "$GITHUB_SHA")
          ./configure && make tar -j4 SKIP_XZ=1 SKIP_SHARED_DEPS=1
        env:
          DISTTYPE: nightly

      - name: Upload tarball artifact
        if: ${{ github.event_name != 'workflow_dispatch' }}
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
        with:
          name: tarballs
          path: '*.tar.gz'
          compression-level: 0

  # Builds the tarball inside a pure nix-shell and runs the CI test target,
  # once per runner/system pair.
  build:
    needs: build-tarball
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-24.04
            system: x86_64-linux
          - runner: ubuntu-24.04-arm
            system: aarch64-linux
          - runner: macos-15-intel
            system: x86_64-darwin
          - runner: macos-latest
            system: aarch64-darwin
    name: '${{ matrix.system }}: with shared libraries'
    runs-on: ${{ matrix.runner }}
    steps:
      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
        if: ${{ github.event_name != 'workflow_dispatch' }}
        with:
          name: tarballs
          path: tarballs

      # TAR_DIR (the unpacked source directory under $RUNNER_TEMP) is exported
      # to the following steps through $GITHUB_ENV.
      - name: Extract tarball
        if: ${{ github.event_name != 'workflow_dispatch' }}
        run: |
          tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP"
          echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV"

      - uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd  # v31.9.1
        with:
          extra_nix_config: sandbox = true

      # Per the header of this workflow, CACHIX_AUTH_TOKEN grants write access
      # to the cache; without it the cache is read-only.
      - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1  # v16
        with:
          name: nodejs
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

      # Exports the Actions cache endpoint and runtime token as environment
      # variables for the later steps, only when the base branch or the ref
      # name is main.
      # NOTE(review): ACTIONS_RUNTIME_TOKEN then becomes readable by everything
      # the build and test step executes, including code from a pull request
      # that targets main. Confirm that the token's cache scope is an
      # acceptable bound for that.
      - name: Configure sccache
        if: github.base_ref == 'main' || github.ref_name == 'main'
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
        with:
          script: |
            core.exportVariable('SCCACHE_GHA_ENABLED', 'on');
            core.exportVariable('ACTIONS_CACHE_SERVICE_V2', 'on');
            core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
            core.exportVariable('NIX_SCCACHE', '(import <nixpkgs> {}).sccache');

      # `--pure` clears the environment; only the variables named by `--keep`
      # are passed into the nix-shell. The `${{ }}` line adds the darwin-only
      # arguments and is built from the static matrix value `system`.
      - name: Build Node.js and run tests
        run: |
          nix-shell \
            -I "nixpkgs=$TAR_DIR/tools/nix/pkgs.nix" \
            --pure --keep TAR_DIR --keep FLAKY_TESTS \
            --keep SCCACHE_GHA_ENABLED --keep ACTIONS_CACHE_SERVICE_V2 --keep ACTIONS_RESULTS_URL --keep ACTIONS_RUNTIME_TOKEN \
            --arg loadJSBuiltinsDynamically false \
            --arg useSeparateDerivationForV8 true \
            --arg ccache "${NIX_SCCACHE:-null}" \
            --arg devTools '[]' \
            --arg benchmarkTools '[]' \
            ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }}
            --run '
              make -C "$TAR_DIR" run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9 --skip-tests=$CI_SKIP_TESTS"
            ' "$TAR_DIR/shell.nix"
timezone-update perms .github/workflows/timezone-update.yml
# Timezone update: weekly schedule plus manual trigger.
name: Timezone update

on:
  schedule:
    # Run once a week at 00:05 AM UTC on Sunday.
    - cron: '5 0 * * 0'
  workflow_dispatch:

# Workflow-level default for GITHUB_TOKEN: read-only repository contents.
# The job declares its own `permissions` block for what it needs beyond that.
permissions:
  contents: read
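jobs:
  # Compares the newest tzdata version in unicode-org/icu-data with the one
  # recorded in test/fixtures/tz-version.txt and opens or updates a PR when
  # they differ.
  timezone_update:
    permissions:
      contents: write  # to push local changes (gr2m/create-or-update-pull-request-action)
      pull-requests: write  # to create a PR (gr2m/create-or-update-pull-request-action)
    if: github.repository == 'nodejs/node'
    # cannot use ubuntu-slim here because it does not have icupkg
    runs-on: ubuntu-latest
    steps:
      - name: Checkout nodejs/node
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false

      - name: Checkout unicode-org/icu-data
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          path: icu-data
          persist-credentials: false
          repository: unicode-org/icu-data

      # new_version is a directory name read from the icu-data checkout, i.e.
      # content this repository does not control. In the `run:` scripts below
      # it is referenced only as the shell variable "$new_version" (values
      # written to $GITHUB_ENV are exported to later steps). It is never pasted
      # into a script with `${{ }}`, because that expansion happens before the
      # shell parses the script and would let the value's characters be read
      # as shell syntax.
      - name: Record new version
        run: echo "new_version=$(ls icu-data/tzdata/icunew | tail -1)" >> "$GITHUB_ENV"

      - name: Record current version
        run: echo "current_version=$(cat ./test/fixtures/tz-version.txt)" >> "$GITHUB_ENV"

      - name: Compare versions
        run: |
          echo "Comparing current version $current_version to new version $new_version"

      - run: ./tools/update-timezone.mjs
        if: ${{ env.new_version != env.current_version }}

      - name: Update the expected timezone version in test
        if: ${{ env.new_version != env.current_version }}
        run: echo "$new_version" > test/fixtures/tz-version.txt

      # GH_USER_TOKEN is scoped to this step only. The `${{ }}` values under
      # `with:` are action inputs, not shell text.
      - name: Open Pull Request
        if: ${{ env.new_version != env.current_version }}
        uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5  # Create a PR or update the Action's existing PR
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
        with:
          author: Node.js GitHub Bot <github-bot@iojs.org>
          body: |
            This PR was generated by `.github/workflows/timezone-update.yml` and `tools/update-timezone.mjs`.
            Updates the ICU files as per the instructions present in https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-icu.md#time-zone-data
            To test, build node off this branch & log the version of tz using
            ```js
            console.log(process.versions.tz)
            ```
          branch: actions/timezone-update
          commit-message: 'deps: update timezone to ${{ env.new_version }}'
          labels: dependencies
          title: 'deps: update timezone to ${{ env.new_version }}'
          reviewers: \@nodejs/i18n-api
          update-pull-request-title-and-body: true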
tools matrix perms .github/workflows/tools.yml
# Tools and deps update: weekly schedule plus a manual trigger that can be
# limited to a single updater.
name: Tools and deps update

on:
  schedule:
    # Run once a week at 00:05 AM UTC on Sunday.
    - cron: '5 0 * * 0'
  workflow_dispatch:
    inputs:
      # `choice` restricts the manual input to the values listed here; the
      # steps compare it with the matrix `id` of each updater.
      id:
        description: The ID of the job to run
        required: true
        default: all
        type: choice
        options:
          - all
          - acorn
          - acorn-walk
          - ada
          - amaro
          - brotli
          - c-ares
          - merve
          - corepack
          - googletest
          - gyp-next
          - histogram
          - icu
          - inspector_protocol
          - libuv
          - llhttp
          - minimatch
          - nbytes
          - nixpkgs-unstable
          - nghttp2
          - nghttp3
          - ngtcp2
          - postject
          - root-certificates
          - simdjson
          - sqlite
          - test426-fixtures
          - undici
          - uvwasi
          - zlib
          - zstd

env:
  PYTHON_VERSION: '3.14'

# Default GITHUB_TOKEN scope for every job: read-only repository contents.
permissions:
  contents: read
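jobs:
  # One matrix entry per dependency. Each entry carries the commit subsystem,
  # the PR labels and the updater script to run. Most scripts print their
  # output to temp-output; the last line is appended to $GITHUB_ENV when it
  # contains "NEW_VERSION=".
  tools-deps-update:
    if: github.repository == 'nodejs/node' || github.event_name == 'workflow_dispatch'
    # cannot use ubuntu-slim here because some update scripts require Docker
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false  # Prevent other jobs from aborting if one fails
      matrix:
        include:
          - id: acorn
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-acorn.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: acorn-walk
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-acorn-walk.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: ada
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-ada.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: amaro
            subsystem: deps
            label: dependencies, strip-types
            run: |
              ./tools/dep_updaters/update-amaro.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: brotli
            subsystem: deps
            label: dependencies, zlib
            run: |
              ./tools/dep_updaters/update-brotli.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: c-ares
            subsystem: deps
            label: dependencies, cares
            run: |
              ./tools/dep_updaters/update-c-ares.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: merve
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-merve.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: corepack
            subsystem: deps
            label: dependencies
            run: |
              make corepack-update
              echo "NEW_VERSION=$(node deps/corepack/dist/corepack.js --version)" >> "$GITHUB_ENV"
          - id: googletest
            subsystem: deps
            label: dependencies, test
            run: |
              ./tools/dep_updaters/update-googletest.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: gyp-next
            subsystem: tools
            label: tools, gyp
            run: |
              ./tools/dep_updaters/update-gyp-next.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: histogram
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-histogram.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: icu
            subsystem: deps
            label: dependencies, test, icu
            run: |
              ./tools/dep_updaters/update-icu.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: inspector_protocol
            subsystem: deps
            label: dependencies, inspector
            run: |
              ./tools/dep_updaters/update-inspector-protocol.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: libuv
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-libuv.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: llhttp
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-llhttp.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: minimatch
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-minimatch.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: nbytes
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-nbytes.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: nixpkgs-unstable
            subsystem: tools
            # dont-land labels are there so we can guarantee released versions of
            # Node.js can be built with the same env along the whole release line life – or
            # at least we can detect and document necessary updates.
            label: tools, dont-land-on-v20.x, dont-land-on-v22.x, dont-land-on-v24.x, dont-land-on-v25.x
            run: |
              ./tools/dep_updaters/update-nixpkgs-pin.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: nghttp2
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-nghttp2.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: nghttp3
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-nghttp3.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: ngtcp2
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-ngtcp2.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: postject
            subsystem: deps,test
            label: test
            run: |
              ./tools/dep_updaters/update-postject.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: root-certificates
            subsystem: crypto
            label: crypto, notable-change
            run: |
              node ./tools/dep_updaters/update-root-certs.mjs -v -f "$GITHUB_ENV"
          - id: simdjson
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-simdjson.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: sqlite
            subsystem: deps
            label: dependencies, sqlite
            run: |
              ./tools/dep_updaters/update-sqlite.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: test426-fixtures
            subsystem: test
            label: test
            run: |
              bash tools/dep_updaters/update-test426-fixtures.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: undici
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-undici.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: uvwasi
            subsystem: deps
            label: dependencies
            run: |
              ./tools/dep_updaters/update-uvwasi.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: zlib
            subsystem: deps
            label: dependencies, zlib
            run: |
              ./tools/dep_updaters/update-zlib.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
          - id: zstd
            subsystem: deps
            label: dependencies, zlib
            run: |
              ./tools/dep_updaters/update-zstd.sh > temp-output
              cat temp-output
              tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
              rm temp-output
    # Every step after the git setup runs only for scheduled runs, for
    # `id: all`, or for the one updater selected manually.
    steps:
      - name: Setup Git config
        run: |
          git config --global user.name "Node.js GitHub Bot"
          git config --global user.email "github-bot@iojs.org"

      # persist-credentials: false keeps the checkout token out of the local
      # git config, so the updater scripts cannot read it from there.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        if: github.event_name == 'schedule' || inputs.id == 'all' || inputs.id == matrix.id
        with:
          persist-credentials: false

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        if: |
          (matrix.id == 'icu' || matrix.id == 'inspector_protocol') &&
          (github.event_name == 'schedule' || inputs.id == 'all' || inputs.id == matrix.id)
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true

      - name: Set up Nix
        if: matrix.id == 'nixpkgs-unstable' && (github.event_name == 'schedule' || inputs.id == 'all' || inputs.id == matrix.id)
        uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd  # v31.9.1

      # `matrix.run` is one of the scripts defined in the matrix above, so the
      # expanded text is fixed by this file. GH_USER_TOKEN is in the
      # environment of whatever the script runs.
      # NOTE(review): the updaters presumably fetch upstream content; confirm
      # each one needs the token.
      - run: ${{ matrix.run }}
        if: github.event_name == 'schedule' || inputs.id == 'all' || inputs.id == matrix.id
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}

      # NEW_VERSION comes from updater output, i.e. from upstream version
      # strings. It is read here as the shell variable exported through
      # $GITHUB_ENV. It is not expanded into the script with `${{ }}`, because
      # that expansion happens before the shell parses the script and would let
      # the value's characters be read as shell syntax. The two matrix values
      # are passed the same way for consistency.
      - name: Generate commit message if not set
        if: env.COMMIT_MSG == '' && (github.event_name == 'schedule' || inputs.id == 'all' || inputs.id == matrix.id)
        run: |
          echo "COMMIT_MSG=${SUBSYSTEM}: update ${DEP_ID} to ${NEW_VERSION}" >> "$GITHUB_ENV"
        env:
          SUBSYSTEM: ${{ matrix.subsystem }}
          DEP_ID: ${{ matrix.id }}

      # The `${{ }}` values under `with:` are action inputs, not shell text.
      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0  # v8.1.0
        if: github.event_name == 'schedule' || inputs.id == 'all' || inputs.id == matrix.id
        # Creates a PR or update the Action's existing PR, or
        # no-op if the base branch is already up-to-date.
        with:
          token: ${{ secrets.GH_USER_TOKEN }}
          branch: actions/tools-update-${{ matrix.id }}  # Custom branch *just* for this Action.
          delete-branch: true
          commit-message: ${{ env.COMMIT_MSG }}
          labels: ${{ matrix.label }}
          title: '${{ matrix.subsystem }}: update ${{ matrix.id }} to ${{ env.NEW_VERSION }}'
          body: This is an automated update of ${{ matrix.id }} to ${{ env.NEW_VERSION }}.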
update-openssl perms .github/workflows/update-openssl.yml
# OpenSSL update: weekly schedule plus manual trigger.
name: OpenSSL update

on:
  schedule:
    # Run once a week at 00:05 AM UTC on Sunday.
    - cron: '5 0 * * 0'
  workflow_dispatch:

# Default GITHUB_TOKEN scope for every job: read-only repository contents.
permissions:
  contents: read
jobs:
  # Downloads a new OpenSSL release when the updater reports one, then builds
  # the PR in two commits: the upstream sources first, the regenerated
  # platform-specific files second. Every step after the download is skipped
  # unless NEW_VERSION was set.
  openssl-update:
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-slim
    steps:
      # persist-credentials: false keeps the checkout token out of the local
      # git config; the PR steps below receive GH_USER_TOKEN explicitly.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false

      # The last line of the updater output is appended to $GITHUB_ENV when it
      # contains "NEW_VERSION=".
      - name: Check and download new OpenSSL version
        run: |
          ./tools/dep_updaters/update-openssl.sh download > temp-output
          cat temp-output
          tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
          rm temp-output
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}

      # NEW_VERSION appears only in `with:` inputs here, not in shell text.
      - name: Create PR with first commit
        if: env.NEW_VERSION
        uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
        # Creates a PR with the new OpenSSL source code committed
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
        with:
          author: Node.js GitHub Bot <github-bot@iojs.org>
          body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}.
          branch: actions/tools-update-openssl  # Custom branch *just* for this Action.
          commit-message: 'deps: upgrade openssl sources to openssl-${{ env.NEW_VERSION }}'
          labels: dependencies, openssl
          title: 'deps: update OpenSSL to ${{ env.NEW_VERSION }}'
          path: deps/openssl
          update-pull-request-title-and-body: true

      # NOTE(review): this step runs against the freshly downloaded sources
      # with GH_USER_TOKEN in its environment; confirm the regenerate mode
      # needs the token.
      - name: Regenerate platform specific files
        if: env.NEW_VERSION
        run: |
          sudo apt install -y nasm libtext-template-perl
          ./tools/dep_updaters/update-openssl.sh regenerate
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}

      - name: Add second commit
        # Adds a second commit to the PR with the generated platform-dependent files
        if: env.NEW_VERSION
        uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
        with:
          author: Node.js GitHub Bot <github-bot@iojs.org>
          branch: actions/tools-update-openssl  # Custom branch *just* for this Action.
          commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
          path: deps/openssl
update-v8 perms .github/workflows/update-v8.yml
# V8 patch update: weekly schedule plus manual trigger.
name: V8 patch update

on:
  schedule:
    # Run once a week at 00:05 AM UTC on Sunday.
    - cron: '5 0 * * 0'
  workflow_dispatch:

env:
  NODE_VERSION: lts/*

# Default GITHUB_TOKEN scope for every job: read-only repository contents.
permissions:
  contents: read
jobs:
  # Runs the V8 patch updater and opens or updates a PR with the result.
  v8-update:
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-slim
    steps:
      # persist-credentials: false keeps the checkout token out of the local
      # git config; the PR step below receives GH_USER_TOKEN explicitly.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false

      # The key is built from the runner OS and a fixed name only, so it does
      # not change when the cached contents would.
      - name: Cache node modules and update-v8
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
        id: cache-v8-npm
        env:
          cache-name: cache-v8-npm
        with:
          path: |
            ~/.update-v8
            ~/.npm
          key: ${{ runner.os }}-build-${{ env.cache-name }}

      - name: Install Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}

      # No version is given, so the registry decides which release of
      # @node-core/utils is installed at run time.
      - name: Install @node-core/utils
        run: npm install -g @node-core/utils

      - name: Setup Git config
        run: |
          git config --global user.name "Node.js GitHub Bot"
          git config --global user.email "github-bot@iojs.org"

      # The last line of the updater output is appended to $GITHUB_ENV when it
      # contains "NEW_VERSION=".
      - name: Check and download new V8 version
        run: |
          ./tools/dep_updaters/update-v8-patch.sh > temp-output
          cat temp-output
          tail -n1 temp-output | grep "NEW_VERSION=" >> "$GITHUB_ENV" || true
          rm temp-output

      # NEW_VERSION appears only in `with:` inputs here, not in shell text.
      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0  # v8.1.0
        # Creates a PR or update the Action's existing PR, or
        # no-op if the base branch is already up-to-date.
        with:
          token: ${{ secrets.GH_USER_TOKEN }}
          branch: actions/update-v8-patch  # Custom branch *just* for this Action.
          delete-branch: true
          title: 'deps: patch V8 to ${{ env.NEW_VERSION }}'
          body: This is an automated patch update of V8 to ${{ env.NEW_VERSION }}.
          labels: dependencies, v8 engine
update-wpt matrix perms .github/workflows/update-wpt.yml
# WPT update: weekly schedule plus a manual trigger that can name the
# subsystems to update.
name: WPT update

on:
  schedule:
    # Run once a week at 12:00 AM UTC on Sunday.
    - cron: '0 0 * * 0'
  workflow_dispatch:
    inputs:
      # A JSON array as text; the job parses it with fromJSON to build its
      # matrix.
      subsystems:
        description: Subsystem to run the update for
        required: false
        default: '["url", "urlpattern", "WebCryptoAPI"]'

# Default GITHUB_TOKEN scope for every job: read-only repository contents.
permissions:
  contents: read

env:
  NODE_VERSION: lts/*
jobs:
  # One matrix job per subsystem: updates its WPT fixtures with `git node wpt`
  # and opens or updates the matching PR.
  wpt-subsystem-update:
    if: github.repository == 'nodejs/node' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-slim
    strategy:
      fail-fast: false
      matrix:
        # The manual input when given, otherwise the same default list.
        subsystem: ${{ fromJSON(github.event.inputs.subsystems || '["url", "urlpattern", "WebCryptoAPI"]') }}
    steps:
      # persist-credentials: false keeps the checkout token out of the local
      # git config; the PR step below receives GH_USER_TOKEN explicitly.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false

      - name: Install Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
        with:
          node-version: ${{ env.NODE_VERSION }}

      # No version is given, so the registry decides which release of
      # @node-core/utils is installed at run time.
      - name: Install @node-core/utils
        run: npm install -g @node-core/utils

      # The secrets reach the script as quoted environment variables.
      - name: Setup @node-core/utils
        run: |
          ncu-config set username "$USERNAME"
          ncu-config set token "$GH_TOKEN"
          ncu-config set owner "${GITHUB_REPOSITORY_OWNER}"
          ncu-config set repo "$(echo "$GITHUB_REPOSITORY" | cut -d/ -f2)"
        env:
          USERNAME: ${{ secrets.JENKINS_USER }}
          GH_TOKEN: ${{ secrets.GH_USER_TOKEN }}

      # The subsystem name can come from the manual input. It is passed to the
      # script through the environment and expanded inside double quotes, so
      # the shell treats it as data.
      - name: Update WPT for subsystem ${{ matrix.subsystem }}
        run: |
          git node wpt "$SUBSYSTEM"
        env:
          SUBSYSTEM: ${{ matrix.subsystem }}

      # Reads the commit recorded for the subsystem in versions.json and
      # exports the full hash and its first ten characters.
      - name: Retrieve new version commit
        run: |
          new_version="$(
            node -p 'require("./test/fixtures/wpt/versions.json")[process.argv[1]].commit' "$SUBSYSTEM"
          )"
          {
            echo "long_version=$new_version"
            echo "short_version=${new_version:0:10}"
          } >> "$GITHUB_ENV"
        env:
          SUBSYSTEM: ${{ matrix.subsystem }}

      - name: Open or update PR for the subsystem update
        uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
        with:
          # The create-or-update-pull-request-action matches the branch name by prefix,
          # which is why we need to add the -wpt suffix. If we don't do that, we risk matching wrong PRs,
          # like for example "url" mistakenly matching and updating the "urlpattern" PR
          # as seen in https://github.com/nodejs/node/pull/57368
          branch: actions/update-${{ matrix.subsystem }}-wpt
          author: Node.js GitHub Bot <github-bot@iojs.org>
          title: 'test: update WPT for ${{ matrix.subsystem }} to ${{ env.short_version }}'
          commit-message: 'test: update WPT for ${{ matrix.subsystem }} to ${{ env.short_version }}'
          labels: test
          update-pull-request-title-and-body: true
          body: >
            This is an automated update of the WPT for ${{ matrix.subsystem }} to
            https://github.com/web-platform-tests/wpt/commit/${{ env.long_version }}.
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}