From 749a2c98f8ba3a2df138b9957edcddf5a54179b6 Mon Sep 17 00:00:00 2001
From: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
Date: Mon, 24 Oct 2022 13:37:19 +0800
Subject: [PATCH] ci: update ci pipeline

- Prepare Renovate config for v6.x branch
- Tidy pipeline code
- Drop uneeded test matrix (semver-major release)
- Pin GitHub Actions action to Git commit hash
see: https://github.com/loopbackio/security/issues/27
see: https://github.com/loopbackio/loopback-connector-mongodb/issues/720
Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
---
 .github/workflows/continuous-integration.yaml | 44 +++++++++----------
 renovate.json | 6 ++-
 2 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml
index 50ec2e50c..84867d839 100644
--- a/.github/workflows/continuous-integration.yaml
+++ b/.github/workflows/continuous-integration.yaml
@@ -4,11 +4,9 @@ on:
 push:
 branches:
 - master
- - 5.x
 pull_request:
 branches:
 - master
- - 5.x
 schedule:
 - cron: '0 2 * * 1' # At 02:00 on Monday
@@ -21,31 +19,25 @@ jobs:
 timeout-minutes: 15
 strategy:
 matrix:
- node-version: [10, 12, 14, 16, 17, 18]
+ node-version: [14, 16, 18, 19]
 mongodb-version: [4.4]
 fail-fast: false
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v3
+ uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516 # tag=v3.5.1
 with:
 node-version: ${{ matrix.node-version }}
 - name: Start MongoDB
- uses: supercharge/mongodb-github-action@1.8.0
+ uses: supercharge/mongodb-github-action@538a4d2a1041920c47630172445cb688592d6e51 # tag=1.8.0
 with:
 mongodb-version: ${{ matrix.mongodb-version }}
 - name: Bootstrap project
 run: npm ci --ignore-scripts
- - name: Update NPM (Node.js v10)
- if: matrix.node-version == 10
- run: npm install --global npm@7
- - name: Update NPM
- if: matrix.node-version != 10
- run: npm install --global npm@8
 - name: Run tests
- run: npm test --ignore-scripts
+ run: npm test
 - name: Publish coverage report to Coveralls
- uses: coverallsapp/github-action@master
+ uses: coverallsapp/github-action@9ba913c152ae4be1327bfb9085dc806cedb44057 # tag=v1.1.3
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 flag-name: run-${{ matrix.os }}-node@${{ matrix.node-version }}
@@ -58,7 +50,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Coveralls finished
- uses: coverallsapp/github-action@master
+ uses: coverallsapp/github-action@9ba913c152ae4be1327bfb9085dc806cedb44057 # tag=v1.1.3
 with:
 github-token: ${{ secrets.github_token }}
 parallel-finished: true
@@ -67,9 +59,9 @@ jobs:
 name: Code Lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
 - name: Use Node.js 16
- uses: actions/setup-node@v3
+ uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516 # tag=v3.5.1
 with:
 node-version: 16
 - name: Bootstrap project
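Review bot: The pinned `actions/checkout` step in the test job has no `with:` block, so the action's default of leaving the job token in the checked-out repository's git config stays in effect while `npm test` runs; with `--ignore-scripts` dropped from that command, any `pretest`/`posttest` lifecycle scripts now execute in the same workspace as well. Adding `with:` and `persist-credentials: false` under the checkout step keeps the token out of reach of test and dependency code. The same applies to the checkout steps in the code-lint, commit-lint and codeql hunks; commit-lint already has a `with:` block, where the key can sit next to `fetch-depth: 0`. No `permissions:` key for the test job is visible in this hunk, so a read-only default such as `permissions:` / `contents: read` may also be worth confirming above the hunk.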
@@ -81,17 +73,23 @@ jobs:
 name: Commit Lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
 with:
 fetch-depth: 0
 - name: Use Node.js 16
- uses: actions/setup-node@v3
+ uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516 # tag=v3.5.1
 with:
 node-version: 16
 - name: Bootstrap project
 run: npm ci --ignore-scripts
 - name: Verify commit linting
- run: npx --no-install commitlint --from origin/master --to HEAD --verbose
+ run: |
+ npx
+ --no-install
+ commitlint
+ --from=origin/master
+ --to=HEAD
+ --verbose
 codeql:
 name: CodeQL
@@ -101,13 +99,13 @@ jobs:
 security-events: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@cc7986c02bac29104a72998e67239bb5ee2ee110 # tag=v2.1.28
 with:
 languages: 'javascript'
 config-file: ./.github/codeql/codeql-config.yml
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@cc7986c02bac29104a72998e67239bb5ee2ee110 # tag=v2.1.28
diff --git a/renovate.json b/renovate.json
index 1258baeb1..ed3c2adf5 100644
--- a/renovate.json
+++ b/renovate.json
@@ -2,6 +2,10 @@
 "extends": [
 "github>loopbackio/cicd//shared-configs/renovate/base"
 ],
- "baseBranches": ["master", "5.x"]
+ "baseBranches": [
+ "master",
+ "6.x",
+ "5.x"
+ ]
 }
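Review bot: In the `Verify commit linting` step of the commit-lint job, the new `run: |` is a literal block scalar, so every line break is kept and the shell receives `npx`, `--no-install`, `commitlint` and each flag as separate commands instead of one invocation. As written, commitlint is never called with `--from=origin/master --to=HEAD`; the step most likely fails on the second line, and in any case the commit-message gate no longer checks anything. Using a folded scalar, `run: >-`, with all argument lines at the same indent, or ending each line with ` \` under `run: |`, restores the single command while keeping the multi-line layout.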
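Review bot: The action pins added to the workflow in this commit only stay current if Renovate is set up to advance the digests and their `# tag=` comments, and nothing in the visible `renovate.json` shows that. The file only extends `github>loopbackio/cicd//shared-configs/renovate/base`, whose contents are not part of this patch. If that shared preset does not already cover it, adding `"helpers:pinGitHubActionDigests"` to `extends` here would make the dependency explicit, so a security fix released for a pinned action still reaches the `master`, `6.x` and `5.x` branches listed in `baseBranches`.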