Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
32 commits
Select commit Hold shift + click to select a range
68e930a
chore: dep update
willfarrell May 10, 2026
35d302a
chore: dep update
willfarrell May 13, 2026
eb626f5
chore: dep update
willfarrell May 13, 2026
3ee4cb2
ci: improve coverage
willfarrell May 22, 2026
c5c1a06
Merge branch 'main' into develop
willfarrell May 22, 2026
10c8a98
test: add in mutations
willfarrell May 31, 2026
75f016e
feat: add in new service streams
willfarrell May 31, 2026
b81d07b
test: improve test coverage
willfarrell May 31, 2026
fc2e7cf
test: improve coverage
willfarrell Jun 1, 2026
5e7cd0b
fix: pattern
willfarrell Jun 1, 2026
6b37905
chore: clean up
willfarrell Jun 1, 2026
4e6d110
ci: project name
willfarrell Jun 1, 2026
c814dc6
Merge branch 'main' into develop
willfarrell Jun 1, 2026
39aa1d8
chore: dep update
willfarrell Jun 12, 2026
d259b29
fix: pipe leaking upstream on error
willfarrell Jun 12, 2026
0b0055a
fix: perf improvements
willfarrell Jun 12, 2026
c83b469
chore: dep update
willfarrell Jun 15, 2026
1f44d85
fix: perf improvement
willfarrell Jun 15, 2026
fe279d4
Merge branch 'main' into develop
willfarrell Jun 15, 2026
74f0971
feat: add in new batch processing streams
willfarrell Jun 15, 2026
aea233c
chore: version bump
willfarrell Jun 15, 2026
dafb3ab
test: impvoe coverage
willfarrell Jun 15, 2026
2aa7ee4
chore: dep update
willfarrell Jun 15, 2026
973c402
chore: dep update
willfarrell Jun 15, 2026
69b3e34
chore: dep update
willfarrell Jun 15, 2026
68b36fd
Merge branch 'main' into develop
willfarrell Jul 11, 2026
98562c7
feat: update tardisec config
willfarrell Jul 11, 2026
c8d5b10
Merge branch 'main' into develop
willfarrell Jul 11, 2026
5135dbb
fix: clean up headers
willfarrell Jul 11, 2026
4dd0fd9
chore: dep update
willfarrell Jul 11, 2026
f0a574c
chore: version bump
willfarrell Jul 11, 2026
58a5795
ci: simplify dep update
willfarrell Jul 11, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 4 additions & 11 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,23 +5,16 @@ updates:
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 14
groups:
everything:
patterns:
- "*"
- package-ecosystem: npm
target-branch: develop
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 15
groups:
dev-dependencies:
dependency-type: "development"
update-types:
- "minor"
- "patch"
prod-dependencies:
dependency-type: "production"
update-types:
- "patch"
default-days: 14
6 changes: 4 additions & 2 deletions .github/package.json
Original file line number Diff line number Diff line change
@@ -1,10 +1,12 @@
{
"name": "@datastream/github-workflows",
"version": "0.5.0",
"version": "0.6.1",
"private": true,
"type": "module",
"engines": {
"node": ">=24.0"
"node": ">=24"
},
"engineStrict": true,
"devDependencies": {
"license-check-and-add": "4.0.5",
"lockfile-lint": "5.0.0"
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/ossf-scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
Expand All @@ -32,6 +33,11 @@ jobs:
# actions: read

steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
disable-telemetry: true
- name: "Checkout code"
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
Expand Down
58 changes: 49 additions & 9 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,19 +13,30 @@ env:
permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false

jobs:
build:
name: Build
if: ${{ github.event.pull_request.merged && github.event.pull_request.head.repo.full_name == github.repository }}
if: ${{ github.event.pull_request.merged }}
runs-on: ubuntu-latest

permissions:
contents: read
id-token: write # actions/attest-build-provenance
attestations: write # actions/attest-build-provenance
steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
disable-telemetry: true
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup Node.js ${{ env.NODE_VERSION }}
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
Expand All @@ -35,23 +46,27 @@ jobs:
run: |
tag=$(npm pkg get version | xargs)
echo "tag=${tag}" >> "$GITHUB_ENV"
echo "prerelease=$([ ${tag##*-*} ] && echo false || echo true)" >> "$GITHUB_ENV"
echo "prerelease=$([ "${tag##*-*}" ] && echo false || echo true)" >> "$GITHUB_ENV"
- name: Install dependencies
run: |
npm ci --ignore-scripts
- name: Verify dependency signatures
run: |
npm audit signatures
- name: Build
run: |
npm run build --if-present
- name: Pack
id: pack
run: |
mapfile -t args < <(npm query '.workspace:not([private])' | jq -r '.[] | "--workspace", .location')
{
echo "packages<<EOF"
npm pack --workspaces --json
npm pack "${args[@]}" --json
echo EOF
} >> "$GITHUB_OUTPUT"
- name: Build Attestations
uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-path: |
**/*.tgz
Expand All @@ -74,18 +89,23 @@ jobs:
permissions:
contents: write # softprops/action-gh-release
steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
disable-telemetry: true
- name: Setup Node.js ${{ env.NODE_VERSION }}
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning] no cache configured (no `cache:` input); reconsider if caching is added
with:
node-version: ${{ env.NODE_VERSION }}
registry-url: https://registry.npmjs.org
- name: Download artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # 8.0.1
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ needs.build.outputs.tag }}
- name: Release
# Replaces actions/create-release & actions/upload-release-asset (deprecated)
uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 # zizmor: ignore[superfluous-actions] prefer maintained action over inline `gh release` script
with:
draft: true
prerelease: ${{ needs.build.outputs.prerelease }}
Expand All @@ -103,19 +123,39 @@ jobs:
needs: release
runs-on: ubuntu-latest

environment: npm-publish

permissions:
contents: read
id-token: write # npm publish
attestations: read # gh attestation verify
steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: block
disable-telemetry: true
allowed-endpoints: >
registry.npmjs.org:443
fulcio.sigstore.dev:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
github.com:443
api.github.com:443
- name: Setup Node.js ${{ env.NODE_VERSION }}
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{ env.NODE_VERSION }}
registry-url: https://registry.npmjs.org
- name: Download artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # 8.0.1
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ needs.release.outputs.tag }}
- name: Verify build provenance attestation
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
find . -name '*.tgz' -print -exec gh attestation verify {} --repo ${{ github.repository }} \;
- name: npm publish (next)
if: ${{ needs.release.outputs.prerelease == 'true' }}
run: |
Expand Down
14 changes: 13 additions & 1 deletion .github/workflows/test-dast.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,10 @@ name: Tests (dast)
on:
pull_request:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
NODE_VERSION: 24.x

Expand All @@ -13,10 +17,18 @@ jobs:
fuzz:
name: Tests (fuzz)
runs-on: ubuntu-latest
timeout-minutes: 30

steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
disable-telemetry: true
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup Node.js ${{ env.NODE_VERSION }}
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
Expand Down
10 changes: 10 additions & 0 deletions .github/workflows/test-dco.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,23 @@ name: Tests (dco)
on:
pull_request:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
dco:
name: Tests (dco)
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
disable-telemetry: true
- name: Check for Developer Certificate of Origin (DCO) compliance
uses: KineticCafe/actions-dco@1da04282bbf757dab7d92a5c8535dbfb8113da5c # v3.1.0
14 changes: 13 additions & 1 deletion .github/workflows/test-lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,10 @@ name: Tests (lint)
on:
pull_request:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
NODE_VERSION: 24.x

Expand All @@ -13,10 +17,18 @@ jobs:
lint:
name: Tests (lint)
runs-on: ubuntu-latest
timeout-minutes: 10

steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
disable-telemetry: true
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup Node.js ${{ env.NODE_VERSION }}
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
Expand Down
74 changes: 74 additions & 0 deletions .github/workflows/test-mutation.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
name: Tests (mutation)

on:
pull_request:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
NODE_VERSION: 24.x

permissions:
contents: read

jobs:
setup:
name: List packages
runs-on: ubuntu-latest
timeout-minutes: 5
outputs:
packages: ${{ steps.list.outputs.packages }}
steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
disable-telemetry: true
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: List packages
id: list
run: |
echo "packages=$(find packages -maxdepth 1 -mindepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n") | map(select(length > 0))')" >> "$GITHUB_OUTPUT"

mutation:
name: Tests (mutation)
needs: setup
runs-on: ubuntu-latest
timeout-minutes: 45
strategy:
fail-fast: false
matrix:
package: ${{ fromJson(needs.setup.outputs.packages) }}

steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
disable-telemetry: true
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup Node.js ${{ env.NODE_VERSION }}
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{ env.NODE_VERSION }}
registry-url: https://registry.npmjs.org
cache: npm
- name: Install dependencies
run: |
npm ci --ignore-scripts
- name: Build
run: |
npm run build --if-present
- name: Mutation tests
env:
MUTATE_PACKAGE: ${{ matrix.package }}
run: |
npx stryker run
14 changes: 13 additions & 1 deletion .github/workflows/test-perf.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,10 @@ name: Tests (perf)
on:
pull_request:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
NODE_VERSION: 24.x

Expand All @@ -13,10 +17,18 @@ jobs:
unit:
name: Tests (perf)
runs-on: ubuntu-latest
timeout-minutes: 30

steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
disable-telemetry: true
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup Node.js ${{ env.NODE_VERSION }}
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
Expand Down
Loading
Loading