Merge pull request #6738 from masslight/rzinger/otr-2103-rcm-ehr-pati… #3857
# CI workflow: installs dependencies, builds the monorepo, scans the git
# history and the built bundles for secrets with TruffleHog, and posts a
# commit status with the overall result.
name: Lint and Build

# Runs on manual dispatch, on pushes to main/develop, and on pull requests
# that target main, develop, or any release/** branch.
on:
  workflow_dispatch:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop, "release/**"]

# Workflow-level env is visible to every step of every job below.
# NOTE(review): TURBO_TOKEN is therefore exposed to all steps, not only the
# build -- consider scoping it to the step(s) that need it.
env:
  SECRETS_REPOSITORY: ${{ vars.SECRETS_REPOSITORY }} # Secrets repository for configuration files
  TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
  TURBO_TEAM: ${{ vars.TURBO_TEAM }}

jobs:
  lint-and-build:
    runs-on: ubuntu-latest-4-cores
    timeout-minutes: 15

    # Explicit token scopes for this job:
    #   contents: read  - checkout of this repository
    #   id-token: write - lets the job request an OIDC token (presumably used by
    #                     populate-secrets with aws-deploy-role -- confirm)
    #   statuses: write - required by the createCommitStatus call in the last step
    permissions:
      contents: read
      id-token: write
      statuses: write

    strategy:
      matrix:
        node-version:
          - "22"

    # Third-party actions below are pinned to full commit SHAs; the trailing
    # comment records the release tag each SHA is expected to correspond to.
    steps:
      # Loads the deploy key into an ssh-agent for the remainder of the job.
      # NOTE(review): later steps (npm ci, build) execute repository and
      # dependency code in the same job as this agent -- confirm the key is
      # read-only and scoped to the secrets repository.
      - name: Install SSH Client
        uses: webfactory/ssh-agent@836c84ec59a0e7bc0eabc79988384eb567561ee2 # v0.7.0
        with:
          ssh-private-key: ${{ secrets.DEPLOY_OTTEHR_KEY }}

      # fetch-depth: 0 fetches the full history instead of a shallow clone.
      # NOTE(review): persist-credentials is not set, so the checkout default
      # applies and the token stays in the local git config for later steps;
      # set `persist-credentials: false` if no later step needs it.
      - name: Checkout the main repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      # The primary key is unique per commit; restore-keys falls back to the
      # most recent cache whose key starts with the OS-specific prefix.
      - name: Cache turbo build setup
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: .turbo
          key: ${{ runner.os }}-turbo-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-turbo-

      - name: Set up Node.js environment
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ matrix.node-version }}

      # Repository scan; --only-verified limits findings to credentials that
      # TruffleHog was able to verify.
      - name: TruffleHog -- Check for secrets committed to the repository
        uses: trufflesecurity/trufflehog@af3e68261fa87568031f65161577cc2ebe1ca669 # v3.83.7
        with:
          extra_args: --only-verified

      # Local action; its implementation is not visible in this file.
      # core-branch is the PR head branch on pull_request events, otherwise the
      # pushed ref name.
      # NOTE(review): github.head_ref is chosen by the PR author. It is passed
      # as an action input here, not interpolated into a script, but confirm the
      # local action quotes/validates it before using it in any command.
      - name: Resolve secrets branch
        id: resolve-secrets
        uses: ./.github/actions/resolve-secrets-branch
        with:
          core-branch: ${{ github.head_ref || github.ref_name }}
          secrets-repository: ${{ env.SECRETS_REPOSITORY }}
          ssh-key: ${{ secrets.DEPLOY_OTTEHR_KEY }}
          token: ${{ github.token }}

      # Checks the secrets repository out into ./secrets with the deploy key,
      # at the branch resolved by the previous step.
      - name: Check out secrets repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: ${{ env.SECRETS_REPOSITORY }}
          ssh-key: ${{ secrets.DEPLOY_OTTEHR_KEY }}
          ref: ${{ steps.resolve-secrets.outputs.branch }}
          path: "secrets"

      # Local action; its implementation is not visible in this file.
      - name: Populate and validate secrets
        uses: ./.github/actions/populate-secrets
        with:
          environment: local
          copy-test-config-files: true
          aws-deploy-role: ${{ vars.AWS_DEPLOY_ROLE }}
          pull-generated-config-from-terraform-state: true

      # Keyed on the hash of every package-lock.json. A restore-keys (prefix)
      # match restores an older cache but does not report cache-hit == 'true',
      # so the install step below still runs in that case.
      - name: Cache node modules
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        id: npm-cache
        with:
          path: |
            node_modules
            packages/*/node_modules
            apps/*/node_modules
            deploy/node_modules
          key: ${{ runner.os }}-npm-cache-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-npm-cache-

      - name: Install dependencies
        if: steps.npm-cache.outputs.cache-hit != 'true'
        run: npm ci

      # Only logs that the skip marker was found in the pull request body.
      # NOTE(review): the PR body is author-controlled, and the final step
      # derives the commit status from job.status, so a run whose Build step was
      # skipped can still report 'success' -- confirm this is acceptable for
      # whatever branch protection consumes that status.
      - name: Check for skip build and lint
        if: contains(github.event.pull_request.body, '/skip-build-and-lint')
        run: echo "Build and lint skipped via /skip-build-and-lint command"

      # Skipped when the PR body carries the marker. NODE_OPTIONS raises the
      # V8 old-space heap limit to 8192 MB for the build.
      - name: Build
        if: ${{ !contains(github.event.pull_request.body, '/skip-build-and-lint') }}
        run: npm run build
        env:
          NODE_OPTIONS: "--max-old-space-size=8192"

      # Scans the built output directories; --fail makes the step exit non-zero
      # when findings are reported. This step has no `if:`, so it also runs when
      # Build was skipped.
      # NOTE(review): the image is referenced by tag (3.82.13), unlike the
      # SHA-pinned actions above, and differs from the v3.83.7 action used
      # earlier -- consider pinning by digest and aligning the versions.
      # NOTE(review): `-v .:/tmp` mounts the whole workspace, which includes the
      # ./secrets checkout, although only the listed paths are scanned.
      - name: TruffleHog -- Check for secrets in bundles of publicly available code
        run: |
          docker run --rm -v .:/tmp -w /tmp \
            ghcr.io/trufflesecurity/trufflehog:3.82.13 \
            filesystem ./packages/test-utils/dist \
            ./packages/utils/dist \
            ./packages/ui-components/dist \
            ./apps/intake/build/assets \
            ./apps/ehr/build/assets \
            --github-actions \
            --only-verified \
            --fail

      # always() runs this step even when an earlier step failed, so a failure
      # status is posted too. job.status is set by the runner and is not
      # user-controlled input.
      # NOTE(review): on pull_request events context.sha may be the merge commit
      # rather than the PR head commit -- confirm the status lands on the commit
      # that branch protection evaluates.
      - name: Set GitHub Commit Status
        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
        if: always()
        with:
          script: |
            const success = '${{ job.status }}' === 'success';
            await github.rest.repos.createCommitStatus({
              ...context.repo,
              sha: context.sha,
              state: success ? 'success' : 'failure',
              context: 'CI / Tests',
              description: success ? 'Tests successful' : 'Tests failed'
            });