new_audit: ensure clickjacking mitigation through XFO or CSP #10987
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: DevTools | |
on: | |
push: | |
branches: [main] | |
pull_request: # run on all PRs, not just PRs to a particular branch | |
env: | |
DEPOT_TOOLS_PATH: ${{ github.workspace }}/depot-tools | |
DEVTOOLS_PATH: ${{ github.workspace }}/devtools-frontend | |
PUPPETEER_SKIP_DOWNLOAD: 1 | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
env: | |
FORCE_COLOR: true | |
steps: | |
- name: Set $PATH | |
run: echo "$DEPOT_TOOLS_PATH" >> $GITHUB_PATH | |
- name: git clone | |
uses: actions/checkout@v4 | |
with: | |
path: lighthouse | |
- name: Use Node.js 18.x | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 18.x | |
- name: Generate cache hash | |
run: bash $GITHUB_WORKSPACE/lighthouse/.github/scripts/generate-devtools-hash.sh > cdt-test-hash.txt | |
- name: Set week of the year | |
run: echo "WEEK_OF_THE_YEAR=$(date +%V)" >> $GITHUB_ENV | |
# Caches are invalidated at least once a week, so that's the max time between testing | |
# with the latest dependencies. Any commit to the DevTools repo touching Lighthouse | |
# code will invalidate the cache sooner. | |
- name: Cache depot tools and devtools | |
id: devtools-cache | |
uses: actions/cache@v3 | |
with: | |
path: | | |
${{ env.DEPOT_TOOLS_PATH }} | |
${{ env.DEVTOOLS_PATH }} | |
${{ github.workspace }}/.gclient | |
${{ github.workspace }}/.gclient_entries | |
# This hash key changes: | |
# 1) every monday (so invalidates once a week) | |
# 2) every commit to CDT touching files important to Lighthouse web tests | |
# 3) every change to file in Lighthouse repo important to running these tests. | |
# | |
# The number is how many times this hash key was manually updated to break the cache. | |
key: ${{ runner.os }}-12-${{ env.WEEK_OF_THE_YEAR }}-${{ hashFiles('cdt-test-hash.txt') }} | |
restore-keys: ${{ runner.os }}-12 | |
- name: Set GHA_DEVTOOLS_CACHE_HIT | |
if: steps.devtools-cache.outputs.cache-hit == 'true' | |
run: echo "GHA_DEVTOOLS_CACHE_HIT=1" >> $GITHUB_ENV | |
- run: yarn --frozen-lockfile --network-timeout 1000000 | |
working-directory: ${{ github.workspace }}/lighthouse | |
- name: Download depot tools | |
run: bash $GITHUB_WORKSPACE/lighthouse/core/test/devtools-tests/download-depot-tools.sh | |
- name: Download DevTools Frontend | |
run: bash $GITHUB_WORKSPACE/lighthouse/core/test/devtools-tests/download-devtools.sh | |
- name: Roll Lighthouse + build DevTools | |
run: bash $GITHUB_WORKSPACE/lighthouse/core/test/devtools-tests/roll-devtools.sh | |
- name: Cache build artifacts | |
id: devtools-build-artifacts | |
uses: actions/cache@v3 | |
with: | |
path: | | |
${{ env.DEVTOOLS_PATH }} | |
${{ github.workspace }}/.gclient | |
${{ github.workspace }}/.gclient_entries | |
key: devtools-build-artifacts-${{ github.run_id }} | |
e2e: | |
needs: [build] | |
runs-on: ubuntu-latest | |
env: | |
FORCE_COLOR: true | |
steps: | |
- name: git clone | |
uses: actions/checkout@v4 | |
with: | |
path: lighthouse | |
- name: Use Node.js 18.x | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 18.x | |
- run: yarn --frozen-lockfile --network-timeout 1000000 | |
working-directory: ${{ github.workspace }}/lighthouse | |
- name: Set $PATH | |
run: echo "$DEPOT_TOOLS_PATH" >> $GITHUB_PATH | |
# For vpython. | |
- name: Download depot tools | |
run: bash $GITHUB_WORKSPACE/lighthouse/core/test/devtools-tests/download-depot-tools.sh | |
- name: Load build artifacts | |
id: devtools-build-artifacts | |
uses: actions/cache@v3 | |
with: | |
path: | | |
${{ env.DEVTOOLS_PATH }} | |
${{ github.workspace }}/.gclient | |
${{ github.workspace }}/.gclient_entries | |
key: devtools-build-artifacts-${{ github.run_id }} | |
- name: Run e2e tests | |
run: bash $GITHUB_WORKSPACE/lighthouse/core/test/devtools-tests/run-e2e-tests.sh | |
smoke: | |
needs: [build] | |
strategy: | |
matrix: | |
smoke-test-shard: [1, 2, 3] | |
# e.g. if set 1 fails, continue with set 2 anyway | |
fail-fast: false | |
runs-on: ubuntu-latest | |
env: | |
CHROME_PATH: ${{ github.workspace }}/lighthouse/.tmp/chrome-tot/chrome | |
FORCE_COLOR: true | |
name: DevTools smoke ${{ matrix.smoke-test-shard }}/${{ strategy.job-total }} | |
steps: | |
- name: git clone | |
uses: actions/checkout@v4 | |
with: | |
path: lighthouse | |
- name: Use Node.js 18.x | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 18.x | |
- name: Load build artifacts | |
id: devtools-build-artifacts | |
uses: actions/cache@v3 | |
with: | |
path: | | |
${{ env.DEVTOOLS_PATH }} | |
${{ github.workspace }}/.gclient | |
${{ github.workspace }}/.gclient_entries | |
key: devtools-build-artifacts-${{ github.run_id }} | |
- run: yarn --frozen-lockfile --network-timeout 1000000 | |
working-directory: ${{ github.workspace }}/lighthouse | |
# This is only done because the import of `parseChromeFlags` in pptr-run-devtool.js triggers imports that eventually | |
# fail because of how report-assets.js reads generated files. | |
- run: yarn build-report | |
working-directory: ${{ github.workspace }}/lighthouse | |
- name: Install Chrome ToT | |
run: bash ${{ github.workspace }}/lighthouse/core/scripts/download-chrome.sh | |
- run: mkdir latest-run | |
working-directory: ${{ github.workspace }}/lighthouse | |
- name: yarn smoke --runner devtools | |
run: yarn smoke --runner devtools --shard=${{ matrix.smoke-test-shard }}/${{ strategy.job-total }} --jobs=3 --retries=2 --debug | |
working-directory: ${{ github.workspace }}/lighthouse | |
- name: Upload failures | |
if: failure() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: Smokehouse (devtools smoke) | |
path: ${{ github.workspace }}/lighthouse/.tmp/smokehouse-failures/ |