Skip to content

new_audit: ensure clickjacking mitigation through XFO or CSP #12603

new_audit: ensure clickjacking mitigation through XFO or CSP

new_audit: ensure clickjacking mitigation through XFO or CSP #12603

Workflow file for this run

name: CI
on:
push:
branches: [main]
pull_request: # run on all PRs, not just PRs to a particular branch
env:
PUPPETEER_SKIP_DOWNLOAD: 1
jobs:
# `basics` includes all non-smoke and non-unit CI
basics:
runs-on: ubuntu-latest
env:
CHROME_PATH: ${{ github.workspace }}/.tmp/chrome-tot/chrome
FORCE_COLOR: true
# A few steps are duplicated across all jobs. Can be done better when this feature lands:
# https://github.community/t/reusing-sharing-inheriting-steps-between-jobs-declarations/16851
# https://github.com/actions/runner/issues/438
steps:
- name: git clone
uses: actions/checkout@v4
with:
fetch-depth: 100
- run: bash core/scripts/github-actions-commit-range.sh
env:
GITHUB_CONTEXT_PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
GITHUB_CONTEXT_BASE_SHA: ${{ github.event.before }}
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: 18.x
- run: yarn install --frozen-lockfile --network-timeout 1000000
- run: yarn type-check
- run: yarn build-all
# Since Ubuntu 23, dev builds of Chromium need this.
# https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
- run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
# Run pptr tests using ToT Chrome instead of stable default.
- name: Install Chrome ToT
run: bash $GITHUB_WORKSPACE/core/scripts/download-chrome.sh
- name: yarn test-clients
run: bash $GITHUB_WORKSPACE/.github/scripts/test-retry.sh yarn test-clients
- name: yarn test-docs
run: yarn test-docs
- name: yarn test-treemap
run: bash $GITHUB_WORKSPACE/.github/scripts/test-retry.sh yarn test-treemap
- run: yarn diff:sample-json
- run: yarn diff:flow-sample-json
- run: yarn lint
- run: yarn test-lantern
- run: yarn test-legacy-javascript
- run: yarn i18n:checks
- run: yarn dogfood-lhci
# Fail if any changes were written to any source files or generated untracked files (ex, from: build/build-cdt-lib.js).
- run: git add -A && git diff --cached --exit-code
# buildtracker needs history and a common merge commit.
- name: Fixup git history (for buildtracker)
run: bash $GITHUB_WORKSPACE/.github/scripts/git-get-shared-history.sh
env:
# https://buildtracker.dev/docs/guides/github-actions#configuration
BT_API_AUTH_TOKEN: ${{ secrets.BT_API_AUTH_TOKEN }}
- name: Store in buildtracker
# TODO(paulirish): Don't allow this to fail the build. https://github.com/paularmstrong/build-tracker/issues/200
run: yarn bt-cli upload-build || true
env:
# https://buildtracker.dev/docs/guides/github-actions#configuration
BT_API_AUTH_TOKEN: ${{ secrets.BT_API_AUTH_TOKEN }}
- name: Upload dist
uses: actions/upload-artifact@v4
with:
name: dist
path: dist/