@ckeditor/ckeditor5-dev-ci 54.5.0 → 54.6.1

package/README.md

@@ -129,6 +129,26 @@ These commands accept a mix of environment variables and command line arguments.
     Can be omitted if it matches `--slug`.
   - `--release-branch` — *(Optional)* Branch that leads the release process.
 
+- ⚙️ **`ckeditor5-dev-ci-trigger-snyk-scan`**
+
+  Publishes Snyk code and dependency snapshots for the current branch.
+  It configures the Snyk CLI to use the EU endpoint and the provided organization, then runs `snyk code test --report` and `snyk monitor --all-projects --exclude=external,tests`.
+
+  **Environment variables:**
+  - `SNYK_TOKEN` — Snyk token used for authentication.
+
+  **CircleCI-provided variables:**
+  - `CIRCLE_BRANCH` — Git branch used as Snyk's `target-reference`.
+
+  **Parameters:**
+  - `--exclude` — *(Optional, repeatable)* Directory or file name passed to Snyk's `--exclude`. Use multiple times, for example `--exclude=external --exclude=tests`. Defaults to `external` and `tests`.
+  - `--organization` — Snyk organization ID or slug.
+
+  **Behavior:**
+  - Excludes directories and files named `external` and `tests` from dependency snapshot detection by default, and allows overriding that list with repeated `--exclude` flags.
+  - Accepts exit code `1` from `snyk code test --report`, so code snapshots are still published when vulnerabilities are found.
+  - Requires exit code `0` from `snyk monitor --all-projects`, because any other code means the dependency snapshot was not created.
+
 ## Changelog
 
 See the [`CHANGELOG.md`](https://github.com/ckeditor/ckeditor5-dev/blob/master/packages/ckeditor5-dev-ci/CHANGELOG.md) file.

package/bin/circle-workflow-notifier.js

@@ -112,8 +112,9 @@ async function waitForOtherJobsAndSendNotification() {
 		return waitForOtherJobsAndSendNotification();
 	}
 
-	// If any ignored job failed, all of its children will be marked as 'failed_parent', and thus will not trigger this check.
-	const anyJobsFailed = jobs.some( job => job.status === 'failed' );
+	// If any ignored job failed or was canceled, all of its children will be marked as
+	// 'failed_parent', and thus will not trigger this check.
+	const anyJobsFailed = jobs.some( job => job.status === 'failed' || job.status === 'canceled' );
 
 	if ( anyJobsFailed ) {
 		return execSync( task, { stdio: 'inherit' } );

package/bin/trigger-snyk-scan.js

@@ -0,0 +1,78 @@
+#!/usr/bin/env node
+
+/**
+ * @license Copyright (c) 2003-2026, CKSource Holding sp. z o.o. All rights reserved.
+ * For licensing, see LICENSE.md.
+ */
+
+import { parseArgs } from 'node:util';
+import runSnykCommand from '../lib/run-snyk-command.js';
+
+const SNYK_ENDPOINT = 'https://api.eu.snyk.io';
+
+try {
+	const { CIRCLE_BRANCH, SNYK_TOKEN } = process.env;
+
+	const { values } = parseArgs( {
+		options: {
+			exclude: {
+				default: [ 'external', 'tests' ],
+				multiple: true,
+				type: 'string'
+			},
+			organization: {
+				type: 'string'
+			}
+		},
+		strict: true
+	} );
+
+	if ( !values.organization ) {
+		throw new Error( 'Missing required argument: --organization' );
+	}
+
+	if ( !SNYK_TOKEN ) {
+		throw new Error( 'Missing environment variable: SNYK_TOKEN' );
+	}
+
+	if ( !CIRCLE_BRANCH ) {
+		throw new Error( 'Missing environment variable: CIRCLE_BRANCH' );
+	}
+
+	await runSnykCommand( [ 'config', 'set', `endpoint=${ SNYK_ENDPOINT }` ] );
+	await runSnykCommand( [ 'config', 'set', `org=${ values.organization }` ] );
+
+	await runSnykCommand(
+		[
+			'code',
+			'test',
+			'--report',
+			'--project-name=Code analysis',
+			`--target-reference=${ CIRCLE_BRANCH }`
+		],
+
+		/**
+		 * Snyk CLI returns exit code 1 when vulnerabilities are found. Since we want to publish
+		 * the snapshot even if there are some vulnerabilities, we need to allow exit code 1.
+		 */
+		[ 0, 1 ]
+	);
+
+	await runSnykCommand(
+		[
+			'monitor',
+			'--all-projects',
+			`--exclude=${ values.exclude.join( ',' ) }`,
+			`--target-reference=${ CIRCLE_BRANCH }`
+		],
+
+		/**
+		 * Unlike `snyk code test --report`, `snyk monitor` reports a successful snapshot upload
+		 * only with exit code 0. Any other exit code means the dependency snapshot was not created.
+		 */
+		[ 0 ]
+	);
+} catch ( error ) {
+	console.error( error );
+	process.exitCode = 1;
+}

package/lib/process-job-statuses.js

@@ -64,6 +64,11 @@ function isJobFailed( job ) {
 		return true;
 	}
 
+	// See: https://github.com/ckeditor/ckeditor5/issues/19978.
+	if ( job.status === 'canceled' ) {
+		return true;
+	}
+
 	if ( job.status === 'failed_parent' ) {
 		return true;
 	}
@@ -85,7 +90,7 @@ function clone( obj ) {
  *
  * @property {string} id
  *
- * @property {'blocked'|'running'|'failed'|'failed_parent'|'success'} status
+ * @property {'blocked'|'running'|'failed'|'canceled'|'failed_parent'|'success'|'skipped'} status
  *
  * @property {Array.<string>} dependencies
  */

package/lib/run-snyk-command.js

@@ -0,0 +1,34 @@
+/**
+ * @license Copyright (c) 2003-2026, CKSource Holding sp. z o.o. All rights reserved.
+ * For licensing, see LICENSE.md.
+ */
+
+import { spawn } from 'node:child_process';
+
+/**
+ * Runs the Snyk CLI through `pnpm exec` and resolves only for explicitly allowed exit codes.
+ * This lets callers tolerate Snyk's non-zero "findings present" codes when a snapshot should still be published.
+ *
+ * @param {Array<string>} snykArguments CLI arguments passed to `snyk`.
+ * @param {Array<number>} [allowedExitCodes=[ 0 ]] Exit codes treated as successful.
+ * @returns {Promise<void>}
+ */
+export default function runSnykCommand( snykArguments, allowedExitCodes = [ 0 ] ) {
+	return new Promise( ( resolve, reject ) => {
+		const childProcess = spawn( 'pnpm', [ '--silent', 'exec', 'snyk', ...snykArguments ], {
+			cwd: process.cwd(),
+			stdio: 'inherit'
+		} );
+
+		childProcess.on( 'error', reject );
+		childProcess.on( 'close', exitCode => {
+			if ( allowedExitCodes.includes( exitCode ) ) {
+				resolve();
+
+				return;
+			}
+
+			reject( new Error( `Snyk command failed with exit code ${ exitCode }.` ) );
+		} );
+	} );
+}

package/lib/utils/is-workflow-finished.js

@@ -6,6 +6,8 @@
 const FINISHED_STATUSES = [
 	'success',
 	'failed',
+	// See: https://github.com/ckeditor/ckeditor5/issues/19978.
+	'canceled',
 	'failed_parent',
 	// See: https://github.com/ckeditor/ckeditor5/issues/18359.
 	'skipped'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ckeditor/ckeditor5-dev-ci",
-  "version": "54.5.0",
+  "version": "54.6.1",
   "description": "Utils used on various Continuous Integration services.",
   "keywords": [],
   "author": "CKSource (http://cksource.com/)",
@@ -23,16 +23,18 @@
     "lib"
   ],
   "bin": {
-    "ckeditor5-dev-ci-notify-circle-status": "bin/notify-circle-status.js",
+    "ckeditor5-dev-ci-circle-enable-auto-cancel-builds": "bin/circle-enable-auto-cancel-builds.js",
+    "ckeditor5-dev-ci-circle-disable-auto-cancel-builds": "bin/circle-disable-auto-cancel-builds.js",
     "ckeditor5-dev-ci-circle-workflow-notifier": "bin/circle-workflow-notifier.js",
     "ckeditor5-dev-ci-is-job-triggered-by-member": "bin/is-job-triggered-by-member.js",
     "ckeditor5-dev-ci-is-workflow-restarted": "bin/is-workflow-restarted.js",
+    "ckeditor5-dev-ci-notify-circle-status": "bin/notify-circle-status.js",
     "ckeditor5-dev-ci-trigger-circle-build": "bin/trigger-circle-build.js",
-    "ckeditor5-dev-ci-circle-disable-auto-cancel-builds": "bin/circle-disable-auto-cancel-builds.js",
-    "ckeditor5-dev-ci-circle-enable-auto-cancel-builds": "bin/circle-enable-auto-cancel-builds.js"
+    "ckeditor5-dev-ci-trigger-snyk-scan": "bin/trigger-snyk-scan.js"
   },
   "dependencies": {
     "@octokit/rest": "^22.0.0",
-    "slack-notify": "^2.0.6"
+    "slack-notify": "^2.0.6",
+    "snyk": "^1.1303.1"
   }
 }