@ckeditor/ckeditor5-dev-ci 54.6.0 → 54.7.0

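--- a/package/README.md
+++ b/package/README.md
@@ -132,21 +132,25 @@ These commands accept a mix of environment variables and command line arguments.
 - ⚙️ **`ckeditor5-dev-ci-trigger-snyk-scan`**
 
 Publishes Snyk code and dependency snapshots for the current branch.
-It configures the Snyk CLI to use the EU endpoint and the provided organization, then runs `snyk code test --report` and `snyk monitor --all-projects --detection-depth=2`.
+It configures the Snyk CLI to use the EU endpoint and the provided organization, then runs `snyk code test` and `snyk monitor` commands.
 
 **Environment variables:**
 - `SNYK_TOKEN` — Snyk token used for authentication.
+- `DEBUG` — *(Optional)* When set, appends `-d` to `snyk code test` and `snyk monitor` for verbose output, and removes `--silent` from the `pnpm` invocation.
 
 **CircleCI-provided variables:**
 - `CIRCLE_BRANCH` — Git branch used as Snyk's `target-reference`.
 
 **Parameters:**
+- `--depth` — *(Optional)* Detection depth passed to `snyk monitor` as `--detection-depth`. Defaults to `2`.
+- `--exclude` — *(Optional, repeatable)* Additional directory or file name to exclude from Snyk's dependency snapshot. Use multiple times, for example `--exclude=build --exclude=dist`. The provided values are **merged** with the built-in defaults (`external`, `tests`, `node_modules`, `release`, `scripts`).
 - `--organization` — Snyk organization ID or slug.
 
 **Behavior:**
-- Limits dependency snapshot detection to the repository root and `packages/*`, so test fixtures and deeper nested manifests are ignored.
-- Accepts exit code `1` from `snyk code test --report`, so code snapshots are still published when vulnerabilities are found.
-- Requires exit code `0` from `snyk monitor --all-projects`, because any other code means the dependency snapshot was not created.
+- Always excludes `external`, `tests`, `node_modules`, `release` and `scripts` from dependency snapshot detection. Any paths provided via `--exclude` are merged with these defaults (duplicates are ignored).
+- Passes `--detection-depth` (default: `2`) to `snyk monitor` to limit how deep Snyk scans for manifest files, which avoids performance issues caused by deeply nested `node_modules` trees.
+- Accepts exit code `1` from `snyk code test`, so code snapshots are still published when vulnerabilities are found.
+- Requires exit code `0` from `snyk monitor`, because any other code means the dependency snapshot was not created.
 
 ## Changelog
 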
@@ -112,8 +112,9 @@ async function waitForOtherJobsAndSendNotification() {
112
112
  return waitForOtherJobsAndSendNotification();
113
113
  }
114
114
 
115
- // If any ignored job failed, all of its children will be marked as 'failed_parent', and thus will not trigger this check.
116
- const anyJobsFailed = jobs.some( job => job.status === 'failed' );
115
+ // If any ignored job failed or was canceled, all of its children will be marked as
116
+ // 'failed_parent', and thus will not trigger this check.
117
+ const anyJobsFailed = jobs.some( job => job.status === 'failed' || job.status === 'canceled' );
117
118
 
118
119
  if ( anyJobsFailed ) {
119
120
  return execSync( task, { stdio: 'inherit' } );
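Review bot: The failure statuses are now enumerated in several independent places — this `some()` predicate, the `isJobFailed()` helper and the `FINISHED_STATUSES` list elsewhere in this release — so every new status (the typedef already lists `'skipped'`) has to be added to each of them by hand to keep them consistent. A single shared list, e.g. `const FAILED_STATUSES = [ 'failed', 'canceled' ];` and `const anyJobsFailed = jobs.some( job => FAILED_STATUSES.includes( job.status ) );`, or reusing `isJobFailed()` if it is reachable from this module, would keep the semantics in one place. `waitForOtherJobsAndSendNotification()` starts before this hunk, so how `jobs` is filtered beforehand is not visible here.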
@@ -9,12 +9,22 @@ import { parseArgs } from 'node:util';
9
9
  import runSnykCommand from '../lib/run-snyk-command.js';
10
10
 
11
11
  const SNYK_ENDPOINT = 'https://api.eu.snyk.io';
12
+ const DEFAULT_EXCLUDE = [ 'node_modules', 'external', 'release', 'scripts', 'tests' ];
12
13
 
13
14
  try {
14
- const { CIRCLE_BRANCH, SNYK_TOKEN } = process.env;
15
+ const { CIRCLE_BRANCH, SNYK_TOKEN, DEBUG } = process.env;
15
16
 
16
17
  const { values } = parseArgs( {
17
18
  options: {
19
+ depth: {
20
+ default: '2',
21
+ type: 'string'
22
+ },
23
+ exclude: {
24
+ default: [],
25
+ multiple: true,
26
+ type: 'string'
27
+ },
18
28
  organization: {
19
29
  type: 'string'
20
30
  }
@@ -34,6 +44,8 @@ try {
34
44
  throw new Error( 'Missing environment variable: CIRCLE_BRANCH' );
35
45
  }
36
46
 
47
+ const exclude = [ ...new Set( [ ...DEFAULT_EXCLUDE, ...values.exclude ] ) ];
48
+
37
49
  await runSnykCommand( [ 'config', 'set', `endpoint=${ SNYK_ENDPOINT }` ] );
38
50
  await runSnykCommand( [ 'config', 'set', `org=${ values.organization }` ] );
39
51
 
@@ -43,7 +55,8 @@ try {
43
55
  'test',
44
56
  '--report',
45
57
  '--project-name=Code analysis',
46
- `--target-reference=${ CIRCLE_BRANCH }`
58
+ `--target-reference=${ CIRCLE_BRANCH }`,
59
+ ...( DEBUG ? [ '-d' ] : [] )
47
60
  ],
48
61
 
49
62
  /**
@@ -57,8 +70,10 @@ try {
57
70
  [
58
71
  'monitor',
59
72
  '--all-projects',
60
- '--detection-depth=2',
61
- `--target-reference=${ CIRCLE_BRANCH }`
73
+ `--exclude=${ exclude.join( ',' ) }`,
74
+ `--detection-depth=${ values.depth }`,
75
+ `--target-reference=${ CIRCLE_BRANCH }`,
76
+ ...( DEBUG ? [ '-d' ] : [] )
62
77
  ],
63
78
 
64
79
  /**
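Review bot: `values.depth` is interpolated into `--detection-depth=${ values.depth }` without any validation, so a mistyped parameter (`--depth=two`, `--depth=`) is only rejected by Snyk after `snyk code test` has already run and reported, instead of failing the job up front. A guard next to the existing `CIRCLE_BRANCH` check, `if ( !/^[1-9]\d*$/.test( values.depth ) ) { throw new Error( \`Invalid --depth value: ${ values.depth }\` ); }`, fails fast with a clear message; for the same reason an explicit empty `--exclude=` should be filtered out before `exclude.join( ',' )`, which otherwise emits a trailing comma in the Snyk argument. Separately, `DEBUG` is the conventional switch of the widely used `debug` npm package (`DEBUG=*`), so any CI job that sets it for other tooling will silently turn on `snyk -d` as well; a dedicated name such as `SNYK_DEBUG` avoids that, and it is worth confirming that Snyk's debug output does not echo `SNYK_TOKEN` or request headers into the CI log before documenting the flag. The `snyk code test` invocation and the enclosing `try` block are outside this hunk.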
@@ -64,6 +64,11 @@ function isJobFailed( job ) {
64
64
  return true;
65
65
  }
66
66
 
67
+ // See: https://github.com/ckeditor/ckeditor5/issues/19978.
68
+ if ( job.status === 'canceled' ) {
69
+ return true;
70
+ }
71
+
67
72
  if ( job.status === 'failed_parent' ) {
68
73
  return true;
69
74
  }
@@ -85,7 +90,7 @@ function clone( obj ) {
85
90
  *
86
91
  * @property {string} id
87
92
  *
88
- * @property {'blocked'|'running'|'failed'|'failed_parent'|'success'} status
93
+ * @property {'blocked'|'running'|'failed'|'canceled'|'failed_parent'|'success'|'skipped'} status
89
94
  *
90
95
  * @property {Array.<string>} dependencies
91
96
  */
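Review bot: The new `canceled` branch carries only an issue link, so a reader without access to the tracker cannot tell why a canceled job is treated as failed rather than as skipped; the comment should state the reason in one line and keep the link as a reference, e.g. `// Treat a canceled job like a failed one: <reason concluded in the issue>. See: https://github.com/ckeditor/ckeditor5/issues/19978.`. With three consecutive `if ( job.status === X ) { return true; }` checks, a single lookup such as `const FAILED_STATUSES = new Set( [ 'failed', 'canceled', 'failed_parent' ] );` followed by `return FAILED_STATUSES.has( job.status );` would read better and would give the typedef's new `'skipped'` value one obvious place to be handled or deliberately left out. `isJobFailed()` begins before this hunk, so its earlier branches (presumably the `failed` check) are not visible here.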
@@ -3,6 +3,7 @@
3
3
  * For licensing, see LICENSE.md.
4
4
  */
5
5
 
6
+ import path from 'node:path';
6
7
  import { spawn } from 'node:child_process';
7
8
 
8
9
  /**
@@ -14,10 +15,14 @@ import { spawn } from 'node:child_process';
14
15
  * @returns {Promise<void>}
15
16
  */
16
17
  export default function runSnykCommand( snykArguments, allowedExitCodes = [ 0 ] ) {
18
+ const snykExecutablePath = path.resolve( import.meta.dirname, '..', 'node_modules', '.bin', 'snyk' );
19
+ const pnpmFlags = process.env.DEBUG ? [] : [ '--silent' ];
20
+
17
21
  return new Promise( ( resolve, reject ) => {
18
- const childProcess = spawn( 'pnpm', [ '--silent', 'exec', 'snyk', ...snykArguments ], {
22
+ const childProcess = spawn( 'pnpm', [ ...pnpmFlags, 'exec', snykExecutablePath, ...snykArguments ], {
19
23
  cwd: process.cwd(),
20
- stdio: 'inherit'
24
+ stdio: 'inherit',
25
+ shell: process.platform === 'win32'
21
26
  } );
22
27
 
23
28
  childProcess.on( 'error', reject );
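Review bot: `shell: process.platform === 'win32'` makes `spawn()` hand the whole argument list to `cmd.exe` as one unquoted string, so every Snyk argument is re-parsed by the shell on Windows: `'--project-name=Code analysis'` (passed by the snyk-scan script in this same release) is split into two arguments, and `--target-reference=${ CIRCLE_BRANCH }` turns a branch name containing `&`, `|`, `<`, `>` or `%…%` — all legal in git refnames, and not necessarily chosen by the repository owner when builds run for forks — into shell syntax executed with the job's environment, `SNYK_TOKEN` included. The same applies to `snykExecutablePath` whenever the checkout path contains a space. The shell is presumably only there because `pnpm` resolves to `pnpm.cmd` on Windows and recent Node versions refuse to spawn `.cmd` files without one; running the Snyk CLI's JavaScript entry point directly under `process.execPath` removes the need for `pnpm exec` (and with it the `--silent`/`DEBUG` toggle) and for the shell, so the arguments arrive verbatim on every platform (`createRequire` comes from `node:module`; take the entry script from the snyk package's `bin` field, whose exact shape I cannot see here). If the shell must stay, each argument needs cmd.exe-specific quoting before it is joined, which is hard to get right (`%VAR%` expansion happens even inside double quotes), so the shell-free path is preferable. Note that `import.meta.dirname` also requires Node 20.11+, which should be reflected in the package's `engines` field if it is not already.
```javascript
export default function runSnykCommand( snykArguments, allowedExitCodes = [ 0 ] ) {
	// Run the Snyk CLI's own entry script under the current Node binary instead of
	// `pnpm exec snyk` through a shell: with no shell involved, arguments containing
	// spaces or cmd.exe metacharacters (branch names, project names) are passed verbatim.
	const require = createRequire( import.meta.url );
	const snykPackageDir = path.dirname( require.resolve( 'snyk/package.json' ) );
	const snykEntryPoint = path.join( snykPackageDir, require( 'snyk/package.json' ).bin.snyk );

	return new Promise( ( resolve, reject ) => {
		const childProcess = spawn( process.execPath, [ snykEntryPoint, ...snykArguments ], {
			cwd: process.cwd(),
			stdio: 'inherit'
		} );

		// … unchanged: 'error' and 'exit' handlers …
```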
@@ -6,6 +6,8 @@
6
6
  const FINISHED_STATUSES = [
7
7
  'success',
8
8
  'failed',
9
+ // See: https://github.com/ckeditor/ckeditor5/issues/19978.
10
+ 'canceled',
9
11
  'failed_parent',
10
12
  // See: https://github.com/ckeditor/ckeditor5/issues/18359.
11
13
  'skipped'
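--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@ckeditor/ckeditor5-dev-ci",
-"version": "54.6.0",
+"version": "54.7.0",
 "description": "Utils used on various Continuous Integration services.",
 "keywords": [],
 "author": "CKSource (http://cksource.com/)",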