bcgov/action-test-and-analyse

BREAKING CHANGES in v1.0:

  • node_version is now required (previously defaulted to 16)
  • sonar_comment_token has been removed (ignored by SonarCloud)
  • sonar_project_token has been renamed sonar_token


Test and Analyze with Triggers, SonarCloud and Supply Chain Scanning

This action runs tests when its triggers match, and optionally sends results and coverage to SonarCloud. Both the tests and SonarCloud can be configured to comment on pull requests or to fail the workflow. Optional supply chain attack detection can be enabled to scan packages before they are installed.

Conditional triggers are used to determine whether tests need to be run. If triggers are matched, then the appropriate code has changed and should be tested. Tests always run if no triggers are provided. Untriggered runs do little other than report a success.

Only Node.js (JavaScript, TypeScript) is supported by this action. Please see our Java action or upcoming Python action as required.

Usage

- uses: bcgov/[email protected]
  with:
    ### Required

    # Commands to run tests
    # Please configure your app to generate coverage (coverage/lcov.info)
    commands: |
      npm ci
      npm run test:cov

    # Project/app directory
    dir: frontend

    # Node.js version
    # BREAKING CHANGE: previously defaulted to 16 (LTS)
    node_version: "20"

    ### Typical / recommended

    # Sonar arguments
    # https://docs.sonarcloud.io/advanced-setup/analysis-parameters/
    sonar_args: |
        -Dsonar.exclusions=**/coverage/**,**/node_modules/**
        -Dsonar.organization=bcgov-sonarcloud
        -Dsonar.projectKey=bcgov_${{ github.repository }}

    # Sonar token
    # Available from sonarcloud.io or your organization administrator
    # BCGov uses https://github.com/BCDevOps/devops-requests/issues/new/choose
    # If the token is empty the SonarCloud step is skipped, which allows pre-setup
    sonar_token: ${{ secrets.SONAR_TOKEN }}

    # Bash array of paths to diff against diff_branch for test triggering
    # Optional, defaults to nothing, which forces tests to run
    triggers: ('frontend/')

    # Enable supply chain attack detection using @aikidosec/safe-chain
    # Optional, defaults to false (opt-in only)
    # Detects and blocks malicious packages during npm ci
    supply_scan: false

    ### Usually a bad idea / not recommended

    # Overrides the default branch to diff against
    # Defaults to the default branch, usually `main`
    diff_branch: ${{ github.event.repository.default_branch }}

    # Repository to clone and process
    # Useful for consuming other repos, like in testing
    # Defaults to the current one
    repository: ${{ github.repository }}

    # Branch to clone and process
    # Useful for consuming non-default branches, like in testing
    # Defaults to empty, cloning the default branch
    branch: ""
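The trigger rule described above (always run with no triggers; otherwise run only when a changed path matches one of the trigger entries, and publish the decision as the triggered output) as an added shell example. This is not the action's own script: it assumes a trigger entry matches any changed path that starts with it, takes the prefixes as ordinary arguments instead of the bash array literal the action accepts, and the function names (changed_since, is_triggered, publish_triggered) are ours. GITHUB_OUTPUT is the real file GitHub Actions reads step outputs from; the demo at the end uses a constructed change set so it runs without git.

```shell
#!/bin/sh
# Added example, not the action's own code. Mirrors the README's trigger rule
# with a plain POSIX shell function so it can be exercised offline.

# Paths changed on HEAD relative to the branch the action diffs against
# (the README's diff_branch, normally the default branch). Needs a git checkout.
changed_since() {
  branch=${1:-main}
  git fetch --quiet origin "$branch"
  git diff --name-only "origin/$branch...HEAD"
}

# is_triggered "<changed paths, one per line>" [prefix ...]
# Exit 0 when tests should run, 1 when the run can be skipped.
# No prefixes: always run. Otherwise run when any changed path starts with
# one of the prefixes (assumed matching rule, e.g. 'frontend/' or 'charts/frontend').
is_triggered() {
  changed=$1
  shift
  [ "$#" -eq 0 ] && return 0
  old_ifs=$IFS
  IFS='
'
  for path in $changed; do
    for prefix in "$@"; do
      case "$path" in
        "$prefix"*) IFS=$old_ifs; return 0 ;;
      esac
    done
  done
  IFS=$old_ifs
  return 1
}

# Publish the decision the way a step exposes it to later steps and echo it
# so callers can branch on the value ("true" or "false").
publish_triggered() {
  if is_triggered "$@"; then value=true; else value=false; fi
  [ -n "${GITHUB_OUTPUT:-}" ] && echo "triggered=$value" >> "$GITHUB_OUTPUT"
  echo "$value"
}

# Demo on a constructed change set (no git repository needed).
sample_changes='frontend/src/App.tsx
README.md'
echo "frontend triggers: $(publish_triggered "$sample_changes" 'frontend/' 'charts/frontend')"
echo "backend triggers:  $(publish_triggered "$sample_changes" 'backend/' 'charts/backend')"
echo "no triggers:       $(publish_triggered "$sample_changes")"
```

In a real step, replace the constructed sample with `changed_since "$DIFF_BRANCH"`; a docs-only change such as README.md then yields `triggered=false` for both the frontend and backend prefix sets, which is the "report a success and do nothing else" path.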

Example, Single Directory with SonarCloud Analysis and Supply Chain Scanning

Run tests and provide results to SonarCloud. This is a full workflow that runs on pull requests, merges to main and workflow_dispatch. Use a GitHub Actions secret to provide ${{ secrets.SONAR_TOKEN }}.

The specified triggers will be used to decide whether this job runs tests and analysis or just exits successfully.

This example also enables supply chain scanning, which adds a step that scans packages before installation.

Create or modify a GitHub workflow, like below. E.g. .github/workflows/tests.yml

Note: Provide an unpopulated SONAR_TOKEN until one is provisioned. SonarCloud will only run once populated, allowing for pre-setup.

name: Test and Analyze

on:
  pull_request:
  push:
    branches:
      - main
    paths-ignore:
      - ".github/**"
      - "**.md"
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  tests:
    name: Test and Analyze
    runs-on: ubuntu-24.04
    steps:
      - uses: bcgov/[email protected]
        with:
          commands: |
            npm ci
            npm run test:cov
          dir: frontend
          node_version: "20"
          sonar_args: |
            -Dsonar.exclusions=**/coverage/**,**/node_modules/**
            -Dsonar.organization=bcgov-nr
            -Dsonar.projectKey=bcgov-nr_action-test-and-analyse_frontend
          sonar_token: ${{ secrets.SONAR_TOKEN }}
          supply_scan: true
          triggers: ('frontend/' 'charts/frontend')

Example, Only Running Tests (No SonarCloud, No Supply Chain Scanning), No Triggers

No triggers are provided so tests will always run. SonarCloud is skipped, supply chain scanning is skipped.

jobs:
  tests:
    name: Test and Analyze
    runs-on: ubuntu-24.04
    steps:
      - uses: bcgov/[email protected]
        with:
          commands: |
            npm ci
            npm run test:cov
          dir: frontend
          node_version: "20"

Example, Matrix / Multiple Directories with Sonar Cloud and Triggers

Test and analyze projects in multiple directories in parallel. This time repository and branch are provided. Please note how secrets must be passed in to composite Actions using the secrets[matrix.variable] syntax.

jobs:
  tests:
    name: Test and Analyze
    runs-on: ubuntu-24.04
    strategy:
      matrix:
        dir: [backend, frontend]
        include:
          - dir: backend
            token: SONAR_TOKEN_BACKEND
            triggers: ('backend/' 'charts/backend')
          - dir: frontend
            token: SONAR_TOKEN_FRONTEND
            triggers: ('frontend/' 'charts/frontend')
    steps:
      - uses: actions/checkout@v5
      - uses: bcgov/[email protected]
        with:
          commands: |
            npm ci
            npm run test:cov
          dir: ${{ matrix.dir }}
          node_version: "20"
          sonar_args: |
            -Dsonar.exclusions=**/coverage/**,**/node_modules/**
            -Dsonar.organization=bcgov-nr
            -Dsonar.projectKey=bcgov-nr_action-test-and-analyse_${{ matrix.dir }}
          sonar_token: ${{ secrets[matrix.token] }}
          triggers: ${{ matrix.triggers }}
          repository: bcgov/quickstart-openshift
          branch: main

Outputs

Output      Description
triggered   Whether the action was triggered by path changes (true/false)

Later steps can branch on the output:

- id: test
  uses: bcgov/[email protected]
  with:
    commands: |
      npm ci
      npm run test:cov
    dir: frontend
    node_version: "20"
    triggers: ('frontend/')

- if: steps.test.outputs.triggered == 'true'
  run: echo "✅ Tests were triggered by path changes"

- if: steps.test.outputs.triggered == 'false'
  run: echo "ℹ️ Tests were not triggered (no matching path changes)"

Sonar Project Token

SonarCloud project tokens are free, available from SonarCloud or your organization's administrators.

For BC Government projects, please create an issue for our platform team.

After sign up, a token should be available from your project on the SonarCloud site. Multirepo projects (e.g. backend, frontend) will have multiple projects. Click Administration > Analysis Method > GitHub Actions (tutorial) to find yours.

E.g. https://sonarcloud.io/project/configuration?id={}&analysisMode=GitHubActions

Supply Chain Scanning

This action supports optional supply chain attack detection using @aikidosec/safe-chain. When enabled, safe-chain wraps npm commands to scan packages before installation, protecting against malicious code, typosquats, and suspicious scripts.

This feature is opt-in only (default: false) to maintain minimal scope and avoid unexpected behavior.

How to Enable

Set supply_scan: true in your workflow:

- uses: bcgov/[email protected]
  with:
    commands: |
      npm ci
      npm run test:cov
    dir: frontend
    node_version: "20"
    supply_scan: true

When enabled, safe-chain will:

  • Scan packages against Aikido's threat intelligence database
  • Block known malicious packages and supply chain attacks (installation will fail if threats are detected)
  • Protect against typosquatting and suspicious install scripts

No additional configuration or API tokens are required. The scanning happens automatically during npm ci and other package manager commands.
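To make concrete what "installation will fail if threats are detected" means in a pipeline, here is an added shell example of a pre-install gate. It is not safe-chain's code and does not use Aikido's threat intelligence: it reads package-lock.json (v2/v3 "packages" map assumed), lists every locked name@version, and refuses to run npm ci when one appears in a constructed local blocklist. The function names (lockfile_packages, scan_lockfile, guarded_npm_ci) and the blocklist format are ours; the demo files at the end are constructed.

```shell
#!/bin/sh
# Added example, not safe-chain's implementation. A minimal, offline
# pre-install gate that sits where safe-chain wraps `npm ci`.

# Print every installed package as name@version, read from the lockfile ($1).
# Assumes npm lockfile v2/v3: "node_modules/<name>": { "version": "<v>", ... }.
lockfile_packages() {
  awk '
    /"node_modules\/[^"]+":/ {
      n = $0
      sub(/^.*node_modules\//, "", n)    # keep the last segment (nested deps)
      sub(/".*$/, "", n)
      name = n
    }
    name != "" && /"version": "/ {
      v = $0
      sub(/^.*"version": "/, "", v)
      sub(/".*$/, "", v)
      print name "@" v
      name = ""
    }
  ' "$1"
}

# scan_lockfile <lockfile> <blocklist>
# Blocklist lines are "name@version" (one release) or "name" (every release).
# Prints each hit to stderr and exits 1 if any locked package is listed.
scan_lockfile() {
  hits=0
  for pkg in $(lockfile_packages "$1"); do
    name=${pkg%@*}                       # drop trailing @version, keeps @scope/
    if grep -qxF -e "$pkg" -e "$name" "$2"; then
      echo "BLOCKED: $pkg" >&2
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# Wrapper in the spirit of "wraps npm commands": scan first, install only if clean.
guarded_npm_ci() {
  scan_lockfile package-lock.json "$1" || { echo "refusing to run npm ci" >&2; return 1; }
  npm ci
}

# Demo with constructed files (not a real project).
demo_dir=$(mktemp -d)
cat > "$demo_dir/package-lock.json" <<'EOF'
{
  "name": "frontend",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "frontend",
      "version": "1.0.0"
    },
    "node_modules/left-pad": {
      "version": "1.3.0"
    },
    "node_modules/evil-pkg": {
      "version": "9.9.9"
    },
    "node_modules/@scope/ok": {
      "version": "2.0.0"
    }
  }
}
EOF
printf '%s\n' 'evil-pkg@9.9.9' 'typosquat-lodash' > "$demo_dir/blocklist.txt"
if scan_lockfile "$demo_dir/package-lock.json" "$demo_dir/blocklist.txt"; then
  echo "lockfile clean, npm ci may proceed"
else
  echo "lockfile blocked, npm ci would not run"
fi
rm -rf "$demo_dir"
```

A static blocklist only catches what you already know about; safe-chain's value is the live feed and the typosquat heuristics. The gate above is still useful as a regression check in your own pipeline (for example to pin out a package you have explicitly banned) and as a way to confirm that a blocked install really does stop the step with a non-zero exit.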

Feedback

Please contribute your ideas! Issues and pull requests are appreciated.

About

GitHub Action to run Node.js unit tests and analyse with SonarCloud.