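---
# CI workflow: security scans, a Ruby test matrix, and gem publishing from
# main. Reusable workflows are pulled from alphagov/govuk-infrastructure.

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader treats it
# as the trigger key, so the yamllint truthy rule is suppressed here.
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:
    inputs:
      ref:
        description: 'The branch, tag or SHA to checkout'
        default: main
        type: string

jobs:
  snyk-security:
    name: SNYK security analysis
    # NOTE(review): `@main` is a floating ref on every `uses:` below, so the
    # called workflow can change under this job between runs; pinning to a
    # commit SHA makes the run reproducible.
    uses: alphagov/govuk-infrastructure/.github/workflows/snyk-security.yml@main
    with:
      skip_sca: true
    secrets: inherit
    permissions:
      contents: read
      security-events: write
      actions: read

  codeql-sast:
    name: CodeQL SAST scan
    uses: alphagov/govuk-infrastructure/.github/workflows/codeql-analysis.yml@main
    permissions:
      security-events: write

  dependency-review:
    name: Dependency Review scan
    uses: alphagov/govuk-infrastructure/.github/workflows/dependency-review.yml@main

  # This matrix job runs the test suite against multiple Ruby versions
  test_matrix:
    # NOTE(review): no `permissions:` block here, so the job token receives
    # the repository's default permissions; `contents: read` is all the
    # steps below visibly need — confirm before tightening.
    strategy:
      fail-fast: false
      matrix:
        # Quoted so the versions stay strings: unquoted, 3.1 is parsed as a
        # float and a future 3.10 would silently collapse to 3.1.
        ruby: ["3.1", "3.2", "3.3"]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # A manual dispatch may pick the ref to test; otherwise the
          # triggering ref is used.
          ref: ${{ inputs.ref || github.ref }}
      - name: Clone content-schemas
        uses: actions/checkout@v4
        with:
          repository: alphagov/publishing-api
          ref: main
          path: tmp/publishing-api
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ matrix.ruby }}
          bundler-cache: true
      - run: bundle exec rake
        env:
          GOVUK_CONTENT_SCHEMAS_PATH: tmp/publishing-api/content_schemas

  # Branch protection rules cannot directly depend on status checks from matrix jobs.
  # So instead we define `test` as a dummy job which only runs after the preceding `test_matrix` checks have passed.
  # Solution inspired by: https://github.community/t/status-check-for-a-matrix-jobs/127354/3
  test:
    needs: test_matrix
    runs-on: ubuntu-latest
    steps:
      - run: echo "All matrix tests have passed 🚀"

  publish:
    needs: test
    # Only publish from main. NOTE(review): on a manual dispatch from main
    # with a different `inputs.ref`, the ref that was tested and the ref
    # that gets published may differ — the called workflow's checkout is
    # not visible here, so confirm it before relying on this gate.
    if: ${{ github.ref == 'refs/heads/main' }}
    permissions:
      contents: write
    uses: alphagov/govuk-infrastructure/.github/workflows/publish-rubygem.yml@main
    secrets:
      GEM_HOST_API_KEY: ${{ secrets.ALPHAGOV_RUBYGEMS_API_KEY }}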