oidc-client-js
oidc-client-js copied to clipboard
IdentityModel
Add CircleCI building
This will allow all PR's to be automatically checked against current (as of July of 2019) LTS versions of node. Currently this would be node 8, 10, and 12 (Node 12 becomes LTS on 2019-10-22)
The following screenshot is from my fork once the circle files contained in this PR were applied and I authorized circle access to my public git repositories.
I've also added a command for npm audit --audit-level=moderate - that way you get quick feedback and PR builds will fail that commit any security vuln (or if new ones were discovered, it will require each PR to also always fix security vuln). Seems like something that might be nice to enforce on a library that deals with OAuth2 tokens and OIDC tokens carrying PII data 😂
Please note, that if this PR is merged and circle is setup, then you will fail security audits until https://github.com/IdentityModel/oidc-client-js/pull/906 is merged since npm is going to install the exact versions defined in the lock file, which currently have vulnerabilities.
Can you give me more info into this service? I don't know about it, and I'm hesitant to add some external service that I need to upkeep in some way.
Absolutely! circle-ci is similar to Travis CI if you have used that one before as well. Both Circle and Travis offer free automated builds of open source projects. They integrate natively with GitHub and help lift the burden of OSS maintainers from knowing if a proposed PR is breaking any of your tests.
When you authorize Circle CI to your GitHub org, Circle is able to install webhooks on your git repos - whenever a PR (for instance) is opened on one of those repos, the webhook fires and Circle will run the build defined by the .circeci/config.yml in that projects repository. GitHub is then able to show you on the Pull Request if the build passed or failed.
This little PR just did the work for you so that every PR runs against node 8, 10, and 12 and verifies there are no security vulnerabilities. All you would have to do is authorize Circe CI to github, see the guide here: https://circleci.com/blog/setting-up-continuous-integration-with-github/.
TL;DR - if you merge this PR, then go to circle and sign-up with your GitHub account - you'll grant Circle access to GitHub via GitHubs OAuth mechanism and then you just have to add this oidc-client-js project within the circle console, and that should be it... if you ever don't care for it anymore, you can just revoke Circle's permissions inside of your github account. These files are only used by the circle service.
did almost the same for github actions in #1136 - matrix builds against multiple node versions are good idea through. and yeah: there are no external dependencies now, @brockallen
Hey Ryan -- Sorry for dragging my feet on this. What do you think of github actions instead? Would we still need CircleCI in addition to github actions?