ci: add PR labels and combine workflows (#407)

* Automatically labels PRs based on change paths to make it easier to see what is in scope of a PR at a glance
* Merges dependency security scanning into single CI workflows for Rust/TS changes

.github/labeler.yml

@@ -0,0 +1,15 @@
+program:
+- 'programs/**'
+client:
+- 'ts/client/**'
+liquidator:
+- 'liquidator/**'
+keeper:
+- 'keeper/**'
+ci:
+- '.github/workflows/**'
+dependency:
+- '*.lock'
+documentation:
+- '*.md'
+- '**/LICENCE'

.github/workflows/ci-code-review-rust.yml

@@ -7,7 +7,8 @@ on:
             'keeper/**',
             'lib/**',
             'liquidator/**',
-            'anchor/cli/**']
+            'anchor/cli/**',
+            'Cargo.lock']
   pull_request: 
     branches: ['main', 'dev']
     paths: ['cli/**',
@@ -16,7 +17,8 @@ on:
             'keeper/**',
             'lib/**',
             'liquidator/**',
-            'anchor/cli/**']
+            'anchor/cli/**',
+            'Cargo.lock']
   workflow_dispatch: # Pick branch manually
 
 env:
@@ -101,12 +103,48 @@ jobs:
         with:
           name: raw-test-bpf
           path: raw-test-bpf.log
+  
+  sca:
+    name: Dependency Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
 
+      # Report all vulnerabilities in security tab
+      - name: Report on all vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: 'Cargo.lock'
+          ignore-unfixed: true
+          hide-progress: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          
+      # Fail the job on critical vulnerabiliies with fix available
+      - name: Fail on critical vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: 'Cargo.lock'
+          ignore-unfixed: true
+          hide-progress: true
+          format: 'table'
+          severity: 'CRITICAL'
+          exit-code: '1'
+
+      - name: Upload output
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+  
   # Download logs and process them
   process-logs:
     name: Process logs
     runs-on: ubuntu-latest
-    needs: [format, clippy, test]
+    needs: ['test']
     steps:
       - name: Download raw log
         uses: actions/download-artifact@v3

.github/workflows/ci-code-review-ts.yml

@@ -3,9 +3,9 @@ name: Code Review - TypeScript
 on:
   pull_request: 
     branches: ['main', 'dev']
-    paths: ['ts/**']
+    paths: ['ts/**', 'yarn.lock']
   push:
-    paths: ['ts/**']
+    paths: ['ts/**', 'yarn.lock']
 
 jobs:
   format:
@@ -46,8 +46,8 @@ jobs:
     - name: Lint
       run: yarn lint
 
-  unit-test:
-    name: Unit Test
+  test:
+    name: Test
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
@@ -65,7 +65,7 @@ jobs:
     - name: Run Test
       run: yarn test
 
-  semgrep:
+  sast:
     name: Security Scan
     runs-on: ubuntu-latest
     container:
@@ -85,3 +85,60 @@ jobs:
         if: always()
         with:
           sarif_file: semgrep-results.sarif
+  
+  sca:
+    name: Dependency Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      # Report all vulnerabilities in security tab
+      - name: Report on all vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: 'yarn.lock'
+          ignore-unfixed: true
+          hide-progress: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          
+      # Fail the job on critical vulnerabiliies with fix available
+      - name: Fail on critical vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: 'yarn.lock'
+          ignore-unfixed: true
+          hide-progress: true
+          format: 'table'
+          severity: 'CRITICAL'
+          exit-code: '1'
+
+      - name: Upload output
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+  
+  yarn-pass:
+      name: Yarn tests pass
+      needs: ['format', 'lint', 'test']
+      runs-on: ubuntu-latest
+      steps:
+        - run: echo ok
+
+  security-pass:
+      name: Security tests pass
+      needs: ['sca', 'sast']
+      runs-on: ubuntu-latest
+      steps:
+        - run: echo ok
+
+  all-pass:
+      name: All tests pass 🚀
+      needs: ['yarn-pass', 'security-pass']
+      runs-on: ubuntu-latest
+      steps:
+        - run: echo ok

.github/workflows/ci-dependency-scan-cargo.yml

@@ -1,59 +0,0 @@
-name: Dependency Security Scan - Cargo
-
-on:
-  pull_request: 
-    branches: ['main', 'dev']
-    paths: ['cli/**',
-            'client/**',
-            'programs/**',
-            'keeper/**',
-            'lib/**',
-            'liquidator/**',
-            'anchor/cli/**',
-            'Cargo.lock']
-  push:
-    paths: ['cli/**',
-            'client/**',
-            'programs/**',
-            'keeper/**',
-            'lib/**',
-            'liquidator/**',
-            'anchor/cli/**',
-            'Cargo.lock']
-
-jobs:
-  trivy:
-    name: Dependency Scan
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      # Report all vulnerabilities in security tab
-      - name: Report on all vulnerabilities
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          scan-ref: 'Cargo.lock'
-          ignore-unfixed: true
-          hide-progress: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          
-      # Fail the job on critical vulnerabiliies with fix available
-      - name: Fail on critical vulnerabilities
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          scan-ref: 'Cargo.lock'
-          ignore-unfixed: true
-          hide-progress: true
-          format: 'table'
-          severity: 'CRITICAL'
-          exit-code: '1'
-
-      - name: Upload output
-        uses: github/codeql-action/upload-sarif@v2
-        if: always()
-        with:
-          sarif_file: 'trivy-results.sarif'

.github/workflows/ci-dependency-scan-yarn.yml

@@ -1,45 +0,0 @@
-name: Dependency Security Scan - Yarn
-
-on:
-  pull_request: 
-    branches: ['main', 'dev']
-    paths: ['ts/**', 'yarn.lock']
-  push:
-    paths: ['ts/**', 'yarn.lock']
-
-jobs:
-  trivy:
-    name: Dependency Scan
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      # Report all vulnerabilities in security tab
-      - name: Report on all vulnerabilities
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          scan-ref: 'yarn.lock'
-          ignore-unfixed: true
-          hide-progress: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          
-      # Fail the job on critical vulnerabiliies with fix available
-      - name: Fail on critical vulnerabilities
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'fs'
-          scan-ref: 'yarn.lock'
-          ignore-unfixed: true
-          hide-progress: true
-          format: 'table'
-          severity: 'CRITICAL'
-          exit-code: '1'
-
-      - name: Upload output
-        uses: github/codeql-action/upload-sarif@v2
-        if: always()
-        with:
-          sarif_file: 'trivy-results.sarif'

.github/workflows/ci-labels.yml

@@ -0,0 +1,17 @@
+name: PR Labels
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches: [dev]
+
+jobs:
+  label:
+    name: Add PR labels
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/labeler@v4
+      with:
+        repo-token: "${{ secrets.GITHUB_TOKEN }}"