toptal · KartalJelena · Aug 20, 2025 · Aug 20, 2025 · Aug 21, 2025 · Aug 21, 2025
@@ -0,0 +1,104 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  lint_typescript:
+    name: Lint and Typescript checks
+    uses: ./.github/workflows/lint-typescript.yml
+    secrets: inherit
+
+  unit_tests:
+    name: Unit tests
+    uses: ./.github/workflows/unit.yml
+    secrets: inherit
+
+  e2e_tests:
+    name: End-to-end tests
+    uses: ./.github/workflows/e2e.yml
+    secrets: inherit
+
+  secrets_scan:
+    name: Secrets scan
+    uses: ./.github/workflows/secrets-scan.yml
+    secrets: inherit
+
+  notify_slack_success:
+    name: Notify success status to Slack
+    runs-on: ubuntu-latest
+    if: success() && github.ref == 'refs/heads/master' && github.event_name == 'push'
+    needs: [lint_typescript, unit_tests, e2e_tests, secrets_scan]
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+    steps:
+      - name: GSM Secrets
+        id: secrets_manager
+        uses: toptal/actions/gsm-secrets@main
+        with:
+          workload_identity_provider: projects/858873486241/locations/global/workloadIdentityPools/gha-pool/providers/github-com
+          service_account: gha-keycodes@toptal-ci.iam.gserviceaccount.com
+          secrets_name: |-
+            SLACK_MARKETING_TOOLS_2_RELEASES_WEBHOOK:toptal-ci/SLACK_MARKETING_TOOLS_2_RELEASES_WEBHOOK
+            SLACK_TEST_PUB_BOT_WEBHOOK:toptal-ci/SLACK_TEST_PUB_BOT_WEBHOOK
+
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/actions/expose-json-outputs@main
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - uses: toptal/slack-workflow-status@master
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          slack_webhook_url: ${{ steps.parse_secrets.outputs.SLACK_MARKETING_TOOLS_2_RELEASES_WEBHOOK }}
+          name: gha-bot
+          icon_url: https://avatars.slack-edge.com/2021-05-17/2068859221653_526c61e414df90dd67f7_192.png
+          include_jobs: on-failure
+          display_only_failed: true
+          include_commit_message: true
+
+  notify_slack_failure:
+    name: Notify failure status to Slack
+    runs-on: ubuntu-latest
+    if: (failure() || cancelled()) && github.ref == 'refs/heads/master' && github.event_name == 'push'
+    needs: [lint_typescript, unit_tests, e2e_tests, secrets_scan]
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+    steps:
+      - name: GSM Secrets
+        id: secrets_manager
+        uses: toptal/actions/gsm-secrets@main
+        with:
+          workload_identity_provider: projects/858873486241/locations/global/workloadIdentityPools/gha-pool/providers/github-com
+          service_account: gha-keycodes@toptal-ci.iam.gserviceaccount.com
+          secrets_name: |-
+            SLACK_MARKETING_TOOLS_2_BULLHORN_WEBHOOK:toptal-ci/SLACK_MARKETING_TOOLS_2_BULLHORN_WEBHOOK
+            SLACK_TEST_PUB_BOT_WEBHOOK:toptal-ci/SLACK_TEST_PUB_BOT_WEBHOOK
+
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/actions/expose-json-outputs@main
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - uses: toptal/slack-workflow-status@master
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          slack_webhook_url: ${{ steps.parse_secrets.outputs.SLACK_MARKETING_TOOLS_2_BULLHORN_WEBHOOK }}
+          name: gha-bot
+          icon_url: https://avatars.slack-edge.com/2021-05-17/2068859221653_526c61e414df90dd67f7_192.png
+          include_jobs: on-failure
+          display_only_failed: true
+          include_commit_message: true
+
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up steps
         uses: ./.github/actions/setup-steps
@@ -46,7 +46,7 @@ jobs:
           yarn nyc report --temp-dir test-coverage/temp --reporter html --report-dir test-coverage/coverage-report-all
 
       - name: Save combined coverage report
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: coverage-report-all
           path: test-coverage/coverage-report-all

@@ -3,7 +3,7 @@ name: End-to-end tests
 on:
   push:
     branches: [main]
-  pull_request:
+  workflow_call:
 
 jobs:
   e2e_tests:
@@ -19,7 +19,7 @@ jobs:
         with:
           access_token: ${{ github.token }}
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up steps
         uses: ./.github/actions/setup-steps
@@ -37,22 +37,22 @@ jobs:
 
       - name: Upload Playwright HTML report
         if: failure()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: playwright-e2e-tests-report
           path: reports/index.html
           retention-days: 1
 
       - name: Upload Playwright failure screenshots
         if: failure()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: e2e-tests-failure-screenshots
           path: screenshots
           retention-days: 1
 
       - name: Upload test coverage HTML report
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: e2e-coverage-report
           path: test-coverage/e2e

@@ -3,7 +3,7 @@ name: Lint and Typescript
 on:
   push:
     branches: [main]
-  pull_request:
+  workflow_call:
 
 jobs:
   lint_typescript:
@@ -16,7 +16,7 @@ jobs:
         with:
           access_token: ${{ github.token }}
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up steps
         uses: ./.github/actions/setup-steps

@@ -0,0 +1,39 @@
+name: Secrets Scan
+
+on:
+  workflow_call:
+
+jobs:
+  specs:
+    name: Secrets scan
+    runs-on: squad-growth-ubuntu2204-x64-standard
+    permissions: write-all
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get the secrets from GSM
+        id: secrets_manager
+        uses: toptal/actions/gsm-secrets@v1.0.2
+        with:
+          workload_identity_provider: projects/858873486241/locations/global/workloadIdentityPools/gha-pool/providers/github-com
+          service_account: gha-keycodes@toptal-ci.iam.gserviceaccount.com
+          secrets_name: |-
+            SLACK_BOT_TOKEN:toptal-ci/SLACK_BOT_TOKEN
+
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/actions/expose-json-outputs@v1.0.2
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - name: Secrets Scan
+        uses: toptal/actions/secret-scanning-action@main
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          full-scan: true
+          slack-channel: -marketing-tools-2-releases
+          slack-token: ${{ steps.parse_secrets.outputs.SLACK_BOT_TOKEN }}
+
@@ -3,7 +3,7 @@ name: Unit tests
 on:
   push:
     branches: [main]
-  pull_request:
+  workflow_call:
 
 jobs:
   unit_tests:
@@ -26,14 +26,14 @@ jobs:
 
       - name: Upload Jest HTML report
         if: failure()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: jest-unit-tests-report
           path: reports/jest-report-unit.html
           retention-days: 1
 
       - name: Upload unit tests coverage report
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: jest-unit-coverage-report
           path: test-coverage/unit