Getting Started with Danger JS

So, you’re ready to get set up? You have two options, go through this tutorial or run yarn add danger --dev; yarn danger init inside your project file then come back for the CI integration once you’re done. Or just get started below.

There are 5 steps involved in getting Danger running:

• Include the Danger module.
• Creating a Dangerfile and add a few simple rules.
• Creating an account for Danger to use.
• Setting up an access token for Danger with that account.
• Setting up Danger to run on your CI.

#Including Danger

We recommend you install Danger via Yarn. Though you can use the npm CLI.

#Installation

Adding the Danger module by yarn add danger --dev. This will add Danger as a devDependency and make the command danger available by running yarn danger.

#Creating a Dangerfile

Create either a new file, either dangerfile.js or dangerfile.ts will be picked up automatically. Otherwise you can use an argument to pass in a custom file.

To get yourself started, try this as your Dangerfile:

import {message, danger} from "danger"

const modifiedMD = danger.git.modified_files.join("- ")
message("Changed Files in this PR: \n - " + modifiedMD)

It will output the list of modified files for your current PR once you have your authentication set up below.

For a deeper understanding of using a Dangerfile, see the guide The Dangerfile

#Creating a bot account for Danger to use

This is optional. Pragmatically, you want to do this though.

#GitHub

In order to get the most out of Danger, we recommend giving it the ability to post comments in your Pull Requests. This is a regular GitHub account, but depending on whether you are working on a private or public project, you will want to give different levels of access to this bot. You are allowed to have one bot per GitHub account.

To get started, open https://github.com in a private browser session.

#OSS Projects

Do not add the bot to your repo or to your organization.

#Closed Source Projects

Add the bot to your repo or to your organization. The bot requires permission level “Write” to be able to set a PR’s status. Note that you should not re-use this bot for OSS projects.

#Setting up an Access Token

Here’s the link, you should open this in the private session where you just created the new GitHub account. Again, the rights that you give to the token depend on the openness of your projects. You’ll want to save this token for later, when you add a DANGER_GITHUB_API_TOKEN to your CI.

#Tokens for OSS Projects

We recommend giving the token the smallest scope possible. This means just public_repo, this scope is still ideally too much but this account shouldn’t have any access to other repos or organizations - so malicious use of the token is scoped to making new repos on it, or writing comments on other OSS projects. Because the token can be quite easily be extracted from the CI environment, this minimizes the chance for bad actors to cause chaos with it.

#Tokens for Closed Source Projects

We recommend giving access to the whole repo scope, and its children.

#Enterprise GitHub

You can work with GitHub Enterprise by setting 2 environment variables:

• DANGER_GITHUB_HOST to the host that GitHub is running on.
• DANGER_GITHUB_API_BASE_URL or GITHUB_URL to the host that the GitHub Enterprise API is reachable on.

For example:

DANGER_GITHUB_HOST=git.corp.evilcorp.com
DANGER_GITHUB_API_BASE_URL=https://git.corp.evilcorp.com/api/v3

#GitLab

To get the most out of Danger, we recommend giving her the ability to post comments in your Merge Requests. This is a regular GitLab account, but depending on whether you are working on a private or public project, you will want to give different levels of access to this bot.

To get started, open https://gitlab.com (or your GitLab instance) in a private browser session.

#OSS Projects

Do not add the bot to your project or to your group.

#Closed Source Projects

Add the bot to your private project or to your private group with the “Reporter” permission level. Note that you should not re-use this bot for OSS projects. As the access token you use could be extracted and would give access to your closed source projects.

#Setting up an Access Token

Here’s the link, you should open this in the private session where you have just created the new GitLab account. You’ll want to copy the token for later, when you add a DANGER_GITLAB_API_TOKEN to your CI.

If you are self hosting GitLab, you’ll need to generate an access token for the bot user. You can find the section under “Access Tokens” in the bot user’s profile.

#Self-hosted GitLab

To let Danger know the API details around your custom setup, you need to set two env variables:

DANGER_GITLAB_HOST to the host that GitLab is running on.

DANGER_GITLAB_API_BASE_URL to the host that the GitLab API is reachable on.

For example:

DANGER_GITLAB_HOST=git.corp.evilcorp.com
DANGER_GITLAB_API_BASE_URL=https://git.corp.evilcorp.com/api/v4

#BitBucket Server

To use Danger JS with BitBucket Server, you’ll need to create a new account for Danger to use, then set the following environment variables on your CI:

• DANGER_BITBUCKETSERVER_HOST = The root URL for your server, e.g. https://bitbucket.mycompany.com.
• DANGER_BITBUCKETSERVER_USERNAME = The username for the account used to comment.
• DANGER_BITBUCKETSERVER_PASSWORD = The password for the account used to comment.

This account is then used to provide feedback on your PRs.

#Continuous Integration

Continuous Integration is the process of regularly running tests and generating metrics for a project. It is where you can ensure that the code you are submitting for review is passing on all of the tests. You commonly see this as green or red dots next to commits.

Danger is built to run as a part of this process, so you will need to have this set up as a pre-requisite.

#Setting up Danger to run on your CI

- cd $APPCENTER_SOURCE_DIRECTORY
- npm install -g danger
- swift build
- swift run danger-swift ci

image: node:10.15.0
pipelines:
pull-requests:
"**":
- step:
caches:
- node
script:
- export LANG="C.UTF-8"
- yarn install
- yarn danger ci
definitions:
caches:
node: node_modules

image: node:10.15.0
pipelines:
pull-requests:
"**":
- step:
caches:
- node
script:
- export LANG="C.UTF-8"
- yarn install
- yarn danger ci
definitions:
caches:
node: node_modules

workflows:
<your_workflow_name>:
steps:
- yarn:
inputs:
- args: ci
- command: danger
is_always_run: true

echo "--- Running Danger"
yarn danger ci

- run:
name: Danger
command: yarn danger ci

danger_script:
- yarn danger ci

Danger:
title: Run Danger
image: node:latest
working_directory: ${{main_clone}}
entry_point: '/bin/bash'
cmd:
- '-ce'
- |
npm install -g yarn
yarn add danger --dev
yarn danger ci --failOnErrors
when:
steps:
- name: main_clone
on:
- success

- type: parallel:
...
- name: danger
service: web
command: yarn danger ci

project_name:
...
environment:
- DANGER_GITHUB_API_TOKEN=[my_token]

build:
image: golang
commands:
- ...
- yarn danger ci

...

CMD ["yarn", "danger", "ci"]

sut:
...
environment:
- DANGER_GITHUB_API_TOKEN=[my_token]

build:
image: golang
commands:
- ...
- yarn danger ci

name: Node CI
on: [pull_request]

jobs:
test:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@master
- name: Use Node.js 10.x
uses: actions/setup-node@v1
with:
node-version: 10.x
- name: install yarn
run: npm install -g yarn
- name: yarn install, build, and test
run: |
yarn install  --frozen-lockfile
yarn build
yarn test
- name: Danger
run: yarn danger ci
env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

name: "Danger JS"
on: [pull_request]

jobs:
build:
name: Danger JS
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Danger
uses: danger/danger-js@9.1.6
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- uses: danger/...
with:
args: "--dangerfile artsy/peril-settings/org/allPRs.ts"

- name: Danger JS
uses: danger/danger-js@9.1.6
env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Danger JS
uses: danger/danger-js@9.1.6
env: DANGER_GITHUB_API_TOKEN: ${{ secrets.DANGER_GITHUB_API_TOKEN }}

- name: Set danger env
run: echo "DANGER_GITHUB_API_TOKEN=$(echo FIRST_HALF + SECOND_HALF)" >> $GITHUB_ENV

- name: Run Danger
run: yarn danger ci
env:
DANGER_GITHUB_API_TOKEN: ${{ env.DANGER_GITHUB_API_TOKEN }}

on:
pull_request_target:
types: [assigned, opened, synchronize, reopened]

jobs:
build:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1
- uses: actions/setup-node@v1
- run: yarn install

- run: yarn danger ci
env:
DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}

jobs:
danger:
requires: [~pr, ~commit]
steps:
- setup: yarn install
- danger: yarn danger ci
secrets:
- DANGER_GITHUB_API_TOKEN

before_script:
- yarn danger ci

#Verify Installation

You should be able to verify that you have successfully integrated Danger by either re-building your CI or pushing your new commits.

#What now?

There are a few of places you can go from here. We’d recommending opening tabs on all these articles:

• The Dangerfile.
• Cultural Changes of Danger.
• The Dangerfile API reference.

Then depending on the type of project you are working on, checking out either Danger + Node App, or Danger + Node Library. These should give you good overview of what is possible from here, then it’s really up to you to find how you can codify some aspects of your team’s culture.

Good luck!