v1.0.4 #185
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Build Pipeline | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| branches: | |
| - main | |
| - develop | |
| paths-ignore: | |
| - '**.md' | |
| - 'docs/**' | |
| - 'LICENSE' | |
| permissions: | |
| contents: read | |
| issues: write | |
| actions: read | |
| pull-requests: write | |
| security-events: write | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| # ============================================ | |
| # PARALLEL QUALITY CHECKS | |
| # ============================================ | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Setup Node Project | |
| uses: ./.github/actions/setup-node-project | |
| - name: Run ESLint | |
| run: npm run lint | |
| - name: YAML Lint | |
| uses: ibiqlik/action-yamllint@v3.1.1 | |
| with: | |
| file_or_dir: .github/workflows/ | |
| config_file: .yamllint.yml | |
| continue-on-error: true | |
| - name: Lint Summary | |
| run: | | |
| echo "### Lint Results" >> $GITHUB_STEP_SUMMARY | |
| echo "- ESLint: Passed" >> $GITHUB_STEP_SUMMARY | |
| type-check: | |
| name: Type Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Setup Node Project | |
| uses: ./.github/actions/setup-node-project | |
| - name: TypeScript Type Check | |
| run: npm run type-check | |
| - name: Type Check Summary | |
| run: | | |
| echo "### Type Check Results" >> $GITHUB_STEP_SUMMARY | |
| echo "TypeScript compilation: Passed" >> $GITHUB_STEP_SUMMARY | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Setup Node Project | |
| uses: ./.github/actions/setup-node-project | |
| - name: Set Timezone | |
| uses: szenius/set-timezone@v2.0 | |
| with: | |
| timezoneLinux: 'America/New_York' | |
| - name: Run Tests with Coverage | |
| run: npm test -- --coverage --coverageReporters=text --coverageReporters=lcov --coverageReporters=json-summary | |
| - name: Upload Coverage Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage-report | |
| path: coverage/ | |
| retention-days: 7 | |
| - name: Coverage Report to PR | |
| if: github.event_name == 'pull_request' | |
| uses: davelosert/vitest-coverage-report-action@v2 | |
| with: | |
| json-summary-path: coverage/coverage-summary.json | |
| json-final-path: coverage/coverage-final.json | |
| vite-config-path: '' | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| continue-on-error: true | |
| - name: Test Summary | |
| run: | | |
| echo "### Test Results" >> $GITHUB_STEP_SUMMARY | |
| echo "Unit tests: Passed" >> $GITHUB_STEP_SUMMARY | |
| if [ -f coverage/coverage-summary.json ]; then | |
| COVERAGE=$(jq -r '.total.lines.pct' coverage/coverage-summary.json 2>/dev/null || echo "N/A") | |
| echo "Line coverage: ${COVERAGE}%" >> $GITHUB_STEP_SUMMARY | |
| fi | |
| e2e-tests: | |
| name: E2E Tests | |
| needs: [lint, type-check, test] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Setup Node Project | |
| uses: ./.github/actions/setup-node-project | |
| - name: Install Playwright Browsers | |
| run: npx playwright install --with-deps chromium | |
| - name: Run E2E Tests | |
| run: npm run test:e2e | |
| - name: Upload Playwright Report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: playwright-report | |
| path: playwright-report/ | |
| retention-days: 7 | |
| - name: E2E Test Summary | |
| if: always() | |
| run: | | |
| echo "### E2E Test Results" >> $GITHUB_STEP_SUMMARY | |
| if [ -d playwright-report ]; then | |
| echo "E2E tests completed. See artifact for details." >> $GITHUB_STEP_SUMMARY | |
| fi | |
| security-audit: | |
| name: Security Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Setup Node Project | |
| uses: ./.github/actions/setup-node-project | |
| - name: NPM Audit (Critical Only) | |
| run: npm audit --audit-level=critical | |
| continue-on-error: false | |
| - name: NPM Audit Report (All Levels) | |
| run: | | |
| echo "### Security Audit" >> $GITHUB_STEP_SUMMARY | |
| echo '```' >> $GITHUB_STEP_SUMMARY | |
| npm audit --json | jq -r ' | |
| "Vulnerabilities: " + | |
| (.metadata.vulnerabilities | to_entries | map("\(.key): \(.value)") | join(", ")) | |
| ' >> $GITHUB_STEP_SUMMARY 2>/dev/null || echo "No vulnerabilities found" >> $GITHUB_STEP_SUMMARY | |
| echo '```' >> $GITHUB_STEP_SUMMARY | |
| continue-on-error: true | |
| # ============================================ | |
| # BUILD (after quality checks pass) | |
| # ============================================ | |
| build: | |
| name: Build | |
| needs: [lint, type-check, test, security-audit, e2e-tests] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Setup Node Project | |
| uses: ./.github/actions/setup-node-project | |
| - name: Build Application | |
| run: npm run build | |
| - name: Upload Build Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist-${{ github.sha }} | |
| path: dist/ | |
| retention-days: 7 | |
| - name: Build Summary | |
| run: | | |
| echo "### Build Results" >> $GITHUB_STEP_SUMMARY | |
| echo "Build: Passed" >> $GITHUB_STEP_SUMMARY | |
| echo "Artifact: dist-${{ github.sha }}" >> $GITHUB_STEP_SUMMARY | |
| # ============================================ | |
| # SECURITY SCANS (after build) | |
| # ============================================ | |
| secrets-scan: | |
| name: Secrets Scan | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: TruffleHog Secrets Scan | |
| uses: trufflesecurity/trufflehog@v3.88.0 | |
| - name: Secrets Scan Summary | |
| if: success() | |
| run: | | |
| echo "### Secrets Scan" >> $GITHUB_STEP_SUMMARY | |
| echo "TruffleHog: No secrets detected" >> $GITHUB_STEP_SUMMARY | |
| codeql: | |
| name: CodeQL | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: javascript-typescript | |
| queries: security-extended | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v3 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: '/language:javascript-typescript' | |
| # ============================================ | |
| # DEPENDENCY REVIEW (PRs only) | |
| # ============================================ | |
| dependency-review: | |
| name: Dependency Review | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@v4 | |
| with: | |
| fail-on-severity: critical | |
| comment-summary-in-pr: always |