feat(docker): add focused E2E scripts and resource limits override #164
| name: CI | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| gitleaks: | |
| name: Secret Scanning | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run Gitleaks | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| env: | |
| NEXT_PUBLIC_DEPLOY_URL: ${{ vars.NEXT_PUBLIC_DEPLOY_URL }} | |
| NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }} | |
| NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }} | |
| SUPABASE_SERVICE_ROLE_KEY: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY }} | |
| TEST_USER_PRIMARY_PASSWORD: ${{ secrets.TEST_USER_PRIMARY_PASSWORD }} | |
| strategy: | |
| matrix: | |
| node-version: ['22'] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10.16.1 | |
| - name: Setup Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| cache: 'pnpm' | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Security audit | |
| # Only fail on high/critical - low severity elliptic has no patch available | |
| run: pnpm audit --audit-level=high | |
| - name: Check for SQL injection patterns | |
| run: | | |
| echo "Checking for unsafe SQL interpolation patterns in test files..." | |
| # Pattern: '${variable}' without escapeSQL nearby | |
| # This finds lines with template literal SQL that don't use escapeSQL | |
| # Exclusions: | |
| # - escapeSQL/safe* variables: properly escaped values | |
| # - database-setup.test.ts: uses hardcoded constant table names only | |
| # - node_modules: third-party code | |
| UNSAFE_PATTERNS=$(grep -rn "'\\\${" tests/ | grep -v "escapeSQL\|safeUserId\|safeEmail\|safePassword\|safeAdminId" | grep -v "database-setup.test.ts" | grep -v "node_modules" || true) | |
| if [ -n "$UNSAFE_PATTERNS" ]; then | |
| echo "ERROR: Found potentially unsafe SQL interpolation patterns:" | |
| echo "$UNSAFE_PATTERNS" | |
| echo "" | |
| echo "All SQL string interpolation must use escapeSQL() or safe* variables." | |
| echo "See docs/specs/047-test-security for details." | |
| exit 1 | |
| fi | |
| echo "SQL injection check passed - all interpolations use escapeSQL" | |
| - name: Generate project configuration | |
| run: node scripts/detect-project.js | |
| - name: Run linter | |
| run: pnpm lint | |
| - name: Type check | |
| run: pnpm type-check | |
| - name: Run tests (batched to avoid OOM) | |
| run: ./scripts/test-batched-full.sh | |
| - name: Build application | |
| run: pnpm build | |
| - name: Build Storybook | |
| run: pnpm build-storybook |
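Review bot: The job-level `env` at the top of the `test` job exposes `SUPABASE_SERVICE_ROLE_KEY`, `TEST_USER_PRIMARY_PASSWORD` and the other secrets to every step in the job, including `pnpm install --frozen-lockfile` (which executes dependency lifecycle scripts), `node scripts/detect-project.js` and the build steps, not just the step that runs the tests; moving those five entries to a step-level `env:` on the "Run tests (batched to avoid OOM)" step limits which code can read them. The workflow declares no `permissions:` block, so `GITHUB_TOKEN` receives the repository's default scope; a top-level `permissions:` with `contents: read` (widened only to whatever gitleaks-action's documentation requires) is the least-privilege default. The third-party actions are referenced by mutable tags (`actions/checkout@v4`, `gitleaks/gitleaks-action@v2`, `pnpm/action-setup@v4`); pinning each to a full commit SHA with the tag kept in a trailing comment makes the run reproducible and resistant to tag retargeting. The "Check for SQL injection patterns" step matches only the `'${` form and drops any line that mentions `escapeSQL` even if a second interpolation on that line is unescaped, so its leading comment should state that it is a heuristic for single-quoted template interpolations rather than a complete check.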