build(deps-dev): bump @eslint/js from 9.39.2 to 10.0.1 #830
# CI workflow: runs the test jobs on pushes and pull requests.
name: Tests

on:
  # Direct pushes to the protected branches.
  push:
    branches:
      - main
      - 'release/*'
  # Ordinary PRs. For PRs from forks GitHub withholds repository secrets
  # from these runs.
  pull_request:
    branches:
      - main
      - 'release/*'
  # Use pull_request_target to run on automated PRs.
  # This event runs in the base repository's context, with its secrets, so
  # every job in this file gates it with a job-level `if`.
  pull_request_target:
    branches:
      - main
    types:
      - opened
      - synchronize
      - reopened

# Default GITHUB_TOKEN scope for every job: read-only repository contents.
permissions:
  contents: read
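jobs:
  # Runs the unit-test suite with coverage and uploads the report to Codecov.
  unit-tests:
    runs-on: ubuntu-latest
    # Security gate: push and pull_request runs always proceed.
    # pull_request_target runs (which have access to repository secrets)
    # proceed only for PRs opened by the release-automation bot from a
    # 'version-bump-*' branch. The user.login comparison is the trust check;
    # the branch name is chosen by whoever opens the PR and is not a trust
    # signal on its own.
    if: |
      github.event_name != 'pull_request_target' ||
      (startsWith(github.event.pull_request.head.ref, 'version-bump-') && github.event.pull_request.user.login == 'ghostclass-release-automation[bot]')
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # SECURITY: what is checked out, per event:
          #   pull_request        -> the PR head SHA (the proposed changes)
          #   pull_request_target -> github.sha, i.e. the base-branch commit,
          #                          so only already-trusted code runs in a
          #                          context that has secrets
          #   push                -> github.sha, the pushed commit
          # Consequence: a pull_request_target run exercises the base branch,
          # not the PR's changes, so a green result from it does not validate
          # the PR. Do not point this ref at the PR head for
          # pull_request_target: later steps (npm ci, test scripts) would then
          # execute PR-controlled code with secrets available.
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
          # No later step needs git credentials; do not leave the token
          # available to scripts run from the checked-out tree.
          persist-credentials: false
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
        with:
          node-version: '20.19.0'
          cache: 'npm'
      # npm ci installs exactly what package-lock.json records.
      - name: Install dependencies
        run: npm ci
      - name: Run unit tests with coverage
        run: npm run test:coverage
      # CODECOV_TOKEN is the only repository secret this job references.
      # It is empty on pull_request runs from forks; fail_ci_if_error: false
      # keeps an upload failure from failing the job.
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
        with:
          files: ./coverage/lcov.info
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: false

  # Runs the Playwright end-to-end suite against Chromium only.
  e2e-tests:
    runs-on: ubuntu-latest
    # Security gate: same rule as unit-tests. pull_request_target runs are
    # limited to PRs opened by the release-automation bot; user.login is the
    # trust check, the branch-name prefix is only a filter.
    if: |
      github.event_name != 'pull_request_target' ||
      (startsWith(github.event.pull_request.head.ref, 'version-bump-') && github.event.pull_request.user.login == 'ghostclass-release-automation[bot]')
    env:
      # Mock environment variables for E2E tests.
      # These are placeholder values committed in plain text; keep real
      # credentials out of this block and reference them through secrets.
      ENCRYPTION_KEY: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
      CRON_SECRET: "test-cron-secret"
      NEXT_PUBLIC_SUPABASE_URL: "https://test.supabase.co"
      NEXT_PUBLIC_SUPABASE_ANON_KEY: "test-anon-key"
      SUPABASE_SERVICE_ROLE_KEY: "test-service-role-key"
      UPSTASH_REDIS_REST_URL: "https://test.upstash.io"
      UPSTASH_REDIS_REST_TOKEN: "test-token"
      BREVO_API_KEY: "test-brevo-key"
      # NOTE(review): these look like Turnstile dummy test keys; confirm.
      NEXT_PUBLIC_TURNSTILE_SITE_KEY: "1x000000000000000000000AA"
      TURNSTILE_SECRET_KEY: "1x0000000000000000000000000000000AA"
      NEXT_PUBLIC_APP_URL: "http://localhost:3000"
      NEXT_PUBLIC_APP_DOMAIN: "localhost"
      NEXT_PUBLIC_APP_EMAIL: "@localhost.com"
      SENTRY_AUTH_TOKEN: "test-sentry-token"
      NEXT_PUBLIC_SENTRY_DSN: "https://test@sentry.io/123456"
      NODE_ENV: "test"
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # SECURITY: pull_request checks out the PR head SHA; every other
          # event (push, pull_request_target) checks out github.sha. For
          # pull_request_target that is the base-branch commit, so the run
          # tests trusted base code and does not validate the PR's changes.
          # Do not point this ref at the PR head for pull_request_target.
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
          # No later step needs git credentials; do not leave the token
          # available to scripts run from the checked-out tree.
          persist-credentials: false
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
        with:
          node-version: '20.19.0'
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      # Read the locked Playwright version so the browser cache key changes
      # whenever the dependency is bumped.
      - name: Get Playwright version
        id: playwright-version
        run: |
          PLAYWRIGHT_VERSION=$(node -p "require('./package-lock.json').packages['node_modules/@playwright/test'].version")
          echo "PLAYWRIGHT_VERSION=$PLAYWRIGHT_VERSION" >> "$GITHUB_OUTPUT"
      - name: Cache Playwright browsers
        # TODO: record the release tag this SHA corresponds to, as the other
        # pinned actions in this file do.
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
          key: playwright-${{ runner.os }}-${{ steps.playwright-version.outputs.PLAYWRIGHT_VERSION }}
      # Cache miss: download Chromium and its OS packages.
      - name: Install Playwright Chromium only
        run: npx playwright install --with-deps chromium
        if: steps.playwright-cache.outputs.cache-hit != 'true'
      # Cache hit: the browser is restored, but the OS packages still have to
      # be installed on the fresh runner.
      - name: Install Chromium dependencies (cache hit)
        run: npx playwright install-deps chromium
        if: steps.playwright-cache.outputs.cache-hit == 'true'
      - name: Run E2E tests (Chromium only)
        run: npm run test:e2e -- --project=chromium
      # always(): keep the report even when the tests fail. Only the
      # playwright-report/ directory is uploaded, not the whole workspace.
      - name: Upload test results
        if: always()
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
        with:
          name: playwright-report
          path: playwright-report/
          retention-days: 30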