palimpsest-license/.github/workflows/rescript-deno-ci.yml at 43aeb246137a8df8f2803a99c215326b659aeec2 · hyperpolymath/palimpsest-license · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# SPDX-License-Identifier: AGPL-3.0-or-later
name: ReScript/Deno CI
on: [push, pull_request]

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
      - uses: denoland/setup-deno@5fae568d37c3b73af83a7b2d7a470f665c7af640 # v2
        with:
          deno-version: v2.x

      - name: Deno lint
        run: deno lint || true

      - name: Deno fmt check
        run: deno fmt --check || true

      - name: Deno test
        run: deno test --allow-all --coverage=coverage || true

      - name: ReScript build
        run: |
          if [ -f "rescript.json" ] || [ -f "bsconfig.json" ]; then
            # Use Deno's npm compatibility instead of npm/npx
            deno run --allow-read --allow-write --allow-env npm:rescript build
          fi

      - name: Type check
        run: |
          if compgen -G "**/*.ts" > /dev/null 2>&1; then
            deno check **/*.ts || true
          fi

  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
      - uses: denoland/setup-deno@5fae568d37c3b73af83a7b2d7a470f665c7af640 # v2
      - name: Check permissions
        run: |
          # Audit for dangerous permissions
          grep -rE "allow-run|allow-write|allow-env" . || echo "No dangerous permissions found"