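---
# GitHub Actions workflow: test and security run on every push/PR to main;
# release runs only after both succeed on a push to main.
name: CI

# Workflow-wide default token scope. A job-level `permissions` block replaces
# (does not extend) this default for that job; `test` declares none and so
# runs with the read-only token.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy -- `on` is the Actions trigger key, not a boolean
  push:
    branches:
      - main
    tags:
      - 'v*'
  pull_request:
    branches:
      - main

# NOTE(review): every `uses:` below resolves a mutable major-version tag at
# run time. Pinning each action to a full commit SHA (tag kept in a trailing
# comment) makes the resolved code reproducible; no SHAs are recorded in this
# file, so the tags are kept as written.
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 'lts/*'  # Match Dockerfile
          cache: 'npm'
      - name: Setup Just
        uses: extractions/setup-just@v3
      - name: Install dependencies
        run: npm ci
      - name: Run all checks (format, lint, build, test)
        run: just all  # Uses justfile for consistency
      - name: Upload coverage reports artifact
        uses: actions/upload-artifact@v6
        with:
          name: coverage-report-${{ github.run_id }}  # Unique name per run
          path: coverage/
        if: always()  # Upload even if previous steps fail
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          # fail_ci_if_error: true  # Optional: fail CI if upload fails

  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # Needed for checkout and CodeQL
      security-events: write  # Needed for CodeQL alert uploads
      # NOTE(review): on pull_request runs from forks the token is read-only
      # regardless of this block, so the CodeQL upload may fail there -- confirm
      # against the repository's fork-PR settings.
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 'lts/*'  # Match Dockerfile and test job
          cache: 'npm'
      - name: Setup Just
        uses: extractions/setup-just@v3
      - name: Install dependencies
        run: npm ci
      - name: Run Security Checks (Audit, Licenses)
        run: just security  # Uses justfile, includes npm audit and license-checker
        # Deliberate best-effort: a failing audit does not fail this job, so
        # `release` (needs: security) is gated on CodeQL completing, not on the
        # audit result. Drop this line if audit findings should block releases.
        continue-on-error: true  # Allow workflow to continue even if npm audit finds vulnerabilities
      # Static code analysis with CodeQL (Keep separate as it's not in justfile)
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        # Auto-detect languages: javascript, typescript
        # queries: +security-extended  # Optional: run more queries
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4

  release:
    name: Release
    runs-on: ubuntu-latest
    needs: [test, security]  # Run after test and security checks pass
    # Run only on pushes to main, not on tags (semantic-release creates tags)
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    # These scopes apply to the built-in GITHUB_TOKEN only. The Semantic Release
    # step substitutes secrets.RELEASE_TOKEN, whose rights come from that token
    # itself and are not limited by this block.
    permissions:
      contents: write  # Allow tagging, committing package.json/changelog/version.ts
      issues: write  # Allow commenting on issues/PRs
      pull-requests: write  # Allow commenting on issues/PRs
      id-token: write  # Needed for provenance publishing to npm (alternative to NPM_TOKEN)
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false  # Keep the checkout token out of .git/config; later steps use RELEASE_TOKEN explicitly
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 'lts/*'  # Match Dockerfile and other jobs
          cache: 'npm'
      - name: Install all dependencies
        run: npm ci --include=dev
      # Docker setup steps (Still needed for the environment where the action runs)
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@v6
        with:
          # Add the docker plugin to extra_plugins
          extra_plugins: |
            @semantic-release/changelog
            @semantic-release/exec
            @semantic-release/git
            @codedependant/semantic-release-docker
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}  # Use dedicated release token if needed
          # Docker login is handled by the login-action step above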