fix: update npm dependencies to resolve 4 high/medium vulnerabilities #227
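# CI workflow: lint and test on every push / pull request to main, then, on
# pushes to main only, build and push the three container images and publish
# the Helm chart to GHCR.
#
# NOTE(review): every third-party action below is referenced by a mutable
# major-version tag (@v3/@v4/@v5/@v6). A retagged or compromised upstream
# release would run with this workflow's token; pinning each `uses:` to a full
# commit SHA (kept current by Dependabot/Renovate) removes that exposure.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Default token scope for every job. Jobs that publish artifacts widen it
# explicitly; lint and test only need to read the repository.
permissions:
  contents: read

env:
  PYTHON_VERSION: "3.12"
  UV_CACHE_DIR: /tmp/.uv-cache

jobs:
  lint:
    name: 'Lint & Type Check'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step needs git credentials, so do not leave the token in
          # .git/config where installed dependencies or tools could read it.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v4
        with:
          enable-cache: true
          cache-dependency-glob: "uv.lock"

      - name: Set up Python
        run: uv python install ${{ env.PYTHON_VERSION }}

      - name: Install dependencies
        run: uv sync --all-packages

      - name: Run ruff check
        run: uv run ruff check .

      - name: Run ruff format check
        run: uv run ruff format --check .

      # NOTE(review): `uvx ty` resolves whatever version is current at run
      # time, outside uv.lock. Consider pinning the version so the type check
      # is reproducible and not affected by an unexpected upstream release.
      - name: Run ty check
        run: uvx ty check

  test:
    name: Test
    runs-on: ubuntu-latest
    services:
      postgres:
        # NOTE(review): `:latest` is a mutable tag; pinning the image by
        # digest would make test runs reproducible and tamper-evident.
        image: ghcr.io/mayflower/pg4ai:latest
        env:
          # Throwaway credentials for the ephemeral service container only.
          # Never reuse these values for a real database.
          POSTGRES_USER: contextmine
          POSTGRES_PASSWORD: contextmine
          POSTGRES_DB: contextmine
        ports:
          - "5432:5432"
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
        with:
          # Tests execute repository and dependency code; keep the token out
          # of the working tree.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v4
        with:
          enable-cache: true
          cache-dependency-glob: "uv.lock"

      - name: Set up Python
        run: uv python install ${{ env.PYTHON_VERSION }}

      - name: Install dependencies
        run: uv sync --all-packages

      - name: Run migrations
        working-directory: packages/core
        env:
          DATABASE_URL: postgresql+asyncpg://contextmine:contextmine@localhost:5432/contextmine
        run: uv run alembic upgrade head

      - name: Run tests
        env:
          DATABASE_URL: postgresql+asyncpg://contextmine:contextmine@localhost:5432/contextmine
          DEBUG: "true"
        run: uv run pytest -v

  build:
    name: 'Build & Push Containers'
    runs-on: ubuntu-latest
    needs: [lint, test]
    # Publishing is restricted to pushes on main, so pull requests (including
    # those from forks) never reach a job holding `packages: write`.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        include:
          - name: api
            dockerfile: apps/api/Dockerfile
            context: .
          - name: worker
            dockerfile: apps/worker/Dockerfile
            context: .
          - name: web
            dockerfile: apps/web/Dockerfile
            context: ./apps/web
    steps:
      - uses: actions/checkout@v4
        with:
          # Registry login uses GITHUB_TOKEN directly; git does not need it,
          # and it must not end up inside a Docker build context.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}-${{ matrix.name }}
          # `type=sha` gives an immutable, traceable tag per commit; `latest`
          # is a moving pointer and should not be what deployments pin to.
          tags: |
            type=sha
            type=raw,value=latest

      - name: Build and push ${{ matrix.name }}
        uses: docker/build-push-action@v6
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  helm:
    name: Publish Helm Chart
    runs-on: ubuntu-latest
    needs: [lint, test]
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Helm
        uses: azure/setup-helm@v4

      # The token and actor are handed to the shell through environment
      # variables instead of being expanded into the script text by `${{ }}`.
      # Expression expansion happens before the shell parses the line, so any
      # shell metacharacter in an expanded value would be interpreted as code.
      - name: Log in to GHCR
        env:
          GHCR_USER: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: echo "$GHCR_TOKEN" | helm registry login ghcr.io -u "$GHCR_USER" --password-stdin

      - name: Package Helm chart
        run: helm package deploy/helm/contextmine

      # `github.repository_owner` is kept as an expression here; it is set by
      # GitHub from the repository's owner, not from event payload text.
      - name: Push Helm chart to GHCR
        run: helm push contextmine-*.tgz oci://ghcr.io/${{ github.repository_owner }}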