homeMaker Vision Alignment: strip dev UI, home AI agent, product identity #133
| # SECURITY: This workflow is hardened against fork PR attacks. See docs/security/ci-hardening.md | |
| name: Checks | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| - staging | |
| - dev | |
| workflow_dispatch: | |
| inputs: | |
| ref: | |
| description: 'Branch or SHA to run checks against' | |
| required: false | |
| default: '' | |
| schedule: | |
| # Run weekly on Mondays at 9 AM UTC (security audit) | |
| - cron: '0 9 * * 1' | |
| permissions: read-all | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| checks: | |
| runs-on: namespace-profile-protolabs-linux | |
| if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - name: Setup project | |
| uses: ./.github/actions/setup-project | |
| with: | |
| check-lockfile: 'true' | |
| skip-native-rebuild: 'true' | |
| - name: Check formatting | |
| run: npm run format:check | |
| - name: Lint UI | |
| run: npm run lint:ui | |
| - name: Lint Server (import safety) | |
| run: npm run lint:server | |
| - name: Build shared packages | |
| run: npm run build:packages | |
| - name: Typecheck | |
| run: npm run typecheck | |
| - name: Run npm audit | |
| continue-on-error: true | |
| run: npm audit --audit-level=high --omit=dev | |
| - name: Validate Dockerfile dependencies | |
| run: | | |
| echo "Checking Dockerfile npm script references..." | |
| SCRIPTS=$(grep -oP 'npm run \K[\w:-]+' Dockerfile | sort -u) | |
| MISSING="" | |
| for script in $SCRIPTS; do | |
| if ! node -e "const p=require('./package.json'); if(!p.scripts['$script']) process.exit(1)" 2>/dev/null; then | |
| MISSING="$MISSING $script" | |
| fi | |
| done | |
| if [ -n "$MISSING" ]; then | |
| echo "ERROR: Dockerfile references missing npm scripts:$MISSING" | |
| exit 1 | |
| fi | |
| echo "All Dockerfile script references valid: $SCRIPTS" | |
| echo "Checking Dockerfile COPY sources exist..." | |
| # Validate that all libs referenced in Dockerfile package.json COPYs exist | |
| LIBS_COPIED=$(grep -oP 'COPY libs/\K[^/]+' Dockerfile | sort -u) | |
| LIBS_ACTUAL=$(ls -d libs/*/package.json 2>/dev/null | xargs -I{} dirname {} | xargs -I{} basename {} | sort -u) | |
| MISSING_LIBS="" | |
| for lib in $LIBS_ACTUAL; do | |
| if ! echo "$LIBS_COPIED" | grep -q "^${lib}$"; then | |
| MISSING_LIBS="$MISSING_LIBS $lib" | |
| fi | |
| done | |
| if [ -n "$MISSING_LIBS" ]; then | |
| echo "WARNING: libs not in Dockerfile base COPY:$MISSING_LIBS" | |
| echo "Add COPY libs/<name>/package*.json entries to Dockerfile base stage" | |
| exit 1 | |
| fi | |
| echo "All libs have Dockerfile COPY entries" |
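Review bot: The `workflow_dispatch` input `ref` declared under `inputs:` is never consumed — the Checkout step passes no `ref`, so a manual run asked for a 'Branch or SHA to run checks against' silently checks out the default ref instead; add under the checkout `uses:` line `with:` / `ref: ${{ inputs.ref }}` (the expression is empty on push/pull_request/schedule events, which preserves the current default checkout). Separately, the `Run npm audit` step carries `continue-on-error: true`, so the step the cron comment labels the weekly security audit can never fail the workflow and its findings only surface to whoever reads the log; if the scheduled run is meant to gate, drop the flag or scope it, e.g. `continue-on-error: ${{ github.event_name == 'pull_request' }}`. The top-level `permissions: read-all` is also broader than the visible steps need (checkout plus npm), and `permissions: { contents: read }` would be the least-privilege form unless the local `setup-project` action requires another read scope. Finally, the `WARNING: libs not in Dockerfile base COPY` message is followed by `exit 1`, so it is an error in effect and should be labelled `ERROR:` like the script check above it.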