stackblitz-labs
diff --git a/‎.depcheckrc.json‎
Lines changed: 28 additions & 0 deletions b/‎.depcheckrc.json‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎.env.example‎
Lines changed: 9 additions & 0 deletions b/‎.env.example‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 30 additions & 0 deletions b/‎.github/CODEOWNERS‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/actions/setup-and-build/action.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.github/actions/setup-and-build/action.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 36 additions & 3 deletions b/‎.github/workflows/ci.yaml‎
Lines changed: 36 additions & 3 deletions
diff --git a/‎.github/workflows/docker.yaml‎
Lines changed: 19 additions & 3 deletions b/‎.github/workflows/docker.yaml‎
Lines changed: 19 additions & 3 deletions
diff --git a/‎.github/workflows/electron.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/electron.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/pr-release-validation.yaml‎
Lines changed: 96 additions & 2 deletions b/‎.github/workflows/pr-release-validation.yaml‎
Lines changed: 96 additions & 2 deletions
@@ -0,0 +1,28 @@
+{
+  "ignoreMatches": [
+    "@types/*",
+    "eslint-*",
+    "prettier*",
+    "husky",
+    "rimraf",
+    "vitest",
+    "vite",
+    "typescript",
+    "wrangler",
+    "electron*"
+  ],
+  "ignoreDirs": [
+    "dist",
+    "build",
+    "node_modules",
+    ".git"
+  ],
+  "skipMissing": false,
+  "ignorePatterns": [
+    "*.d.ts",
+    "*.test.ts",
+    "*.test.tsx",
+    "*.spec.ts",
+    "*.spec.tsx"
+  ]
+}
@@ -113,6 +113,15 @@ VITE_GITHUB_ACCESS_TOKEN=
 # Classic tokens are recommended for broader access
 VITE_GITHUB_TOKEN_TYPE=classic
 
+# Bug Report Configuration (Server-side only)
+# GitHub token for creating bug reports - requires 'public_repo' scope
+# This token should be configured on the server/deployment environment
+# GITHUB_BUG_REPORT_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+# Repository where bug reports will be created
+# Format: "owner/repository" 
+# BUG_REPORT_REPO=stackblitz-labs/bolt.diy
+
 # Example Context Values for qwen2.5-coder:32b
 # 
 # DEFAULT_NUM_CTX=32768 # Consumes 36GB of VRAM
 
@@ -0,0 +1,30 @@
+# Code Owners for bolt.diy
+# These users/teams will automatically be requested for review when files are modified
+
+# Global ownership - repository maintainers
+* @stackblitz-labs/bolt-maintainers
+
+# GitHub workflows and CI/CD configuration - require maintainer review
+/.github/ @stackblitz-labs/bolt-maintainers
+/package.json @stackblitz-labs/bolt-maintainers
+/pnpm-lock.yaml @stackblitz-labs/bolt-maintainers
+
+# Security-sensitive configurations - require maintainer review
+/.env* @stackblitz-labs/bolt-maintainers
+/wrangler.toml @stackblitz-labs/bolt-maintainers  
+/Dockerfile @stackblitz-labs/bolt-maintainers
+/docker-compose.yaml @stackblitz-labs/bolt-maintainers
+
+# Core application architecture - require maintainer review
+/app/lib/.server/ @stackblitz-labs/bolt-maintainers
+/app/routes/api.* @stackblitz-labs/bolt-maintainers
+
+# Build and deployment configuration - require maintainer review
+/vite*.config.ts @stackblitz-labs/bolt-maintainers
+/tsconfig.json @stackblitz-labs/bolt-maintainers
+/uno.config.ts @stackblitz-labs/bolt-maintainers
+/eslint.config.mjs @stackblitz-labs/bolt-maintainers
+
+# Documentation (optional review)
+/*.md
+/docs/
@@ -4,11 +4,11 @@ inputs:
   pnpm-version:
     required: false
     type: string
-    default: '9.4.0'
+    default: '9.14.4'
   node-version:
     required: false
     type: string
-    default: '20.15.1'
+    default: '20.18.0'
 
 runs:
   using: composite
 
@@ -3,25 +3,58 @@ name: CI/CD
 on:
   push:
     branches:
-      - master
+      - main
   pull_request:
 
+# Cancel in-progress runs on the same branch/PR
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Setup and Build
         uses: ./.github/actions/setup-and-build
 
+      - name: Cache TypeScript compilation
+        uses: actions/cache@v4
+        with:
+          path: |
+            .tsbuildinfo
+            node_modules/.cache
+          key: ${{ runner.os }}-typescript-${{ hashFiles('**/tsconfig.json', 'app/**/*.ts', 'app/**/*.tsx') }}
+          restore-keys: |
+            ${{ runner.os }}-typescript-
+
       - name: Run type check
         run: pnpm run typecheck
 
-      # - name: Run ESLint
-      #   run: pnpm run lint
+      - name: Cache ESLint
+        uses: actions/cache@v4
+        with:
+          path: node_modules/.cache/eslint
+          key: ${{ runner.os }}-eslint-${{ hashFiles('.eslintrc*', 'app/**/*.ts', 'app/**/*.tsx') }}
+          restore-keys: |
+            ${{ runner.os }}-eslint-
+
+      - name: Run ESLint
+        run: pnpm run lint
 
       - name: Run tests
         run: pnpm run test
+
+      - name: Upload test coverage
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: coverage-report
+          path: coverage/
+          retention-days: 7
@@ -16,7 +16,6 @@ permissions:
 
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
 
 jobs:
   docker-build-publish:
@@ -26,6 +25,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Set lowercase image name
+        id: image
+        run: echo "name=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+      
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -40,7 +43,7 @@ jobs:
         id: meta
         uses: docker/metadata-action@v4
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}
           tags: |
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
             type=raw,value=stable,enable=${{ github.ref == 'refs/heads/stable' }}
@@ -58,5 +61,18 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:${{ steps.meta.outputs.version }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+          
       - name: Check manifest
-        run: docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+        run: docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:${{ steps.meta.outputs.version }}
@@ -22,7 +22,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest] # Use unsigned macOS builds for now
-        node-version: [18.18.0]
+        node-version: [20.18.0]
       fail-fast: false
 
     steps:
@@ -46,7 +46,7 @@ jobs:
           echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
 
       - name: Setup pnpm cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ${{ env.STORE_PATH }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
 
@@ -6,12 +6,79 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+  checks: write
+
 jobs:
-  validate:
+  quality-gates:
+    name: Quality Gates
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Wait for CI checks
+        uses: lewagon/wait-on-check-action@v1.3.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          check-name: 'Test'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          wait-interval: 10
+
+      - name: Check required status checks
+        uses: actions/github-script@v7
+        continue-on-error: true
+        with:
+          script: |
+            const { data: checks } = await github.rest.checks.listForRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: context.payload.pull_request.head.sha
+            });
+
+            const requiredChecks = ['Test', 'CodeQL Analysis'];
+            const optionalChecks = ['Quality Analysis', 'Deploy Preview'];
+            const failedChecks = [];
+            const passedChecks = [];
+
+            // Check required workflows
+            for (const checkName of requiredChecks) {
+              const check = checks.check_runs.find(c => c.name === checkName);
+              if (check && check.conclusion === 'success') {
+                passedChecks.push(checkName);
+              } else {
+                failedChecks.push(checkName);
+              }
+            }
+
+            // Report optional checks
+            for (const checkName of optionalChecks) {
+              const check = checks.check_runs.find(c => c.name === checkName);
+              if (check && check.conclusion === 'success') {
+                passedChecks.push(`${checkName} (optional)`);
+              }
+            }
+
+            console.log(`✅ Passed checks: ${passedChecks.join(', ')}`);
+            
+            if (failedChecks.length > 0) {
+              console.log(`❌ Failed required checks: ${failedChecks.join(', ')}`);
+              core.setFailed(`Required checks failed: ${failedChecks.join(', ')}`);
+            } else {
+              console.log(`✅ All required checks passed!`);
+            }
+
+  validate-release:
+    name: Release Validation
     runs-on: ubuntu-latest
+    needs: quality-gates
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
 
       - name: Validate PR Labels
         run: |
@@ -29,3 +96,30 @@ jobs:
           else
             echo "This PR doesn't have the stable-release label. No release will be created." 
           fi
+
+      - name: Check breaking changes
+        if: contains(github.event.pull_request.labels.*.name, 'major')
+        run: |
+          echo "⚠️ This PR contains breaking changes and will trigger a major release."
+          
+      - name: Validate changelog entry
+        if: contains(github.event.pull_request.labels.*.name, 'stable-release')
+        run: |
+          if ! grep -q "${{ github.event.pull_request.number }}" CHANGES.md; then
+            echo "❌ No changelog entry found for PR #${{ github.event.pull_request.number }}"
+            echo "Please add an entry to CHANGES.md"
+            exit 1
+          else
+            echo "✓ Changelog entry found"
+          fi
+
+  security-review:
+    name: Security Review Required
+    runs-on: ubuntu-latest
+    if: contains(github.event.pull_request.labels.*.name, 'security')
+    
+    steps:
+      - name: Check security label
+        run: |
+          echo "🔒 This PR has security implications and requires additional review"
+          echo "Ensure a security team member has approved this PR before merging"