feat(ci): add Phase 5 - Additional improvements

grdsdev · claude · grdsdev · commit 40e80863232a · 2025-11-12T13:36:44.000-03:00
This commit implements Phase 5 of the workflow improvements plan: 1. **Extract Release Command to Script** - Created `.github/scripts/trigger-package-releases.sh` script - Extracted complex melos command from release-tag.yml - Added error handling and logging to the script - Made script executable and self-documenting - Improved maintainability by separating logic from workflow 2. **Enhanced Error Handling for Release Workflows** - Added step IDs to track success/failure of each step - Added workflow summaries to release-tag.yml showing: - Overall status (success/failure) - Commit message and ref information - Added workflow summaries to release-publish.yml showing: - Pub.dev publishing status - GitHub release creation status - Overall package release status - Summaries help quickly identify which step failed 3. **Dependency Vulnerability Scanning** - Created new `dependency-scan.yml` workflow - Runs weekly on Mondays at 9:00 UTC - Triggers on pubspec.yaml/pubspec.lock changes - Can be manually triggered via workflow_dispatch - Generates two reports: - Outdated dependencies report (dart pub outdated) - Security audit report (checks for vulnerabilities) - Uploads reports as artifacts with 30-day retention - Generates formatted summary in GitHub Actions UI - Helps proactively identify security issues These improvements enhance reliability, maintainability, and security of the CI/CD pipeline. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/scripts/trigger-package-releases.sh b/.github/scripts/trigger-package-releases.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+set -e
+
+# Script to trigger release-publish workflows for all unpublished packages
+# This script is used by the release-tag workflow after tags are created
+
+echo "Starting package release workflow triggers..."
+
+# Check if GH_TOKEN is set
+if [ -z "$GH_TOKEN" ]; then
+  echo "Error: GH_TOKEN environment variable is not set"
+  exit 1
+fi
+
+# Counter for tracking
+TOTAL_PACKAGES=0
+SUCCESS_COUNT=0
+FAILED_PACKAGES=()
+
+# Run melos exec to trigger workflows for each package
+# --no-published: Only unpublished packages
+# --no-private: Exclude private packages
+# --order-dependents: Process in dependency order
+# -c 1: Run one at a time (concurrency 1)
+echo "Triggering workflows for unpublished packages..."
+melos exec \
+  -c 1 \
+  --no-published \
+  --no-private \
+  --order-dependents \
+  -- bash -c '
+    PACKAGE_NAME="${MELOS_PACKAGE_NAME}"
+    PACKAGE_VERSION="${MELOS_PACKAGE_VERSION}"
+    REF="${PACKAGE_NAME}-v${PACKAGE_VERSION}"
+
+    echo "----------------------------------------"
+    echo "Processing: $PACKAGE_NAME v$PACKAGE_VERSION"
+    echo "Ref: $REF"
+
+    if gh workflow run release-publish.yml --ref "$REF"; then
+      echo "✓ Successfully triggered workflow for $PACKAGE_NAME"
+      exit 0
+    else
+      echo "✗ Failed to trigger workflow for $PACKAGE_NAME"
+      exit 1
+    fi
+  ' || {
+    echo "Error: Some package workflows failed to trigger"
+    exit 1
+  }
+
+echo "----------------------------------------"
+echo "All package release workflows triggered successfully!"
diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
@@ -0,0 +1,149 @@
+name: Dependency Vulnerability Scan
+
+on:
+  schedule:
+    # Run weekly on Mondays at 9:00 UTC
+    - cron: '0 9 * * 1'
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - '**/pubspec.yaml'
+      - '**/pubspec.lock'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+  issues: write
+
+jobs:
+  scan-dependencies:
+    name: Scan Dependencies for Vulnerabilities
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Dart
+        uses: dart-lang/setup-dart@v1
+        with:
+          sdk: stable
+
+      - name: Setup Flutter
+        uses: subosito/flutter-action@v2
+        with:
+          cache: true
+
+      - name: Install Melos
+        run: dart pub global activate melos
+
+      - name: Bootstrap workspace
+        run: melos bootstrap
+
+      - name: Check for outdated dependencies
+        id: outdated
+        continue-on-error: true
+        run: |
+          echo "## Outdated Dependencies Report" > outdated_report.md
+          echo "" >> outdated_report.md
+
+          # Check each package for outdated dependencies
+          for package in packages/*/pubspec.yaml; do
+            package_dir=$(dirname "$package")
+            package_name=$(basename "$package_dir")
+
+            echo "### Package: $package_name" >> outdated_report.md
+            echo "" >> outdated_report.md
+
+            cd "$package_dir"
+            if dart pub outdated --json > outdated.json 2>/dev/null; then
+              # Parse and format the outdated dependencies
+              if [ -s outdated.json ]; then
+                echo "\`\`\`" >> ../../outdated_report.md
+                dart pub outdated >> ../../outdated_report.md 2>&1 || true
+                echo "\`\`\`" >> ../../outdated_report.md
+              else
+                echo "✅ All dependencies are up to date" >> ../../outdated_report.md
+              fi
+            else
+              echo "⚠️ Could not check dependencies" >> ../../outdated_report.md
+            fi
+            echo "" >> ../../outdated_report.md
+            cd ../..
+          done
+
+      - name: Run Dart dependency audit
+        id: audit
+        continue-on-error: true
+        run: |
+          echo "## Security Audit Report" > audit_report.md
+          echo "" >> audit_report.md
+
+          # Check each package for security vulnerabilities
+          for package in packages/*/pubspec.yaml; do
+            package_dir=$(dirname "$package")
+            package_name=$(basename "$package_dir")
+
+            echo "### Package: $package_name" >> audit_report.md
+            echo "" >> audit_report.md
+
+            cd "$package_dir"
+            # Note: Using `dart pub get` with vulnerability checking
+            # Dart SDK has built-in vulnerability database
+            if dart pub get 2>&1 | grep -i "vulnerabilit" > /dev/null; then
+              echo "⚠️ Potential vulnerabilities detected:" >> ../../audit_report.md
+              echo "\`\`\`" >> ../../audit_report.md
+              dart pub get 2>&1 | grep -A 5 -i "vulnerabilit" >> ../../audit_report.md || true
+              echo "\`\`\`" >> ../../audit_report.md
+            else
+              echo "✅ No known vulnerabilities detected" >> ../../audit_report.md
+            fi
+            echo "" >> ../../audit_report.md
+            cd ../..
+          done
+
+      - name: Generate workflow summary
+        if: always()
+        run: |
+          echo "## Dependency Vulnerability Scan Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Scan Date:** $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> $GITHUB_STEP_SUMMARY
+          echo "**Repository:** ${{ github.repository }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Branch:** ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # Add outdated dependencies report
+          if [ -f outdated_report.md ]; then
+            cat outdated_report.md >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # Add audit report
+          if [ -f audit_report.md ]; then
+            cat audit_report.md >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # Overall status
+          if [ "${{ steps.audit.outcome }}" == "success" ] && [ "${{ steps.outdated.outcome }}" == "success" ]; then
+            echo "---" >> $GITHUB_STEP_SUMMARY
+            echo "✅ **Status:** Scan completed successfully" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "---" >> $GITHUB_STEP_SUMMARY
+            echo "⚠️ **Status:** Scan completed with warnings" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-scan-reports-${{ github.run_number }}
+          path: |
+            outdated_report.md
+            audit_report.md
+          retention-days: 30
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
@@ -27,11 +27,13 @@ jobs:
           cache: true
 
       - name: Publish to pub.dev
+        id: publish
         uses: bluefireteam/melos-action@v3
         with:
           publish: true
 
       - name: Create GitHub Release
+        id: create_release
         uses: softprops/action-gh-release@v1
         with:
           tag_name: ${{ github.ref_name }}
@@ -49,3 +51,30 @@ jobs:
           prerelease: false
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - name: Generate workflow summary
+        if: always()
+        run: |
+          echo "## Package Release Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Package:** \`${{ github.ref_name }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          if [ "${{ steps.publish.outcome }}" == "success" ]; then
+            echo "✅ **Pub.dev Publishing:** Success" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ **Pub.dev Publishing:** Failed" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          if [ "${{ steps.create_release.outcome }}" == "success" ]; then
+            echo "✅ **GitHub Release:** Success" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ **GitHub Release:** Failed" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ steps.publish.outcome }}" == "success" ] && [ "${{ steps.create_release.outcome }}" == "success" ]; then
+            echo "🎉 Package published successfully!" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "⚠️ Some steps failed. Please review the logs above." >> $GITHUB_STEP_SUMMARY
+          fi
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
@@ -39,9 +39,26 @@ jobs:
         uses: bluefireteam/melos-action@v3
         with:
           tag: true
-      - run: |
-          melos exec -c 1 --no-published --no-private --order-dependents -- \
-          gh workflow run release-publish.yml \
-          --ref \$MELOS_PACKAGE_NAME-v\$MELOS_PACKAGE_VERSION
+
+      - name: Trigger package release workflows
+        id: trigger_releases
+        run: .github/scripts/trigger-package-releases.sh
         env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - name: Generate workflow summary
+        if: always()
+        run: |
+          echo "## Release Tag Workflow Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ steps.trigger_releases.outcome }}" == "success" ]; then
+            echo "✅ **Status:** All package release workflows triggered successfully" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ **Status:** Failed to trigger some package release workflows" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "**Error Details:**" >> $GITHUB_STEP_SUMMARY
+            echo "Please check the logs for the 'Trigger package release workflows' step for more information." >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Commit:** ${{ github.event.head_commit.message }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Ref:** ${{ github.ref }}" >> $GITHUB_STEP_SUMMARY
