Update GitHub Actions #54
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| # Cancel in-flight runs for the same workflow + ref. Including | |
| # `github.workflow` in the key keeps this from colliding with any other | |
| # workflow that happens to share a ref-based group prefix. | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # Least-privilege: this workflow only reads the repo to lint/build/verify; it | |
| # never writes back. Anything that needs write scopes lives in a separate | |
| # workflow with its own scoped permissions. | |
| permissions: | |
| contents: read | |
| jobs: | |
| ci: | |
| name: Lint, build, verify | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 | |
| with: | |
| bun-version: 1.3.13 | |
| # Bun is the package manager and script runner, but Next.js (and tsc) | |
| # run on Node. The runner image is pinned (ubuntu-24.04) but Node | |
| # version inside it can still drift; pin via .nvmrc so a future | |
| # GitHub bump can't break the build silently. | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version-file: .nvmrc | |
| # Cache Bun's resolved package store keyed on the lockfile hash. Cuts | |
| # ~10s off `bun install` on a clean runner; the restore-key falls back | |
| # to any prior cache from this OS so partial hits still help. | |
| - name: Cache Bun install cache | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: ~/.bun/install/cache | |
| key: ${{ runner.os }}-bun-${{ hashFiles('bun.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-bun- | |
| # Cache Next.js's incremental build output. Keyed on lockfile + commit | |
| # SHA so the exact-key match is always per-commit fresh; restore-keys | |
| # fall back to any previous build on the same lockfile, then any build | |
| # on this OS — so most CI runs hit a cache and skip rebuilding | |
| # unchanged webpack modules. | |
| - name: Cache Next.js build cache | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: ${{ github.workspace }}/.next/cache | |
| key: ${{ runner.os }}-nextjs-${{ hashFiles('bun.lock') }}-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-nextjs-${{ hashFiles('bun.lock') }}- | |
| ${{ runner.os }}-nextjs- | |
| - name: Install | |
| run: bun install --frozen-lockfile | |
| - name: Lint + format check | |
| run: bun run check:ci | |
| # Build BEFORE typecheck: the build runs velite (populating .velite/ | |
| # which the `#site/content` path alias resolves to) and produces | |
| # next-env.d.ts. tsc fails without these, so order matters here. | |
| - name: Build | |
| run: bun run build | |
| - name: Type check | |
| run: bun run typecheck | |
| - name: Start server | |
| run: | | |
| bun run start > /tmp/server.log 2>&1 & | |
| echo $! > /tmp/server.pid | |
| for i in $(seq 1 30); do | |
| if curl -sf http://localhost:3000 > /dev/null; then | |
| echo "server ready" | |
| exit 0 | |
| fi | |
| sleep 1 | |
| done | |
| echo "server failed to start in 30s" | |
| cat /tmp/server.log | |
| exit 1 | |
| - name: Verify endpoints | |
| run: bun run verify | |
| # Hard-gates on vulnerable direct/transitive deps. Two advisories are | |
| # ignored because they're upstream-blocked (both via @lhci/cli@0.15.1 | |
| # and resend's transitive svix; both dev-/server-side with no | |
| # exploitable code path) — see CLAUDE.md "Audit advisories" for | |
| # context and removal triggers. Any new advisory fails the job. | |
| - name: Dependency audit | |
| run: bun audit --ignore=GHSA-w5hq-g745-h8pq --ignore=GHSA-52f5-9888-hmc6 | |
| # Playwright browsers are ~250 MB. Cache them keyed on the | |
| # @playwright/test version pinned in package.json — invalidates on | |
| # bumps, hits otherwise. System deps (apt packages) aren't covered by | |
| # the cache, so install those separately even on cache hit (~10s vs | |
| # ~3min for the full install). | |
| - name: Get Playwright version | |
| id: playwright-version | |
| run: | | |
| VERSION=$(grep -oE '"@playwright/test": "[^"]+"' package.json | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') | |
| echo "version=$VERSION" >> $GITHUB_OUTPUT | |
| - name: Cache Playwright browsers | |
| id: playwright-cache | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | |
| with: | |
| path: ~/.cache/ms-playwright | |
| key: ${{ runner.os }}-playwright-${{ steps.playwright-version.outputs.version }} | |
| - name: Install Playwright browsers (cache miss) | |
| if: steps.playwright-cache.outputs.cache-hit != 'true' | |
| run: bunx playwright install --with-deps chromium webkit | |
| - name: Install Playwright system deps (cache hit) | |
| if: steps.playwright-cache.outputs.cache-hit == 'true' | |
| run: bunx playwright install-deps chromium webkit | |
| - name: Browser smoke tests | |
| run: bun run test:e2e | |
| - name: Upload Playwright report | |
| if: failure() | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: playwright-report | |
| path: playwright-report/ | |
| retention-days: 7 | |
| - name: Stop server | |
| if: always() | |
| run: | | |
| if [ -f /tmp/server.pid ]; then | |
| kill $(cat /tmp/server.pid) 2>/dev/null || true | |
| fi | |
| - name: Server logs (on failure) | |
| if: failure() | |
| run: cat /tmp/server.log || true | |
| # Runs only on PRs (no baseline diff to compute on a push to main). | |
| # Compares the PR's dependency manifest against main and flags | |
| # high-severity advisories or license incompatibilities. Hard-gated to | |
| # match the `bun audit` posture: a PR introducing a new high-severity | |
| # advisory must block merge, not just post a comment. | |
| dependency-review: | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 | |
| with: | |
| fail-on-severity: high | |
| comment-summary-in-pr: on-failure | |
| # Defense-in-depth on top of GitHub's push protection. Push protection | |
| # covers high-entropy / known-provider patterns at push time; TruffleHog | |
| # re-scans diffs on PRs + push to main, catching secrets that slipped | |
| # past push protection (low-entropy formats, detector patterns added | |
| # after the secret was committed, or push-protection bypass via the | |
| # "I'll fix it later" allow path). | |
| secret-scan: | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| # TruffleHog diffs base..head and needs the full history present. | |
| fetch-depth: 0 | |
| - name: TruffleHog scan | |
| uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab # v3.95.3 | |
| with: | |
| # On PRs: scan the diff between base and head. On push to main: | |
| # scan the previous commit to HEAD. The action infers both from | |
| # the event context. | |
| # --results=verified,unknown drops trufflehog's "unverified" tier | |
| # (pattern-matched but couldn't reach the verifier endpoint) to | |
| # keep noise down without losing coverage of secrets whose | |
| # verifiers don't recognize them yet. | |
| extra_args: --results=verified,unknown |