-
Notifications
You must be signed in to change notification settings - Fork 1
199 lines (174 loc) · 7.73 KB
/
ci.yml
File metadata and controls
199 lines (174 loc) · 7.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
name: CI
on:
push:
branches: [main]
pull_request:
# Cancel in-flight runs for the same workflow + ref. Including
# `github.workflow` in the key keeps this from colliding with any other
# workflow that happens to share a ref-based group prefix.
concurrency:
group: ci-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# Least-privilege: this workflow only reads the repo to lint/build/verify; it
# never writes back. Anything that needs write scopes lives in a separate
# workflow with its own scoped permissions.
permissions:
contents: read
jobs:
ci:
name: Lint, build, verify
runs-on: ubuntu-24.04
timeout-minutes: 10
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with:
bun-version: 1.3.13
# Bun is the package manager and script runner, but Next.js (and tsc)
# run on Node. The runner image is pinned (ubuntu-24.04) but Node
# version inside it can still drift; pin via .nvmrc so a future
# GitHub bump can't break the build silently.
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version-file: .nvmrc
# Cache Bun's resolved package store keyed on the lockfile hash. Cuts
# ~10s off `bun install` on a clean runner; the restore-key falls back
# to any prior cache from this OS so partial hits still help.
- name: Cache Bun install cache
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ~/.bun/install/cache
key: ${{ runner.os }}-bun-${{ hashFiles('bun.lock') }}
restore-keys: |
${{ runner.os }}-bun-
# Cache Next.js's incremental build output. Keyed on lockfile + commit
# SHA so the exact-key match is always per-commit fresh; restore-keys
# fall back to any previous build on the same lockfile, then any build
# on this OS — so most CI runs hit a cache and skip rebuilding
# unchanged webpack modules.
- name: Cache Next.js build cache
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ${{ github.workspace }}/.next/cache
key: ${{ runner.os }}-nextjs-${{ hashFiles('bun.lock') }}-${{ github.sha }}
restore-keys: |
${{ runner.os }}-nextjs-${{ hashFiles('bun.lock') }}-
${{ runner.os }}-nextjs-
- name: Install
run: bun install --frozen-lockfile
- name: Lint + format check
run: bun run check:ci
# Build BEFORE typecheck: the build runs velite (populating .velite/
# which the `#site/content` path alias resolves to) and produces
# next-env.d.ts. tsc fails without these, so order matters here.
- name: Build
run: bun run build
- name: Type check
run: bun run typecheck
- name: Start server
run: |
bun run start > /tmp/server.log 2>&1 &
echo $! > /tmp/server.pid
for i in $(seq 1 30); do
if curl -sf http://localhost:3000 > /dev/null; then
echo "server ready"
exit 0
fi
sleep 1
done
echo "server failed to start in 30s"
cat /tmp/server.log
exit 1
- name: Verify endpoints
run: bun run verify
# Hard-gates on vulnerable direct/transitive deps. Two advisories are
# ignored because they're upstream-blocked (both via @lhci/cli@0.15.1
# and resend's transitive svix; both dev-/server-side with no
# exploitable code path) — see CLAUDE.md "Audit advisories" for
# context and removal triggers. Any new advisory fails the job.
- name: Dependency audit
run: bun audit --ignore=GHSA-w5hq-g745-h8pq --ignore=GHSA-52f5-9888-hmc6
# Playwright browsers are ~250 MB. Cache them keyed on the
# @playwright/test version pinned in package.json — invalidates on
# bumps, hits otherwise. System deps (apt packages) aren't covered by
# the cache, so install those separately even on cache hit (~10s vs
# ~3min for the full install).
- name: Get Playwright version
id: playwright-version
run: |
VERSION=$(grep -oE '"@playwright/test": "[^"]+"' package.json | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Cache Playwright browsers
id: playwright-cache
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ~/.cache/ms-playwright
key: ${{ runner.os }}-playwright-${{ steps.playwright-version.outputs.version }}
- name: Install Playwright browsers (cache miss)
if: steps.playwright-cache.outputs.cache-hit != 'true'
run: bunx playwright install --with-deps chromium webkit
- name: Install Playwright system deps (cache hit)
if: steps.playwright-cache.outputs.cache-hit == 'true'
run: bunx playwright install-deps chromium webkit
- name: Browser smoke tests
run: bun run test:e2e
- name: Upload Playwright report
if: failure()
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: playwright-report
path: playwright-report/
retention-days: 7
- name: Stop server
if: always()
run: |
if [ -f /tmp/server.pid ]; then
kill $(cat /tmp/server.pid) 2>/dev/null || true
fi
- name: Server logs (on failure)
if: failure()
run: cat /tmp/server.log || true
# Runs only on PRs (no baseline diff to compute on a push to main).
# Compares the PR's dependency manifest against main and flags
# high-severity advisories or license incompatibilities. Hard-gated to
# match the `bun audit` posture: a PR introducing a new high-severity
# advisory must block merge, not just post a comment.
dependency-review:
if: github.event_name == 'pull_request'
runs-on: ubuntu-24.04
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Dependency Review
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
with:
fail-on-severity: high
comment-summary-in-pr: on-failure
# Defense-in-depth on top of GitHub's push protection. Push protection
# covers high-entropy / known-provider patterns at push time; TruffleHog
# re-scans diffs on PRs + push to main, catching secrets that slipped
# past push protection (low-entropy formats, detector patterns added
# after the secret was committed, or push-protection bypass via the
# "I'll fix it later" allow path).
secret-scan:
runs-on: ubuntu-24.04
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# TruffleHog diffs base..head and needs the full history present.
fetch-depth: 0
- name: TruffleHog scan
uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2
with:
# On PRs: scan the diff between base and head. On push to main:
# scan the previous commit to HEAD. The action infers both from
# the event context.
# --results=verified,unknown drops trufflehog's "unverified" tier
# (pattern-matched but couldn't reach the verifier endpoint) to
# keep noise down without losing coverage of secrets whose
# verifiers don't recognize them yet.
extra_args: --results=verified,unknown