ci-dev.yml
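# Single CI workflow for the dev branch: lint + security + tests run in
# parallel (one GitHub Actions run).
# Minimal permissions (contents: read): no write access to the repository;
# the only thing published is the test artifact.
name: ci-dev

on:
  push:
    branches: [dev]
  pull_request:
    branches: [dev]

# Workflow-wide GITHUB_TOKEN scope. Scopes not listed here are set to none, so
# no job can push, comment or publish with the token.
# NOTE(review): dorny/paths-filter lists changed files through the pull
# request API on pull_request events; in a private repository that also needs
# `pull-requests: read` - confirm against the repository's visibility.
permissions:
  contents: read

# One active run per ref: a newer push cancels the run still in progress.
concurrency:
  group: ci-dev-${{ github.ref }}
  cancel-in-progress: true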
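jobs:
  # Gate job: reports whether the change touches anything the other jobs check.
  # NOTE(review): every `uses:` in this workflow references a mutable tag.
  # Pinning each one to a full commit SHA, in the form
  # `owner/action@<full-commit-sha>  # vN` (placeholder, not a real SHA), keeps
  # a moved tag from changing what runs here; dorny/paths-filter is the
  # third-party action to pin first.
  changes:
    runs-on: ubuntu-latest
    outputs:
      code: ${{ steps.filter.outputs.code }}
    steps:
      # Checkout credentials stay at the action default in this job only:
      # paths-filter may need to fetch the previous commit on push events.
      # NOTE(review): confirm before setting persist-credentials: false here.
      - uses: actions/checkout@v6
      - uses: dorny/paths-filter@v4
        id: filter
        with:
          # A change that matches none of these paths skips lint, security and
          # test entirely, so every file that influences those checks has to be
          # listed. Workflow files are included so that edits to CI itself are
          # always exercised.
          filters: |
            code:
              - 'app/**'
              - 'bin/**'
              - 'config/**'
              - 'db/**'
              - 'lib/**'
              - 'public/**'
              - 'spec/**'
              - 'Gemfile'
              - 'Gemfile.lock'
              - 'package.json'
              - 'yarn.lock'
              - 'Procfile*'
              - 'tailwind.config.js'
              - 'Dockerfile*'
              - '.rubocop.yml'
              - '.ruby-version'
              - '.node-version'
              - 'config.ru'
              - 'Rakefile'
              - '.github/workflows/**'

  # Style and lint checks; runs only when the gate job saw a relevant change.
  lint:
    needs: changes
    if: needs.changes.outputs.code == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          # No later step in this job talks to the remote, so the job token is
          # not left on the runner for the project code that runs next.
          persist-credentials: false
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "4.0.1"
          bundler-cache: true
      - uses: actions/setup-node@v6
        with:
          node-version: "22"
      - name: RuboCop
        run: bin/rubocop --format github --force-exclusion

  # Static analysis (Brakeman) and known-vulnerability check of the Ruby
  # dependencies (bundler-audit).
  # NOTE(review): package.json and yarn.lock are in the path filter, but no step
  # here audits JavaScript dependencies - confirm that is covered elsewhere.
  security:
    needs: changes
    if: needs.changes.outputs.code == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          # No later step in this job needs git credentials.
          persist-credentials: false
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "4.0.1"
          bundler-cache: true
      - name: Brakeman
        run: bin/brakeman --no-pager
      - name: Bundler Audit
        # --update refreshes the advisory database before checking, so the
        # result reflects advisories published up to the time of the run.
        run: bundle exec bundle-audit check --update

  # Full RSpec run with a minimum line-coverage gate and uploaded results.
  test:
    needs: changes
    if: needs.changes.outputs.code == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          # The steps below execute repository code (asset build, migrations,
          # specs); none of them needs git credentials.
          persist-credentials: false
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "4.0.1"
          bundler-cache: true
      - uses: actions/setup-node@v6
        with:
          node-version: "22"
      - name: Build Tailwind CSS
        run: bundle exec rails tailwindcss:build
      - name: Prepare test databases
        run: RAILS_ENV=test bin/rails db:prepare
      - name: Run full test suite with coverage
        env:
          # Quoted so the value is a string for every YAML parser.
          CI: "true"
        run: |
          mkdir -p tmp
          bin/rspec --format progress --format json --out tmp/rspec.json
      - name: Verify coverage threshold
        # Reads the line coverage from coverage/.last_run.json (0 when the file
        # is missing) and fails the job below 58 %.
        # The value is handed to awk as a variable instead of being spliced
        # into the awk program text, so it is only ever treated as data.
        run: |
          COVERAGE=$(ruby -rjson -e 'f="coverage/.last_run.json"; puts(File.exist?(f) ? JSON.parse(File.read(f)).dig("result","line").to_f : 0)')
          echo "Coverage: ${COVERAGE}%"
          awk -v cov="${COVERAGE}" 'BEGIN {exit !(cov >= 58)}'
      - name: Upload test results
        # always(): keep the report even when the suite or the coverage gate
        # failed. The artifact can be downloaded by anyone with read access to
        # the repository, so test output must not contain secrets.
        if: always()
        uses: actions/upload-artifact@v7
        with:
          name: test-results
          path: |
            tmp/rspec.json
            coverage
          if-no-files-found: warn
          retention-days: 7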