
Merge pull request #570 from noelams/feat/route-guard #672

Workflow file for this run

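# CI pipeline: builds, tests and dependency audits for the frontend, the
# backend and the Soroban contracts.
name: CI

# Triggered by `pull_request` (not `pull_request_target`), so runs started from
# fork pull requests receive a read-only token and no repository secrets.
on:
  push:
    branches:
      - main
      - master
      - feat/dependency-audit-ci
      - "ci/**"
  pull_request:
    branches:
      - main
      - master
      - feat/dependency-audit-ci

# Least privilege for GITHUB_TOKEN. Without this block the token falls back to
# the repository/organisation default, which may be read-write. The steps
# visible in this workflow only read the repository; if a script turns out to
# need more, grant it on that job rather than widening this default.
permissions:
  contents: read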
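jobs:
  # Supply-chain note for every `uses:` below: all actions are referenced by
  # mutable refs (`@v4`, `@v2`, `@stable`, `@master`). A moved tag or branch
  # changes what runs here without any change to this file; pinning each action
  # to a full commit SHA (with the version in a trailing comment) removes that
  # trust in the upstream ref.

  frontend:
    name: Frontend
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): consider `persist-credentials: false` on checkout if no
      # later step needs authenticated git; npm lifecycle scripts run in this
      # workspace.
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json

      # `npm ci` installs exactly what the lockfile records and fails when
      # package.json and the lockfile disagree.
      - name: Install dependencies
        run: npm ci
        working-directory: frontend

      # Gate scope: `--omit=dev` skips devDependencies and
      # `--audit-level=high` fails the job only for high/critical advisories.
      # Lower-severity and dev-only findings do not block the build.
      - name: Security audit (dependencies)
        run: npm audit --omit=dev --audit-level=high
        working-directory: frontend

      - name: Build
        run: npm run build
        working-directory: frontend

  backend:
    name: Backend
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"
          cache-dependency-path: backend/package-lock.json

      # Lockfile-only install, matching the frontend job. The previous
      # fallback to `npm install` when package-lock.json was absent would have
      # resolved fresh, unpinned versions, so the audit below would inspect a
      # tree nobody reviewed. The npm cache above is already keyed on
      # backend/package-lock.json, so the lockfile is required regardless.
      - name: Install dependencies
        run: npm ci
        working-directory: backend

      # Same gate scope as the frontend audit: production dependencies only,
      # failing on high/critical advisories.
      - name: Security audit (dependencies)
        run: npm audit --omit=dev --audit-level=high
        working-directory: backend

      - name: Build
        run: npm run build
        working-directory: backend

      # The credentials in the `env:` blocks below are throwaway CI fixtures
      # committed in clear text. They must never match a value used in a
      # deployed environment; real secrets belong in the repository's secret
      # store, not in this file.
      # NOTE(review): DB_HOST/DB_PORT point at localhost:5432 but this job
      # defines no `services:` container; presumably the tests do not need a
      # live database. Confirm.
      - name: Run unit tests
        run: npm test
        working-directory: backend
        env:
          JWT_SECRET: ci-test-secret
          DB_HOST: localhost
          # Quoted: environment values are strings.
          DB_PORT: "5432"
          DB_USER: postgres
          DB_PASSWORD: postgres
          DB_NAME: myfans

      - name: Validate OpenAPI schema generation
        run: npm run generate:openapi
        working-directory: backend
        env:
          JWT_SECRET: ci-test-secret
          DB_HOST: localhost
          DB_PORT: "5432"
          DB_USER: postgres
          DB_PASSWORD: postgres
          DB_NAME: myfans
          SOROBAN_RPC_URL: https://soroban-testnet.stellar.org
          STELLAR_NETWORK: testnet
          WEBHOOK_SECRET: ci-test-secret

      - name: Run E2E tests
        run: npm run test:e2e
        working-directory: backend
        env:
          JWT_SECRET: ci-test-secret
          DB_HOST: localhost
          DB_PORT: "5432"
          DB_USER: postgres
          DB_PASSWORD: postgres
          DB_NAME: myfans

  # Single audit job (not duplicated across the toolchain matrix) to save CI time.
  contracts-audit:
    name: Contracts (RustSec audit)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust (stable)
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: wasm32-unknown-unknown,wasm32v1-none

      - name: Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          workspaces: contract
          prefix-key: contracts-audit

      # `--locked` fixes cargo-audit's own dependency tree, but the tool
      # version itself is not pinned (stellar-cli below is installed with
      # `--version`); a new cargo-audit release can change audit results
      # between otherwise identical runs.
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      - name: Security audit (contracts)
        # Fail on high/critical RustSec advisories as configured in contract/audit.toml.
        # NOTE(review): confirm that cargo-audit actually loads
        # contract/audit.toml from this working directory; if it does not, the
        # threshold described above is not what gates the build.
        run: cargo audit
        working-directory: contract

  contracts-abi:
    name: Contracts (ABI snapshot check)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libdbus-1-dev libudev-dev pkg-config

      - name: Install Rust (stable)
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: wasm32-unknown-unknown,wasm32v1-none

      - name: Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          workspaces: contract
          prefix-key: contracts-abi

      # A cache hit restores a prebuilt `stellar` binary and skips the
      # install step, so the executable that runs is whatever was stored under
      # this key. The key embeds the CLI version and a `-v1` suffix
      # (presumably there to force invalidation when bumped).
      - name: Cache stellar CLI binary
        id: stellar-abi-cache
        uses: actions/cache@v4
        with:
          path: ~/.cargo/bin/stellar
          key: stellar-cli-25.2.0-${{ runner.os }}-v1

      - name: Install Stellar CLI
        if: steps.stellar-abi-cache.outputs.cache-hit != 'true'
        run: cargo install stellar-cli --locked --version 25.2.0

      - name: Check ABI snapshots
        run: ./scripts/snapshot-abi.sh --check
        working-directory: contract

  contracts:
    name: Contracts (${{ matrix.name }})
    runs-on: ubuntu-latest
    strategy:
      # Let every matrix row finish so one failing toolchain does not hide
      # the result of the others.
      fail-fast: false
      matrix:
        include:
          # Rust stable × two supported stellar-cli releases
          - name: rust-stable-cli-23
            rust: stable
            stellar_cli: "23.4.1"
            install_targets: wasm32-unknown-unknown,wasm32v1-none
            run_deploy_smoke: true
          - name: rust-stable-cli-25
            rust: stable
            stellar_cli: "25.2.0"
            install_targets: wasm32-unknown-unknown,wasm32v1-none
            run_deploy_smoke: true
          # Minimum supported toolchain in CI (keep aligned with Soroban SDK / MSRV)
          - name: rust-1.82-cli-23
            rust: "1.82"
            stellar_cli: "23.4.1"
            install_targets: wasm32-unknown-unknown
            run_deploy_smoke: false
          - name: rust-1.82-cli-25
            rust: "1.82"
            stellar_cli: "25.2.0"
            install_targets: wasm32-unknown-unknown
            run_deploy_smoke: false
    steps:
      - uses: actions/checkout@v4

      - name: Install system dependencies (for stellar-cli)
        run: |
          sudo apt-get update
          sudo apt-get install -y libdbus-1-dev libudev-dev pkg-config

      # `@master` is a branch ref: this step runs whatever that branch points
      # to at job start. It is the least stable reference in this workflow
      # and the first candidate for pinning to a commit SHA.
      - name: Install Rust (${{ matrix.rust }})
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ matrix.rust }}
          targets: ${{ matrix.install_targets }}

      - name: Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          workspaces: contract
          prefix-key: contracts-${{ matrix.name }}

      - name: Build (wasm release, workspace)
        run: cargo build --workspace --target wasm32-unknown-unknown --release
        working-directory: contract

      - name: Run tests (workspace)
        run: cargo test --workspace
        working-directory: contract

      # As in the ABI job, a cache hit means the restored binary is used
      # without being rebuilt.
      - name: Cache stellar CLI binary
        if: matrix.run_deploy_smoke
        id: stellar-cache
        uses: actions/cache@v4
        with:
          path: ~/.cargo/bin/stellar
          key: stellar-cli-${{ matrix.stellar_cli }}-${{ runner.os }}-v1

      # The `${{ matrix.* }}` values expanded into the shell commands in this
      # job come from the matrix declared in this file, not from event data.
      - name: Install Stellar CLI ${{ matrix.stellar_cli }}
        if: matrix.run_deploy_smoke && steps.stellar-cache.outputs.cache-hit != 'true'
        run: cargo install stellar-cli --locked --version ${{ matrix.stellar_cli }}

      # Runs the repository's deploy script from the checked-out ref on both
      # push and pull_request events. No secrets are passed to this step; the
      # `--source` name is built from the run id, attempt and matrix row.
      # NOTE(review): the script writes `deployed-ci-*.json` and
      # `.env.deployed-ci-*` into the workspace. What they contain is not
      # visible here; if deploy.sh stores key material in them, keep them out
      # of uploaded artifacts and logs.
      - name: Deploy and verify on Futurenet (smoke)
        if: matrix.run_deploy_smoke
        run: |
          ./scripts/deploy.sh \
            --network futurenet \
            --source "ci-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.name }}" \
            --out "./deployed-ci-${{ matrix.name }}.json" \
            --env-out "./.env.deployed-ci-${{ matrix.name }}"
        working-directory: contract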