devtrack/.github/workflows/ci.yml at main · Umbrella-io/devtrack · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
    types: [opened, synchronize, reopened]

# Cancel outdated runs on the same PR/branch to save CI minutes.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  typecheck:
    name: Type check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - uses: actions/setup-node@v6
        with:
          node-version: 20
          cache: npm

      - name: Install dependencies
        run: npm ci || (npm cache clean --force && npm ci)

      - name: Run tsc
        run: npm run type-check

  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - uses: actions/setup-node@v6
        with:
          node-version: 20
          cache: npm

      - name: Install dependencies
        run: npm ci || (npm cache clean --force && npm ci)

      - name: Run ESLint
        run: npm run lint

  test-coverage:
    name: Test coverage
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v6

      - uses: actions/setup-node@v6
        with:
          node-version: 20
          cache: npm

      - name: Install dependencies
        run: npm ci || (npm cache clean --force && npm ci)

      - name: Run Vitest with coverage
        id: coverage
        continue-on-error: true
        run: npm run test:coverage

      - name: Warn when coverage is below soft threshold
        run: |
          node -e "const fs = require('fs'); const threshold = 60; const file = 'coverage/coverage-summary.json'; if (!fs.existsSync(file)) { console.log('::warning title=Coverage report unavailable::Vitest did not produce a coverage summary. This warning does not fail CI.'); process.exit(0); } const summary = JSON.parse(fs.readFileSync(file, 'utf8')); const pct = summary.total.lines.pct; if (pct < threshold) { console.log('::warning title=Coverage below soft threshold::Line coverage is ' + pct + '%, below the soft target of ' + threshold + '%. This warning does not fail CI.'); } else { console.log('Line coverage is ' + pct + '%, meeting the soft target of ' + threshold + '%.'); }"

      - name: Upload coverage to Codecov
        if: hashFiles('coverage/lcov.info') != ''
        uses: codecov/codecov-action@v7
        with:
          files: ./coverage/lcov.info
          flags: unit
          name: devtrack-vitest
          fail_ci_if_error: false
          use_oidc: true

  build:
    name: Build
    runs-on: ubuntu-latest
    env:
      # Dummy values: API routes are force-dynamic and only run at request time.
      NEXTAUTH_SECRET: ci-placeholder-secret-that-is-long-enough-32c
      NEXTAUTH_URL: http://localhost:3000
      GITHUB_ID: ci-placeholder
      GITHUB_SECRET: ci-placeholder
      NEXT_PUBLIC_SUPABASE_URL: https://placeholder.supabase.co
      NEXT_PUBLIC_SUPABASE_ANON_KEY: placeholder-anon-key
      SUPABASE_SERVICE_ROLE_KEY: placeholder-service-key
      NEXT_PUBLIC_APP_URL: http://localhost:3000
    steps:
      - uses: actions/checkout@v6

      - uses: actions/setup-node@v6
        with:
          node-version: 20
          cache: npm

      - name: Install dependencies
        run: npm ci || (npm cache clean --force && npm ci)

      - name: Build Next.js app
        run: npm run build

  dep-check:
    name: Dependency audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - uses: actions/setup-node@v6
        with:
          node-version: 20
          cache: npm

      - name: Install dependencies
        run: npm ci || (npm cache clean --force && npm ci)

      - name: Check all imports exist in package.json
        run: node scripts/check-deps.js

  env-security:
    name: Environment security check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Check SERVICE_ROLE_KEY exposure
        run: bash scripts/check-env-security.sh

  ci-pass:
    name: CI passed
    runs-on: ubuntu-latest
    needs: [typecheck, lint, build, dep-check, env-security]
    if: always()
    steps:
      - name: Check all jobs passed
        run: |
          if [[ "${{ needs.typecheck.result }}" != "success" ||
                "${{ needs.lint.result }}" != "success" ||
                "${{ needs.build.result }}" != "success" ||
                "${{ needs.dep-check.result }}" != "success" ||
                "${{ needs.env-security.result }}" != "success" ]]; then
            echo "One or more CI jobs failed."
            exit 1
          fi
          echo "All CI jobs passed."