-
Notifications
You must be signed in to change notification settings - Fork 0
172 lines (150 loc) · 5 KB
/
Copy pathci.yml
File metadata and controls
172 lines (150 loc) · 5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
name: CI
# -----------------------------------------------------------------------------
# PURPOSE:
# - Runs on all PRs and pushes to non-main branches.
# - Fast, deterministic quality gate: syntax → tests → audit → smoke.
# - Never deploys. Never touches the VPS. Never writes artifacts.
# - Uses the SAME GitHub Actions environment as production for parity.
# - Full deploy pipeline lives in deploy.yml (main branch only).
# -----------------------------------------------------------------------------
on:
pull_request:
push:
branches-ignore: [main]
workflow_dispatch:
permissions:
contents: write
pull-requests: write
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: false
env:
NODE_ENV: test
CI: true
FORCE_COLOR: 0
jobs:
# ---------------------------------------------------------------------------
# Job 1: Validate (syntax, tests, audit)
# ---------------------------------------------------------------------------
validate:
name: Validate
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
# -------------------------------
# Node + npm + cache
# -------------------------------
- name: Setup Node.js 20 (with npm cache)
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
# -------------------------------
# Restore node_modules cache
# -------------------------------
- name: Restore node_modules cache
id: cache-node-modules
uses: actions/cache@v4
with:
path: |
node_modules
key: node-modules-${{ runner.os }}-${{ hashFiles('package-lock.json') }}
restore-keys: |
node-modules-${{ runner.os }}-
- name: Install dependencies (clean, deterministic)
run: |
if [ -d node_modules ]; then
echo "Using cached node_modules"
else
echo "Cache miss — running npm ci"
npm ci --no-audit --no-fund
fi
# -------------------------------
# Syntax / lint / type checks
# -------------------------------
- name: Syntax / lint / type checks
run: npm run check
# -------------------------------
# Unit tests (fail-fast)
# -------------------------------
- name: Run tests
run: npm test
# -------------------------------
# Security audit (warn only)
# -------------------------------
- name: Security audit (high + critical only, non-blocking)
continue-on-error: true
run: |
npm audit --audit-level=high || true
# ---------------------------------------------------------------------------
# Job 2: Smoke test (lightweight integration)
# Uses the SAME Production environment for exact parity.
# Does NOT start listeners or long-running processes.
# ---------------------------------------------------------------------------
smoke:
name: Smoke Test
runs-on: ubuntu-latest
timeout-minutes: 5
needs: validate
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 1
# -------------------------------
# Node + npm + cache
# -------------------------------
- name: Setup Node.js 20 (with npm cache)
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Restore node_modules cache
id: cache-node-modules
uses: actions/cache@v4
with:
path: |
node_modules
key: node-modules-${{ runner.os }}-${{ hashFiles('package-lock.json') }}
restore-keys: |
node-modules-${{ runner.os }}-
- name: Install dependencies (clean)
run: |
if [ -d node_modules ]; then
echo "Using cached node_modules"
else
echo "Cache miss — running npm ci"
npm ci --no-audit --no-fund
fi
# -------------------------------
# Entrypoint integrity
# -------------------------------
- name: Node syntax validation
run: |
node --check index.js
echo "✅ index.js syntax OK"
# -------------------------------
# Require-only smoke (no runtime)
# -------------------------------
- name: Require entrypoint without side effects
env:
BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
DISABLE_RUNTIME: "1"
NODE_ENV: test
run: |
node - <<'EOF'
process.env.CI = 'true'
process.env.DISABLE_RUNTIME = '1'
require('./index.js')
console.log('✅ index.js required successfully (no crash)')
EOF
# -------------------------------
# Dependency tree sanity (fast, non-blocking)
# -------------------------------
- name: Dependency resolution sanity
run: |
npm ls --depth=0 >/dev/null 2>&1 || true