task complete: a674b589-c4b9-4b2a-a222-03c789815a6c (#221) #611
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| build: | |
| name: Build (TypeScript strict) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2 | |
| with: | |
| bun-version: "1.3.10" | |
| - run: bun install --frozen-lockfile | |
| - run: bun run build | |
| lint: | |
| name: Lint (Biome) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2 | |
| with: | |
| bun-version: "1.3.10" | |
| - run: bun install --frozen-lockfile | |
| - run: bun run lint:ci | |
| test: | |
| name: Unit & Integration Tests | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2 | |
| with: | |
| bun-version: "1.3.10" | |
| - run: bun install --frozen-lockfile | |
| - run: bun run build | |
| - run: | | |
| chmod +x packages/cli/test/fakes/nono/bin/nono 2>/dev/null || true | |
| - run: bun run test | |
| audit: | |
| name: Dependency Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2 | |
| with: | |
| bun-version: "1.3.10" | |
| - run: bun install --frozen-lockfile | |
| - name: Check for known vulnerabilities | |
| run: bun audit | |
| docker: | |
| name: Docker Integration | |
| needs: test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Run tests in Docker | |
| run: docker compose run --rm test | |
| binary-smoke: | |
| name: Binary Smoke Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2 | |
| with: | |
| bun-version: 1.3.10 | |
| - run: bun install --frozen-lockfile | |
| - name: Build agent package (required by CLI compile) | |
| run: cd packages/agent && bun run build | |
| - name: Build compiled binary | |
| run: | | |
| PKG_VERSION=$(node -p "require('./packages/cli/package.json').version") | |
| cd packages/cli && bun build --compile bin/tps.ts --target=bun-linux-x64 --define "INJECTED_VERSION=\"$PKG_VERSION\"" --outfile=dist/tps-smoke | |
| - name: Smoke test | |
| run: ./packages/cli/dist/tps-smoke --version | |
| # SAST (Static Application Security Testing) using Semgrep. | |
| # Semgrep scans the codebase for security vulnerabilities, hardcoded secrets, and bad practices | |
| # using pattern matching. It is fast and catches common mistakes. | |
| sast-semgrep: | |
| name: Semgrep SAST | |
| runs-on: ubuntu-latest | |
| # Known false positives excluded via --exclude-rule flags above | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - run: python3 -m pip install semgrep | |
| - run: > | |
| semgrep scan --config=auto --error | |
| --exclude='**/test/**' --exclude='**/dist/**' | |
| --exclude-rule javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp | |
| --exclude-rule javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring | |
| --exclude-rule javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length | |
| # SAST using CodeQL. | |
| # CodeQL performs deep semantic code analysis and taint tracking (e.g. tracking unvalidated user | |
| # input from an API endpoint all the way to a filesystem call). It catches complex logic flaws | |
| # that pattern-matching tools like Semgrep might miss. | |
| sast-codeql: | |
| name: CodeQL SAST | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: javascript-typescript | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 |