
Commit a3dec04

committed
first commit
0 parents  commit a3dec04

437 files changed

Lines changed: 97861 additions & 0 deletions


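--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,287 @@
+name: CI
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+env:
+  PNPM_VERSION: '9.15.4'
+  NODE_VERSION: '22'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # ═══════════════════════════════════════════════════════════════════════════
+  # Lint & Format Check
+  # ═══════════════════════════════════════════════════════════════════════════
+  lint:
+    name: Lint & Format
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run ESLint
+        run: pnpm lint
+
+      - name: Check formatting
+        run: pnpm format:check
+
+  # ═══════════════════════════════════════════════════════════════════════════
+  # Type Check
+  # ═══════════════════════════════════════════════════════════════════════════
+  type-check:
+    name: Type Check
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run TypeScript compiler
+        run: pnpm type-check
+
+  # ═══════════════════════════════════════════════════════════════════════════
+  # Unit Tests — Run per package × per Node.js version matrix
+  # ═══════════════════════════════════════════════════════════════════════════
+  test:
+    name: Test (${{ matrix.package }} / Node ${{ matrix.node-version }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: [18, 20, 22]
+        package:
+          - shared
+          - core
+          - tools
+          - provider
+          - cli
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run tests for @kode/${{ matrix.package }} (Node ${{ matrix.node-version }})
+        run: pnpm --filter @kode/${{ matrix.package }} test -- --coverage
+
+      - name: Upload coverage
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-${{ matrix.package }}
+          path: packages/${{ matrix.package }}/coverage/
+          retention-days: 7
+
+  # ═══════════════════════════════════════════════════════════════════════════
+  # Coverage Report — aggregate and verify thresholds
+  # ═══════════════════════════════════════════════════════════════════════════
+  coverage:
+    name: Coverage Report
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run tests with coverage
+        run: pnpm test:coverage
+
+      - name: Upload combined coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage/
+          retention-days: 14
+
+  # ═══════════════════════════════════════════════════════════════════════════
+  # Build — verify all packages build successfully
+  # ═══════════════════════════════════════════════════════════════════════════
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build all packages
+        run: pnpm build
+
+  # ═══════════════════════════════════════════════════════════════════════════
+  # Security Scan
+  # ═══════════════════════════════════════════════════════════════════════════
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run npm audit
+        run: pnpm audit --audit-level=high
+        continue-on-error: true
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+
+  # ═══════════════════════════════════════════════════════════════════════════
+  # Integration Tests — Docker sandbox + full Agent Loop
+  # ═══════════════════════════════════════════════════════════════════════════
+  integration:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    needs: build
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build all packages
+        run: pnpm build
+
+      - name: Run integration tests (Docker sandbox)
+        run: pnpm test:integration
+        env:
+          KODE_SANDBOX_MODE: 'docker'
+
+  # ═══════════════════════════════════════════════════════════════════════════
+  # Sandbox Escape Detection — verify no breakout vectors
+  # ═══════════════════════════════════════════════════════════════════════════
+  sandbox-check:
+    name: Sandbox Escape Detection
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: build
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build all packages
+        run: pnpm build
+
+      - name: Run sandbox escape test suite
+        run: pnpm --filter @kode/cli test -- --grep 'sandbox|escape|isolation'
+
+  # ═══════════════════════════════════════════════════════════════════════════
+  # CI Summary — gate on all checks
+  # ═══════════════════════════════════════════════════════════════════════════
+  ci-pass:
+    name: CI Pass
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    needs: [lint, type-check, test, coverage, build, security, integration, sandbox-check]
+    if: always()
+    steps:
+      - name: Check results
+        run: |
+          echo "## CI Results" >> $GITHUB_STEP_SUMMARY
+          for job in lint type-check test coverage build security integration sandbox-check; do
+            result="${{ needs.$job.result }}"
+            echo "- **$job**: $result" >> $GITHUB_STEP_SUMMARY
+            if [ "$result" != "success" ] && [ "$result" != "skipped" ]; then
+              echo "Job $job failed with result: $result"
+              exit 1
+            fi
+          done
+          echo "All CI checks passed!"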
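Review bot: The `ci-pass` gate cannot work as written: `result="${{ needs.$job.result }}"` (new-file line 280) is evaluated by the Actions expression engine before the shell ever runs, and `$job` is not a valid name in that context, so the workflow most likely fails validation and in any case never reads the real per-job results, leaving the branch protection check this job exists for without teeth. Export `toJSON(needs)` into a step `env` and iterate it with `jq` (preinstalled on `ubuntu-latest`) instead, as sketched below, and quote `"$GITHUB_STEP_SUMMARY"` while there. Separately, the workflow declares no `permissions:` block, so every job inherits the repository default token scope; `github/codeql-action/analyze@v3` needs `security-events: write` to upload results while the other jobs need only `contents: read`, so declare `permissions: contents: read` at the top and `permissions: { contents: read, security-events: write }` on the `security` job. Also note that `pnpm audit --audit-level=high` with `continue-on-error: true` can never fail the run, so the audit reports but does not gate; if that is intentional, say so in a comment, otherwise drop `continue-on-error`.
```yaml
      - name: Check results
        env:
          NEEDS_JSON: ${{ toJSON(needs) }}
        run: |
          echo "## CI Results" >> "$GITHUB_STEP_SUMMARY"
          failed=0
          for job in $(jq -r 'keys[]' <<< "$NEEDS_JSON"); do
            result=$(jq -r --arg j "$job" '.[$j].result' <<< "$NEEDS_JSON")
            echo "- **$job**: $result" >> "$GITHUB_STEP_SUMMARY"
            if [ "$result" != "success" ] && [ "$result" != "skipped" ]; then
              echo "Job $job failed with result: $result"
              failed=1
            fi
          done
          [ "$failed" -eq 0 ] || exit 1
          echo "All CI checks passed!"
```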

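--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,95 @@
+name: Release
+
+on:
+  push:
+    tags: ["v*"]
+
+env:
+  PNPM_VERSION: '9.15.4'
+  NODE_VERSION: '22'
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  # ═══════════════════════════════════════════════════════════════════════════
+  # Full CI gate before publishing
+  # ═══════════════════════════════════════════════════════════════════════════
+  gate:
+    name: Pre-release CI Gate
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint
+        run: pnpm lint
+
+      - name: Type check
+        run: pnpm type-check
+
+      - name: Build all packages
+        run: pnpm build
+
+      - name: Run tests
+        run: pnpm test
+
+  # ═══════════════════════════════════════════════════════════════════════════
+  # Publish all packages to npm
+  # ═══════════════════════════════════════════════════════════════════════════
+  publish:
+    name: Publish to npm
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: gate
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # needed for changelog generation
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build all packages
+        run: pnpm build
+
+      - name: Generate CHANGELOG
+        run: ./scripts/changelog.sh "${{ github.ref_name }}"
+
+      - name: Publish packages
+        run: ./scripts/publish.sh
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ github.ref_name }}
+          name: ${{ github.ref_name }}
+          body_path: CHANGELOG.md
+          generate_release_notes: false
+          draft: false
+          prerelease: ${{ contains(github.ref_name, '-rc') || contains(github.ref_name, '-beta') || contains(github.ref_name, '-alpha') }}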
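Review bot: `run: ./scripts/changelog.sh "${{ github.ref_name }}"` (new-file line 80) interpolates the tag name directly into the shell script text before bash parses it, which is the script-injection pattern GitHub's hardening guide warns about; a tag name can legally contain characters such as `"`, `$`, `;` or backticks, and this step runs in the job that also holds `NPM_TOKEN` and a `contents: write` token. Pass the value through the environment instead: `env:` / `RELEASE_TAG: ${{ github.ref_name }}` / `run: ./scripts/changelog.sh "$RELEASE_TAG"`. The workflow-level `permissions: contents: write` and `packages: write` are inherited by the `gate` job, which only lints, builds and tests; move the block onto the `publish` job and keep the top level at `contents: read`, and since the publish target is `registry.npmjs.org`, `packages: write` (GitHub Packages) looks unneeded — drop it unless `scripts/publish.sh`, which is not on this page, also pushes there. Finally, the third-party actions `pnpm/action-setup@v4` and `softprops/action-gh-release@v2` are referenced by mutable tags in a job that publishes artifacts; pin them to a full commit SHA with the tag in a trailing comment (`uses: softprops/action-gh-release@<commit-sha> # v2`) so a moved tag cannot change what runs with the release credentials.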
