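# Main CI workflow: five independent jobs (terminology guard, governance
# lints, frontend, db-migrate seed tests, security scanning) run on every
# push to the listed branches and on pull requests against main. Go build
# and test are deliberately NOT here (see the note above db-migrate); the
# e2e release gate is deliberately NOT here either (see governance-lints).
name: CI

on:
  push:
    branches: [main, worktree-chore-pr-review]
  pull_request:
    branches: [main]

# Least-privilege token: none of the jobs below push, comment, publish or
# upload SARIF, so a read-only GITHUB_TOKEN is sufficient for the whole
# workflow. A job that later needs to write should request it with its own
# job-level `permissions:` block rather than widening this default.
permissions:
  contents: read

jobs:
  terminology-guard:
    name: Terminology Guard - No Internal Thing Model Terms in Product Surfaces
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions throughout this workflow are pinned by major
      # tag (@v6); pinning to a full commit SHA with the tag in a trailing
      # comment would make the action supply chain reproducible.
      - uses: actions/checkout@v6
      # Canary first: proves the detector still fires before trusting a
      # clean result from the real check.
      - name: Terminology guard self-test (detector canary)
        run: ./scripts/check-terminology.sh --selftest
      - name: Terminology check
        run: ./scripts/check-terminology.sh

  governance-lints:
    name: Governance Lints - Arch-Doc Triggers, Migration Timestamps, i18n, TZ, Code Bindings
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          # Need full clone for `git ls-files` + `git show :path` patterns
          # used by check-no-redis-pubsub.mjs / check-hardcoded-agent-paths.mjs.
          fetch-depth: 0
      - uses: actions/setup-node@v6
        with:
          # Quoted so a future minor pin (e.g. "20.10") is not parsed as a float.
          node-version: '20'
          cache: npm
      - run: npm ci
      # Arch-doc trigger-map lockstep: every docs/developers/architecture/**/*-architecture.md
      # must have a row in architecture-doc-triggers.md (and vice versa).
      - name: Arch-doc triggers lockstep
        run: node scripts/check-arch-doc-triggers.mjs
      # NOTE: the e2e release-gate checks (npm run check:e2e-matrix,
      # check:iam-routes) and the e2e RUNS (tests/run-all.sh --blocking /
      # --nightly, the L5 scenarios) are deliberately NOT wired here. The e2e
      # gate is run MANUALLY, post-release, under human control — not as an
      # automatic CI/CD gate. Invoke it on demand via tests/run-all.sh.
      # NOTE(review): the job title also lists "Migration Timestamps", but no
      # step below runs such a check — confirm whether it moved or the title
      # is stale.
      # i18n key parity across en/zh/es bundles.
      - name: i18n parity
        run: node scripts/check-i18n-parity.mjs
      # Timezone-handling correctness.
      - name: Timezone correctness
        run: bash scripts/check-timezone-correctness.sh
      # Code-binding lints (STRICT mode — net-new violations fail CI).
      # All bindings are currently clean as of the docs+governance
      # program closeout commit a254e350.
      - name: useApi queryKey shape (strict)
        run: node scripts/check-useapi-querykey.mjs --strict
      - name: No Redis pub/sub (strict)
        run: node scripts/check-no-redis-pubsub.mjs --strict
      - name: packages/ui-shared boundary (strict)
        run: node scripts/check-ui-shared-boundary.mjs --strict
      - name: Sidebar icon mapping (strict)
        run: node scripts/check-sidebar-icon-mapping.mjs --strict
      - name: Hardcoded agent paths (strict)
        run: node scripts/check-hardcoded-agent-paths.mjs --strict
      - name: No placeholder markers in production Go (strict)
        run: node scripts/check-no-prod-todos.mjs --strict
      - name: No program refs in comments (strict)
        run: node scripts/check-comment-program-refs.mjs --strict
      - name: No inline secrets in yaml (strict)
        run: node scripts/check-no-yaml-secrets.mjs --strict
      - name: File-size ratchet (full sweep)
        run: bash scripts/check-file-size-ratchet.sh

  frontend:
    name: Frontend - Type Check, Test, Build (control-plane-ui + ui-shared)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: '20'
          cache: npm
      - run: npm ci
      # Canary first, then the real duplicate-key scan of the locale files.
      - name: JSON duplicate key guard selftest
        run: node scripts/check-json-dupkeys.mjs --selftest
      - name: JSON duplicate key check (locale files)
        run: node scripts/check-json-dupkeys.mjs
      - name: Design-token compliance (theme/mode safety)
        run: node scripts/check-design-tokens.mjs
      # ui-shared is consumed by control-plane-ui (and the agent UI); gate its
      # own type-check + unit tests, not just the boundary lint in governance.
      - name: ui-shared — type check + test
        run: cd packages/ui-shared && npm run typecheck && npm test
      - run: cd packages/control-plane-ui && npx tsc --noEmit
      - run: cd packages/control-plane-ui && npx vitest run
      - run: cd packages/control-plane-ui && npx vite build

  # Go build+test lives entirely in the `Go CI` workflow (go-ci.yml): a
  # path-filtered, per-module matrix that builds + `go test -race` + `GOWORK=off`
  # builds ALL eight modules (and tests every module on a shared/ or go.work
  # change), plus lint, core-path coverage, the Wails agent UI, and workspace
  # integrity. A partial always-on duplicate here only re-ran a subset and gave
  # a misleading "Go - Build & Test" signal, so it was removed.
  db-migrate:
    name: DB Migrate - Seed Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: '20'
          cache: npm
      - run: npm ci
      # The seed modules import @prisma/client; generate it from the schema/
      # folder. Codegen does not connect, but prisma.config.ts eagerly resolves
      # DATABASE_URL, so a placeholder is supplied for this step only.
      - name: Prisma generate (schema/ folder)
        run: cd tools/db-migrate && npx prisma generate
        env:
          # Not a credential: a syntactically valid URL that is never dialled.
          DATABASE_URL: 'postgresql://placeholder:placeholder@localhost:5432/placeholder?sslmode=disable'
      # Reference/bootstrap/demo re-stamp unit tests run here. DATABASE_URL is
      # intentionally NOT set so the *.integration arms self-skip (DB-backed,
      # covered by live runs); setting it would make them try to connect.
      - name: Seed unit tests
        run: cd tools/db-migrate && npm test

  security-scan:
    name: Security Scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          # Pinned (not `stable`) so the govulncheck gate is reproducible:
          # the toolchain's own stdlib is what govulncheck scans, so a
          # floating `stable` that lags behind a patch release makes the
          # gate flap. 1.26.4 carries the fixes for all standard-library
          # advisories currently reachable from our code (GO-2026-4918 →
          # GO-2026-5039). Bump this when govulncheck flags a newer one.
          go-version: '1.26.4'
      - uses: actions/setup-node@v6
        with:
          node-version: '20'
          cache: npm
      # NOTE(review): both scanners are installed at `@latest`, which undoes
      # part of the reproducibility the pinned toolchain above buys — a new
      # govulncheck/gosec release can change the verdict between two
      # identical pushes. Pin both to a tagged version (bumped deliberately,
      # like go-version); left as-is here because the intended versions are
      # not recorded in this file.
      - name: Install tools
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          go install github.com/securego/gosec/v2/cmd/gosec@latest
      # Blocking gate. The runner's default shell is `bash -e`, so the first
      # module whose govulncheck exits non-zero fails the step; `set -e` is
      # spelled out so that behaviour survives a future `shell:` override.
      - name: govulncheck
        run: |
          set -euo pipefail
          for m in shared nexus-hub control-plane ai-gateway compliance-proxy; do
            echo "=== govulncheck $m ===" && (cd packages/$m && govulncheck ./...)
          done
      # Advisory only: `continue-on-error: true` keeps the job green even when
      # gosec reports findings, so results must be read from the step log.
      # NOTE(review): compliance-proxy is scanned by govulncheck above but not
      # here — confirm the omission is intentional.
      - name: gosec
        run: |
          set -euo pipefail
          for m in shared nexus-hub control-plane ai-gateway; do
            echo "=== gosec $m ===" && (cd packages/$m && gosec -quiet ./...)
          done
        continue-on-error: true
      # Advisory only (same as gosec): a high-severity npm advisory is logged
      # but does not fail the job.
      - name: npm audit
        run: npm ci && npm audit --audit-level=high
        continue-on-error: true

  # Agent platform builds (macOS .pkg, Windows .msi) intentionally NOT
  # run here. The Nexus Agent ships as a fork-and-build artifact per
  # enterprise deployment, not as an org-published binary, so building
  # .pkg / .msi on every push is wasted CI minutes + a fragile drag
  # on the dev loop (Xcode toolchain drift, WiX OSMF EULA, kernel-
  # driver schema changes, wails version pins). Agent Go code is
  # still validated by `Go CI` (go vet + go build + go test on
  # packages/agent/**). Enterprise forks that need cross-platform
  # packaging triggers can run `agent-release.yml` via
  # workflow_dispatch.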