-
Notifications
You must be signed in to change notification settings - Fork 0
193 lines (162 loc) · 5.83 KB
/
Copy pathci.yml
File metadata and controls
193 lines (162 loc) · 5.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
# Skip workflow for documentation-only changes
paths-ignore:
- 'docs/**'
- '*.md'
- '.gitignore'
- 'LICENSE'
- '.prettierignore'
- '.eslintrc*'
# P5 §4: SonarQube 2x/semana (seg + qui 09:03 UTC)
schedule:
- cron: '3 9 * * 1,4'
workflow_dispatch:
env:
HUSKY: '0'
jobs:
quality:
name: Quality Gates
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
cache: 'npm'
- name: Install dependencies
run: npm ci --legacy-peer-deps
- name: Security audit
run: npm audit --audit-level=high
# Dependabot only touches package.json — skip source-code checks
- name: Lint
if: github.event.pull_request == null || github.event.pull_request.user.login != 'dependabot[bot]'
run: npm run lint
- name: Format check
if: github.event.pull_request == null || github.event.pull_request.user.login != 'dependabot[bot]'
run: npm run format:check
- name: Typecheck
if: github.event.pull_request == null || github.event.pull_request.user.login != 'dependabot[bot]'
run: npm run typecheck
fallow:
name: Fallow - Codebase Intelligence
runs-on: ubuntu-latest
# Run on PRs and pushes, but don't block the pipeline initially
continue-on-error: true
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for churn analysis
- name: Fallow - Codebase Intelligence
uses: fallow-rs/fallow@v2.89.0
with:
fail-on-issues: 'false'
comment: 'true'
review-comments: 'false'
test:
name: Tests & Coverage
runs-on: ubuntu-latest
needs: quality
# Skip for dependency-only bumps (Dependabot PRs)
# Uses PR author, not trigger actor — works even when human reopens the PR
if: github.event.pull_request == null || github.event.pull_request.user.login != 'dependabot[bot]'
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
cache: 'npm'
- name: Install dependencies
run: npm ci --legacy-peer-deps
- name: Run tests with coverage
run: npm run test:coverage
- name: SonarCloud Scan
uses: SonarSource/sonarqube-scan-action@713881670b6b3676cda39549040e2d88c70d582e
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Upload coverage report
uses: actions/upload-artifact@v4
if: always()
with:
name: coverage-report
path: coverage/
retention-days: 7
e2e:
name: E2E Tests
runs-on: ubuntu-latest
needs: test
# Same condition: skip for Dependabot PRs
if: github.event.pull_request == null || github.event.pull_request.user.login != 'dependabot[bot]'
env:
SUPABASE_LOCAL_ANON_KEY: ''
SUPABASE_LOCAL_SERVICE_ROLE_KEY: ''
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
cache: 'npm'
- name: Install dependencies
run: npm ci --legacy-peer-deps
- name: Install Playwright browsers
run: npx playwright install chromium --with-deps
- name: Setup Supabase CLI
uses: supabase/setup-cli@v1
with:
version: latest
- name: Start local Supabase
run: supabase start
- name: Export Supabase keys
run: |
STATUS_ENV=$(supabase status --output env 2>/dev/null || echo "")
ANON_KEY=$(echo "$STATUS_ENV" | grep "^ANON_KEY=" | cut -d= -f2- | sed "s/^[\"']//; s/[\"']$//")
SERVICE_KEY=$(echo "$STATUS_ENV" | grep "^SERVICE_ROLE_KEY=" | cut -d= -f2- | sed "s/^[\"']//; s/[\"']$//")
if [ -z "$ANON_KEY" ] || [ -z "$SERVICE_KEY" ]; then
echo "ERROR: Could not extract Supabase keys from 'supabase status --output env'"
supabase status
exit 1
fi
echo "SUPABASE_LOCAL_ANON_KEY=$ANON_KEY" >> $GITHUB_ENV
echo "SUPABASE_LOCAL_SERVICE_ROLE_KEY=$SERVICE_KEY" >> $GITHUB_ENV
- name: Push database schema
env:
DATABASE_URL: postgresql://postgres:postgres@127.0.0.1:54322/postgres
run: npx prisma db push --accept-data-loss
- name: Seed E2E test users
env:
DATABASE_URL: postgresql://postgres:postgres@127.0.0.1:54322/postgres
NEXT_PUBLIC_SUPABASE_URL: http://127.0.0.1:54321
NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ env.SUPABASE_LOCAL_ANON_KEY }}
SUPABASE_SERVICE_ROLE_KEY: ${{ env.SUPABASE_LOCAL_SERVICE_ROLE_KEY }}
run: npx tsx prisma/seed-e2e.ts
- name: Run E2E tests
env:
NEXT_PUBLIC_SUPABASE_URL: http://127.0.0.1:54321
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY: ${{ env.SUPABASE_LOCAL_ANON_KEY }}
SUPABASE_SERVICE_ROLE_KEY: ${{ env.SUPABASE_LOCAL_SERVICE_ROLE_KEY }}
DATABASE_URL: postgresql://postgres:postgres@127.0.0.1:54322/postgres
PLAYWRIGHT_BASE_URL: http://localhost:3333
# Use npx directly, not npm run e2e: dotenv -e .env.test would override
# dynamic Supabase anon key with the static hardcoded key from .env.test.
run: npx playwright test
- name: Upload Playwright report
uses: actions/upload-artifact@v4
if: always()
with:
name: playwright-report
path: playwright-report/
retention-days: 7