ci: add Trivy, Gitleaks, and cross-platform unit tests

SebTardif · SebTardif · commit 8781809cba0a · 2026-05-29T04:32:20.000-07:00
Add Trivy filesystem scan and Gitleaks secret detection to the security workflow using the self-hosted runner where both tools are natively installed. Docker is not required for Trivy fs mode. Add a cross-platform unit test matrix (ubuntu-latest, windows-latest) to CI. Unit tests use node:test with no VS Code dependency, so they run on any platform. The existing self-hosted macOS job remains as the baseline. Closes #44 Closes #25 Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -36,6 +36,29 @@ jobs:
       - name: Run tests
         run: npm test
 
+  unit-test-cross-platform:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests
+        run: npm test
+
   build:
     runs-on:
       - self-hosted
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -39,3 +39,44 @@ jobs:
 
       - name: Audit production dependencies
         run: npm audit --audit-level=high --omit=dev
+
+  trivy:
+    name: Trivy vulnerability scan
+    runs-on:
+      - self-hosted
+      - macOS
+      - ARM64
+      - patchloom-vscode
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run Trivy filesystem scan
+        run: trivy fs --scanners vuln,misconfig --severity HIGH,CRITICAL --exit-code 1 .
+
+  gitleaks:
+    name: Gitleaks secret detection
+    runs-on:
+      - self-hosted
+      - macOS
+      - ARM64
+      - patchloom-vscode
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks
+        run: gitleaks detect --source . --verbose
