
Replace esbuild with tools-rolldown, add release files #7

Replace esbuild with tools-rolldown, add release files

Replace esbuild with tools-rolldown, add release files #7

Workflow file for this run

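name: CI

on:
  pull_request:
    branches: [main]
  # Allow reuse from the release workflow. When called, every job-level
  # permission below is capped by whatever the calling workflow grants.
  workflow_call:

concurrency:
  group: ci-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

# Default GITHUB_TOKEN scope for all jobs: read-only. Only CodeQL needs
# `security-events: write` (SARIF upload) and it requests that at job
# level; lint/test/build/scan steps should not carry a write scope they
# never use.
permissions:
  contents: read

jobs:
  lint:
    name: Lint & Format
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          # No step pushes; don't leave the token in .git/config where
          # `bun install`/`bunx` and third-party actions can read it.
          persist-credentials: false
      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
        with:
          # NOTE(review): `latest` is resolved at run time, so builds are not
          # reproducible and a bad Bun release lands immediately. Pin the
          # version the project develops against if one is tracked.
          bun-version: latest
      - run: bun install --frozen-lockfile
      - run: bunx biome check .

  typecheck:
    name: Typecheck
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
        with:
          bun-version: latest  # see NOTE(review) in lint
      - run: bun install --frozen-lockfile
      - run: bun run typecheck

  test:
    name: Test & Coverage
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
        with:
          bun-version: latest  # see NOTE(review) in lint
      - run: bun install --frozen-lockfile
      - run: bun run test -- --coverage
      - name: Upload coverage
        # Upload even when the test step fails so the partial report is
        # available for debugging the failure.
        if: always()
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: coverage-report
          path: coverage/
          retention-days: 7

  build:
    name: Build
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
        with:
          bun-version: latest  # see NOTE(review) in lint
      - run: bun install --frozen-lockfile
      - run: bun run build
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: extension-dist
          path: dist/
          retention-days: 7

  secrets-scan:
    name: Secrets Scan
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          # Full history is required so TruffleHog can scan past commits,
          # not just the checked-out tree.
          fetch-depth: 0
          persist-credentials: false
      - uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3.93.8
        with:
          # `--only-verified` keeps noise down, but it also drops findings
          # the scanner cannot confirm live (revoked keys, detectors
          # without a verifier). Those are not reported at all.
          extra_args: --only-verified

  audit:
    name: Security Audit
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
        with:
          bun-version: latest  # see NOTE(review) in lint
      - run: bun install --frozen-lockfile
      - name: Audit dependencies
        # Threshold is `critical` because transitive devDependency
        # vulnerabilities (not shipped in dist/) would otherwise fail CI.
        # Caveat: this is looser than dependency-review's `high`, and
        # dependency-review is non-blocking below, so a high-severity
        # vulnerability in a runtime dependency will not fail the build.
        run: bun audit --audit-level=critical

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    timeout-minutes: 5
    if: github.event_name == 'pull_request'
    # Requires Dependency graph + GitHub Advanced Security enabled in repo
    # settings; until then the action errors out. continue-on-error keeps
    # that from blocking PRs, but it ALSO hides genuine high-severity and
    # license findings — remove it once the features are enabled.
    continue-on-error: true
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
      - name: Review dependency changes
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
        with:
          fail-on-severity: high
          deny-licenses: GPL-3.0, AGPL-3.0

  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # Requires Code scanning enabled in repo Security settings. As with
    # dependency-review, continue-on-error means CodeQL alerts never fail
    # the check; drop it once code scanning is turned on.
    continue-on-error: true
    # Job-level grant replaces the workflow default: SARIF upload needs
    # `security-events: write`. Under workflow_call the caller must also
    # grant this or the upload step fails.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
        with:
          languages: javascript-typescript
          queries: security-and-quality
      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
        with:
          category: /language:javascript-typescript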