Skip to content

fix(ingestion): parse npm/pnpm lockfiles natively, drop snyk-nodejs-l… #802

fix(ingestion): parse npm/pnpm lockfiles natively, drop snyk-nodejs-l…

fix(ingestion): parse npm/pnpm lockfiles natively, drop snyk-nodejs-l… #802

Workflow file for this run

name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4
- run: pnpm install --frozen-lockfile --ignore-scripts
- run: pnpm exec biome ci .
typecheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4
- run: pnpm install --frozen-lockfile --ignore-scripts
- name: Build workspace .d.ts so cross-package types resolve
# Skip @opencodehub/docs — its build runs astro + rehype-mermaid +
# playwright (heavy headless-Chromium dep) and is exercised on the
# dedicated `pages.yml` workflow with --with-deps installed.
run: pnpm --filter '!@opencodehub/docs' -r build
- run: pnpm --filter '!@opencodehub/docs' -r exec tsc --noEmit
test:
# Parsing is WASM-only on every supported Node version (ADR 0015), so the
# test suite needs no native grammar build — `--ignore-scripts` is the
# single install path across the matrix. The remaining native deps
# (@duckdb/node-api, @ladybugdb/core, onnxruntime-node) ship prebuilds, so
# storage/embedder tests pass without running postinstall.
#
# Build before test: every package's `test` runs `node --test` against its
# built `dist/` (and the cli compiles `src` → `dist-test/`), so the dist
# graph must exist first. Without this step a package's test glob silently
# matches zero files and reports a vacuous pass.
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
node-version: [24]
runs-on: ${{ matrix.os }}
env:
MISE_NODE_VERSION: ${{ matrix.node-version }}
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4
- run: pnpm install --frozen-lockfile --ignore-scripts
# Remove any stale build output before the incremental `tsc -b` build.
# A `.test.ts` deleted in source leaves its compiled `dist/**/*.test.js`
# behind, which `tsc -b` won't prune — `node --test` then runs the
# orphan against an interface that no longer exports what it imports and
# the suite fails on a test that does not exist in `src/`. Cheap on a
# fresh checkout (no-op), load-bearing the moment `dist/` is cached.
# `shell: bash` so `find` works on the windows-latest matrix leg too.
- name: Remove stale build artifacts
shell: bash
run: |
find packages -maxdepth 2 -name dist -type d -exec rm -rf {} +
find packages -maxdepth 2 -name 'dist-test' -type d -exec rm -rf {} +
find packages -maxdepth 2 -name '*.tsbuildinfo' -delete
- run: pnpm --filter '!@opencodehub/docs' -r build
- run: pnpm --filter '!@opencodehub/docs' -r test
test-platform:
# Platform / fixture lane (audit P1). Runs the SAME suite as `test` but with
# the CODEHUB_PLATFORM gate ON, so the vendor/runtime/fixture cases that
# self-skip in the required `test` lane execute here: vendored-WASM disk
# checks, MCP ToolResult-shape smoke, and the HTTP-download + SHA256 +
# chmod/exec-bit + atomic-rename mechanics of the scip/embedder downloaders.
#
# `continue-on-error: true` + NOT in branch-protection required checks =
# informational. A Windows chmod/path/file-url quirk turns this job amber
# without blocking a logic-correct PR or the release-please PR; the required
# `test` job above carries the logic-regression signal alone (it runs the
# identical command with the gate OFF). Same env-var `{ skip }` idiom as
# packages/embedder/src/sagemaker-embedder.integration.test.ts.
continue-on-error: true
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
node-version: [24]
runs-on: ${{ matrix.os }}
env:
MISE_NODE_VERSION: ${{ matrix.node-version }}
CODEHUB_PLATFORM: "1" # set via env: (not an inline prefix) so it works on Windows cmd too
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4
- run: pnpm install --frozen-lockfile --ignore-scripts
# Mirror the `test` lane: prune stale build output so a deleted-in-source
# `dist/**/*.test.js` can't run against an interface it no longer matches.
- name: Remove stale build artifacts
shell: bash
run: |
find packages -maxdepth 2 -name dist -type d -exec rm -rf {} +
find packages -maxdepth 2 -name 'dist-test' -type d -exec rm -rf {} +
find packages -maxdepth 2 -name '*.tsbuildinfo' -delete
- run: pnpm --filter '!@opencodehub/docs' -r build
- run: pnpm --filter '!@opencodehub/docs' -r test
sarif-validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4
- run: pnpm install --frozen-lockfile --ignore-scripts
- run: pnpm -F @opencodehub/sarif build
- run: pnpm -F @opencodehub/sarif run validate-schema
banned-strings:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- run: bash scripts/check-banned-strings.sh
no-dist-cache:
# Guardrail: fail if any workflow caches build output (dist/ or
# *.tsbuildinfo). A cached dist/ resurrects stale compiled `*.test.js`
# orphans (a .test.ts deleted in source) that fail the suite on a test
# that no longer exists. Cache the pnpm store for speed — never dist/.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- run: bash scripts/check-no-dist-cache.sh
licenses:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4
- run: pnpm install --frozen-lockfile --ignore-scripts
- name: license allowlist
# Root is `private: true` with no runtime deps post-collapse; scan
# packages/cli (the real third-party runtime deps) via `--start`.
# license-checker-rseidelsohn v5 walks the tree via @npmcli/arborist
# and reports raw SPDX expressions (e.g. "MIT OR Apache-2.0") instead
# of normalizing to a single id, so the compound expressions below are
# listed verbatim. Python-2.0 (argparse, via js-yaml) and CC-BY-3.0
# (spdx-exceptions data) are both OSI-approved permissive. Keep this
# allowlist identical across ci.yml, pre-release-gate.yml, and
# scripts/acceptance.sh.
run: >
pnpm exec license-checker-rseidelsohn
--start packages/cli
--onlyAllow 'Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD;Python-2.0;CC-BY-3.0;MIT OR Apache-2.0;(Apache-2.0 AND MIT);(BSD-3-Clause AND Apache-2.0);(BSD-2-Clause OR MIT OR Apache-2.0);(MIT OR CC0-1.0)'
--excludePrivatePackages
--production
# GitHub code-scanning advanced-setup is configured to look for an `osv`
# job in `ci.yml`. The standalone `osv.yml` workflow does the same scan,
# but the configured pointer lives here, so we mirror it: install
# osv-scanner, emit SARIF, upload to code-scanning, then fail the run on
# vulnerabilities. The standalone workflow remains for the weekly cron.
osv:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Install osv-scanner
run: |
curl -sL -o /tmp/osv-scanner \
https://github.com/google/osv-scanner/releases/download/v2.3.8/osv-scanner_linux_amd64
chmod +x /tmp/osv-scanner
- name: Scan pnpm-lock.yaml (SARIF output)
run: |
/tmp/osv-scanner scan source \
--lockfile=pnpm-lock.yaml \
--format=sarif \
--output=osv.sarif || true
- uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
if: always()
with:
sarif_file: osv.sarif
category: osv-scanner
- name: Fail on vulnerabilities
run: /tmp/osv-scanner scan source --lockfile=pnpm-lock.yaml