fix(ingestion): parse npm/pnpm lockfiles natively, drop snyk-nodejs-l… #802
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - run: pnpm exec biome ci . | |
| typecheck: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - name: Build workspace .d.ts so cross-package types resolve | |
| # Skip @opencodehub/docs — its build runs astro + rehype-mermaid + | |
| # playwright (heavy headless-Chromium dep) and is exercised on the | |
| # dedicated `pages.yml` workflow with --with-deps installed. | |
| run: pnpm --filter '!@opencodehub/docs' -r build | |
| - run: pnpm --filter '!@opencodehub/docs' -r exec tsc --noEmit | |
| test: | |
| # Parsing is WASM-only on every supported Node version (ADR 0015), so the | |
| # test suite needs no native grammar build — `--ignore-scripts` is the | |
| # single install path across the matrix. The remaining native deps | |
| # (@duckdb/node-api, @ladybugdb/core, onnxruntime-node) ship prebuilds, so | |
| # storage/embedder tests pass without running postinstall. | |
| # | |
| # Build before test: every package's `test` runs `node --test` against its | |
| # built `dist/` (and the cli compiles `src` → `dist-test/`), so the dist | |
| # graph must exist first. Without this step a package's test glob silently | |
| # matches zero files and reports a vacuous pass. | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| node-version: [24] | |
| runs-on: ${{ matrix.os }} | |
| env: | |
| MISE_NODE_VERSION: ${{ matrix.node-version }} | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| # Remove any stale build output before the incremental `tsc -b` build. | |
| # A `.test.ts` deleted in source leaves its compiled `dist/**/*.test.js` | |
| # behind, which `tsc -b` won't prune — `node --test` then runs the | |
| # orphan against an interface that no longer exports what it imports and | |
| # the suite fails on a test that does not exist in `src/`. Cheap on a | |
| # fresh checkout (no-op), load-bearing the moment `dist/` is cached. | |
| # `shell: bash` so `find` works on the windows-latest matrix leg too. | |
| - name: Remove stale build artifacts | |
| shell: bash | |
| run: | | |
| find packages -maxdepth 2 -name dist -type d -exec rm -rf {} + | |
| find packages -maxdepth 2 -name 'dist-test' -type d -exec rm -rf {} + | |
| find packages -maxdepth 2 -name '*.tsbuildinfo' -delete | |
| - run: pnpm --filter '!@opencodehub/docs' -r build | |
| - run: pnpm --filter '!@opencodehub/docs' -r test | |
| test-platform: | |
| # Platform / fixture lane (audit P1). Runs the SAME suite as `test` but with | |
| # the CODEHUB_PLATFORM gate ON, so the vendor/runtime/fixture cases that | |
| # self-skip in the required `test` lane execute here: vendored-WASM disk | |
| # checks, MCP ToolResult-shape smoke, and the HTTP-download + SHA256 + | |
| # chmod/exec-bit + atomic-rename mechanics of the scip/embedder downloaders. | |
| # | |
| # `continue-on-error: true` + NOT in branch-protection required checks = | |
| # informational. A Windows chmod/path/file-url quirk turns this job amber | |
| # without blocking a logic-correct PR or the release-please PR; the required | |
| # `test` job above carries the logic-regression signal alone (it runs the | |
| # identical command with the gate OFF). Same env-var `{ skip }` idiom as | |
| # packages/embedder/src/sagemaker-embedder.integration.test.ts. | |
| continue-on-error: true | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| node-version: [24] | |
| runs-on: ${{ matrix.os }} | |
| env: | |
| MISE_NODE_VERSION: ${{ matrix.node-version }} | |
| CODEHUB_PLATFORM: "1" # set via env: (not an inline prefix) so it works on Windows cmd too | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| # Mirror the `test` lane: prune stale build output so a deleted-in-source | |
| # `dist/**/*.test.js` can't run against an interface it no longer matches. | |
| - name: Remove stale build artifacts | |
| shell: bash | |
| run: | | |
| find packages -maxdepth 2 -name dist -type d -exec rm -rf {} + | |
| find packages -maxdepth 2 -name 'dist-test' -type d -exec rm -rf {} + | |
| find packages -maxdepth 2 -name '*.tsbuildinfo' -delete | |
| - run: pnpm --filter '!@opencodehub/docs' -r build | |
| - run: pnpm --filter '!@opencodehub/docs' -r test | |
| sarif-validate: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - run: pnpm -F @opencodehub/sarif build | |
| - run: pnpm -F @opencodehub/sarif run validate-schema | |
| banned-strings: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - run: bash scripts/check-banned-strings.sh | |
| no-dist-cache: | |
| # Guardrail: fail if any workflow caches build output (dist/ or | |
| # *.tsbuildinfo). A cached dist/ resurrects stale compiled `*.test.js` | |
| # orphans (a .test.ts deleted in source) that fail the suite on a test | |
| # that no longer exists. Cache the pnpm store for speed — never dist/. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - run: bash scripts/check-no-dist-cache.sh | |
| licenses: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4 | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - name: license allowlist | |
| # Root is `private: true` with no runtime deps post-collapse; scan | |
| # packages/cli (the real third-party runtime deps) via `--start`. | |
| # license-checker-rseidelsohn v5 walks the tree via @npmcli/arborist | |
| # and reports raw SPDX expressions (e.g. "MIT OR Apache-2.0") instead | |
| # of normalizing to a single id, so the compound expressions below are | |
| # listed verbatim. Python-2.0 (argparse, via js-yaml) and CC-BY-3.0 | |
| # (spdx-exceptions data) are both OSI-approved permissive. Keep this | |
| # allowlist identical across ci.yml, pre-release-gate.yml, and | |
| # scripts/acceptance.sh. | |
| run: > | |
| pnpm exec license-checker-rseidelsohn | |
| --start packages/cli | |
| --onlyAllow 'Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD;Python-2.0;CC-BY-3.0;MIT OR Apache-2.0;(Apache-2.0 AND MIT);(BSD-3-Clause AND Apache-2.0);(BSD-2-Clause OR MIT OR Apache-2.0);(MIT OR CC0-1.0)' | |
| --excludePrivatePackages | |
| --production | |
| # GitHub code-scanning advanced-setup is configured to look for an `osv` | |
| # job in `ci.yml`. The standalone `osv.yml` workflow does the same scan, | |
| # but the configured pointer lives here, so we mirror it: install | |
| # osv-scanner, emit SARIF, upload to code-scanning, then fail the run on | |
| # vulnerabilities. The standalone workflow remains for the weekly cron. | |
| osv: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - name: Install osv-scanner | |
| run: | | |
| curl -sL -o /tmp/osv-scanner \ | |
| https://github.com/google/osv-scanner/releases/download/v2.3.8/osv-scanner_linux_amd64 | |
| chmod +x /tmp/osv-scanner | |
| - name: Scan pnpm-lock.yaml (SARIF output) | |
| run: | | |
| /tmp/osv-scanner scan source \ | |
| --lockfile=pnpm-lock.yaml \ | |
| --format=sarif \ | |
| --output=osv.sarif || true | |
| - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 | |
| if: always() | |
| with: | |
| sarif_file: osv.sarif | |
| category: osv-scanner | |
| - name: Fail on vulnerabilities | |
| run: /tmp/osv-scanner scan source --lockfile=pnpm-lock.yaml |