name: CI

# `on` reads as a YAML 1.1 boolean to generic parsers; GitHub's loader
# handles it, so the truthy rule is suppressed for this key only.
# yamllint disable-line rule:truthy
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# One in-flight run per workflow+ref: a newer push to the same ref cancels
# the run that is still going.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Default GITHUB_TOKEN scope for every job. A job that needs more (the
# code-scanning upload) widens it in its own `permissions:` block.
permissions:
  contents: read
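jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm exec biome ci .

  typecheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - name: Build workspace .d.ts so cross-package types resolve
        # Skip @opencodehub/docs — its build runs astro + rehype-mermaid +
        # playwright (heavy headless-Chromium dep) and is exercised on the
        # dedicated `pages.yml` workflow with --with-deps installed.
        run: pnpm --filter '!@opencodehub/docs' -r build
      - run: pnpm --filter '!@opencodehub/docs' -r exec tsc --noEmit

  test:
    # Parsing is WASM-only on every supported Node version (ADR 0015), so the
    # test suite needs no native grammar build — `--ignore-scripts` is the
    # single install path across the matrix. The remaining native deps
    # (@duckdb/node-api, @ladybugdb/core, onnxruntime-node) ship prebuilds, so
    # storage/embedder tests pass without running postinstall.
    #
    # Build before test: every package's `test` runs `node --test` against its
    # built `dist/` (and the cli compiles `src` → `dist-test/`), so the dist
    # graph must exist first. Without this step a package's test glob silently
    # matches zero files and reports a vacuous pass.
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        # Quoted so the values stay strings through YAML parsing; they reach
        # mise as MISE_NODE_VERSION either way.
        node-version: ["22", "24"]
    runs-on: ${{ matrix.os }}
    env:
      MISE_NODE_VERSION: ${{ matrix.node-version }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm --filter '!@opencodehub/docs' -r build
      - run: pnpm --filter '!@opencodehub/docs' -r test

  test-platform:
    # Platform / fixture lane (audit P1). Runs the SAME suite as `test` but with
    # the CODEHUB_PLATFORM gate ON, so the vendor/runtime/fixture cases that
    # self-skip in the required `test` lane execute here: vendored-WASM disk
    # checks, MCP ToolResult-shape smoke, and the HTTP-download + SHA256 +
    # chmod/exec-bit + atomic-rename mechanics of the scip/embedder downloaders.
    #
    # `continue-on-error: true` + NOT in branch-protection required checks =
    # informational. A Windows chmod/path/file-url quirk turns this job amber
    # without blocking a logic-correct PR or the release-please PR; the required
    # `test` job above carries the logic-regression signal alone (it runs the
    # identical command with the gate OFF). Same env-var `{ skip }` idiom as
    # packages/embedder/src/sagemaker-embedder.integration.test.ts.
    continue-on-error: true
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        node-version: ["22"]
    runs-on: ${{ matrix.os }}
    env:
      MISE_NODE_VERSION: ${{ matrix.node-version }}
      CODEHUB_PLATFORM: "1" # set via env: (not an inline prefix) so it works on Windows cmd too
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm --filter '!@opencodehub/docs' -r build
      - run: pnpm --filter '!@opencodehub/docs' -r test

  sarif-validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm -F @opencodehub/sarif build
      - run: pnpm -F @opencodehub/sarif run validate-schema

  banned-strings:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - run: bash scripts/check-banned-strings.sh

  licenses:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - name: license allowlist
        # Folded into one command line; `--production` scopes the check to
        # runtime deps and private workspace packages are excluded.
        run: >-
          pnpm exec license-checker-rseidelsohn
          --onlyAllow 'Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD'
          --excludePrivatePackages
          --production

  # GitHub code-scanning advanced-setup is configured to look for an `osv`
  # job in `ci.yml`. The standalone `osv.yml` workflow does the same scan,
  # but the configured pointer lives here, so we mirror it: install
  # osv-scanner, emit SARIF, upload to code-scanning, then fail the run on
  # vulnerabilities. The standalone workflow remains for the weekly cron.
  osv:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Install osv-scanner
        # The release is version-pinned but the downloaded binary is not
        # integrity-checked here: compare its SHA256 with the checksum
        # published alongside the release before `chmod +x`
        # (PLACEHOLDER: expected sha256 is not recorded in this file).
        # `--fail` aborts the step on a 404/5xx instead of saving the error
        # page as the "binary" and failing later with a confusing exec error;
        # `--proto`/`--proto-redir` keep the download and the release-CDN
        # redirect on HTTPS.
        run: |
          curl --fail --silent --show-error --location --retry 3 \
            --proto '=https' --proto-redir '=https' \
            -o /tmp/osv-scanner \
            https://github.com/google/osv-scanner/releases/download/v2.3.8/osv-scanner_linux_amd64
          chmod +x /tmp/osv-scanner
      - name: Scan pnpm-lock.yaml (SARIF output)
        # Exit status is masked (`|| true`) so the SARIF file is always
        # written and uploaded; the last step turns findings into a failure.
        run: |
          /tmp/osv-scanner scan source \
            --lockfile=pnpm-lock.yaml \
            --format=sarif \
            --output=osv.sarif || true
      - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
        # Upload even if an earlier step failed, but not when the run was
        # cancelled (`always()` would also fire on cancellation).
        if: ${{ !cancelled() }}
        with:
          sarif_file: osv.sarif
          category: osv-scanner
      - name: Fail on vulnerabilities
        # Same scan without --format/--output: the default report lands in the
        # job log and a non-zero exit fails the job.
        run: /tmp/osv-scanner scan source --lockfile=pnpm-lock.yaml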