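---
name: CLI CI

on:
  push:
    branches: [dev]
  pull_request:
    branches: [dev]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to the
# repository, so a read-only token is enough for every job below.
permissions:
  contents: read

# NOTE(review): actions are referenced by moving major tags (@v4/@v5). Pinning
# each to a full-length commit SHA (with the tag in a trailing comment) would
# make the workflow immune to a compromised or force-moved tag.
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout (full history)
        uses: actions/checkout@v5
        with:
          # Full history so gitleaks scans every commit, not just the tip.
          fetch-depth: 0
          # Only local git reads follow; no need to leave GITHUB_TOKEN in .git/config.
          persist-credentials: false
      - name: Run gitleaks
        env:
          # Pinned release; bump deliberately. Run the binary directly rather than
          # gitleaks/gitleaks-action@v2, which requires a paid GITLEAKS_LICENSE for
          # organization-owned repos. Quoted so no YAML loader can retype it.
          GITLEAKS_VERSION: "8.30.1"
        run: |
          set -euo pipefail
          base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          asset="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          curl -sSfL -o "${asset}" "${base}/${asset}"
          # Verify the tarball against the release's published checksum list before
          # unpacking or executing anything from it; an empty or non-matching entry
          # makes sha256sum exit non-zero, so the step fails closed. Pinning the
          # expected digest directly in this file would be stronger still, since it
          # would not trust the release page for the digest at all.
          curl -sSfL -o checksums.txt "${base}/gitleaks_${GITLEAKS_VERSION}_checksums.txt"
          awk -v f="${asset}" '$2 == f' checksums.txt | sha256sum -c -
          tar -xzf "${asset}" gitleaks
          # --redact keeps any finding out of the public job log.
          ./gitleaks git . --redact --verbose --no-banner

  lint-and-test:
    runs-on: ubuntu-latest
    # The mock-api lives in the private moropo-com/dcd repo, checked out via an
    # SSH deploy key. GitHub does NOT expose secrets to pull_request workflows
    # triggered from forks, so that checkout (and the integration tests that need
    # it) can only run for same-repo events. Fork PRs still run lint/typecheck/build.
    env:
      HAS_PRIVATE_ACCESS: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
    steps:
      - name: Checkout CLI
        uses: actions/checkout@v5
        with:
          path: cli
          # Later steps only read the tree (install/lint/typecheck/test/build);
          # no git push or fetch follows, so the token need not persist in .git/config.
          persist-credentials: false
      - name: Checkout dcd (mock-api)
        if: env.HAS_PRIVATE_ACCESS == 'true'
        uses: actions/checkout@v5
        with:
          repository: moropo-com/dcd
          path: dcd
          ssh-key: ${{ secrets.DCD_SSH_DEPLOY_KEY }}
          # Drop the deploy key from the runner once the checkout is done. The
          # steps after this one (dependency install, tests) execute third-party
          # package code, which must not be able to reach a key that grants
          # access to the private repo.
          persist-credentials: false
          # api/swagger.json is a file, which cone-mode sparse checkout rejects
          # as of git 2.51 ("is not a directory") — use non-cone patterns.
          sparse-checkout-cone-mode: false
          sparse-checkout: |
            /mock-api/
            /api/swagger.json
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10
          run_install: false
      - name: Setup Node.js
        uses: actions/setup-node@v5
        with:
          node-version: '22'
          cache: 'pnpm'
          cache-dependency-path: './cli/pnpm-lock.yaml'
      - name: Install CLI dependencies
        working-directory: ./cli
        # --frozen-lockfile fails the build if package.json and the lockfile
        # disagree, so CI cannot silently resolve to a different dependency set.
        run: pnpm install --frozen-lockfile
      - name: Install Mock API dependencies
        if: env.HAS_PRIVATE_ACCESS == 'true'
        working-directory: ./dcd/mock-api
        run: pnpm install --frozen-lockfile
      - name: Run CLI linter
        working-directory: ./cli
        run: pnpm lint
      - name: Type check (strict, src + tests)
        working-directory: ./cli
        run: pnpm typecheck
      - name: Run CLI tests
        if: env.HAS_PRIVATE_ACCESS == 'true'
        working-directory: ./cli
        env:
          MOCK_API_DIR: ${{ github.workspace }}/dcd/mock-api
        run: pnpm test
      - name: Skip integration tests (fork PR — no mock-api access)
        if: env.HAS_PRIVATE_ACCESS != 'true'
        run: echo "::notice::Integration tests skipped — the mock-api (private moropo-com/dcd) is not accessible from fork PRs. Lint, typecheck, and build still ran."
      - name: Build CLI
        working-directory: ./cli
        run: pnpm build
      - name: Security audit
        working-directory: ./cli
        # Fails the job on any advisory of moderate severity or higher.
        run: pnpm audit --audit-level moderate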