ci.yml
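# CI workflow: Go tests, lint and security scans, web tests and mock-OAuth
# tests. Runs on pushes to main and on pull requests that target main.
#
# Supply-chain notes for maintainers:
# - Every `uses:` reference below is a mutable major-version tag. Pinning each
#   action to a full commit SHA fixes the code that actually runs.
# - Several steps download an installer or a binary at run time. Where the
#   version is not pinned, that is called out on the step.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: the visible steps check out, build, test
# and scan; none of them pushes, comments or publishes. Grant more per job
# only if one of the `task` targets turns out to need it.
permissions:
  contents: read

jobs:
  go-tests:
    runs-on: ubuntu-latest
    env:
      # Default credentials for a test database on localhost.
      # NOTE(review): no `services:` block is declared here, so presumably a
      # task target starts the database - confirm.
      DATABASE_URL: 'postgres://postgres:postgres@localhost:55432/gateway_test?sslmode=disable'
      TEST_DATABASE_URL: 'postgres://postgres:postgres@localhost:55432/gateway_test?sslmode=disable'
      GOLANGCI_LINT_VERSION: v2.11.1
    steps:
      - uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.26.1"

      - name: Install libfido2 dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libfido2-dev libudev-dev pkg-config

      # The installer is fetched and executed unpinned and unverified.
      # `-f` keeps an HTTP error page from being piped into sh, and pipefail
      # makes a failed download fail the step. Pin a Task release as well.
      - name: Install Task
        run: |
          set -euo pipefail
          curl -fsSL https://taskfile.dev/install.sh | sh -s -- -b /usr/local/bin
          task --version

      - name: Go deps
        run: task go:deps

      # `releases/latest` resolves to whatever is newest at run time, and the
      # binary is installed without a digest or signature check. Pin a release
      # tag and compare the download against a digest kept in the repository.
      - name: Install Convox CLI
        run: |
          set -euo pipefail
          ARCH=$(uname -m)
          URL="https://github.com/convox/convox/releases/latest/download/convox-linux"
          if [ "$ARCH" = "aarch64" ] || [ "$ARCH" = "arm64" ]; then
            URL="https://github.com/convox/convox/releases/latest/download/convox-linux-arm64"
          fi
          curl -fsSL "$URL" -o /tmp/convox
          sudo mv /tmp/convox /usr/local/bin/convox
          sudo chmod 755 /usr/local/bin/convox
          # Best-effort smoke check: a non-working binary does not fail here.
          convox version || true

      - name: Install Go tools
        run: task go:tools

      - name: Go tests
        run: task go:test

  lint:
    runs-on: ubuntu-latest
    env:
      GOLANGCI_LINT_VERSION: v2.11.1
    steps:
      - uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.26.1"

      - name: Cache golangci-lint cache
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/golangci-lint
          key: golangci-${{ runner.os }}-${{ hashFiles('**/go.sum') }}

      - name: Install libfido2 dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libfido2-dev libudev-dev pkg-config

      # Unpinned, unverified installer; see the same step in go-tests.
      - name: Install Task
        run: |
          set -euo pipefail
          curl -fsSL https://taskfile.dev/install.sh | sh -s -- -b /usr/local/bin
          task --version

      # The installer runs as root. Fetch it from the same release tag as the
      # binary rather than from the moving master branch, so the script that
      # runs is the one published with that release.
      - name: Install golangci-lint
        run: |
          set -euo pipefail
          curl -sSfL "https://raw.githubusercontent.com/golangci/golangci-lint/${GOLANGCI_LINT_VERSION}/install.sh" \
            | sudo sh -s -- -b /usr/local/bin "${GOLANGCI_LINT_VERSION}"
          golangci-lint version

      - name: Go deps (lint warmup)
        run: task go:deps

      - name: Verify golangci-lint config
        run: task go:lint:config

      - name: golangci-lint
        uses: golangci/golangci-lint-action@v8
        with:
          version: ${{ env.GOLANGCI_LINT_VERSION }}
        env:
          # Quoted so the value stays a string.
          CGO_ENABLED: "1"

      # Global npm install with no version: pin jscpd to a reviewed release.
      - name: Install jscpd for duplication checking
        run: npm install -g jscpd

      - name: Check code duplication
        run: task duplication

      - name: Check file length limits
        run: task file-length

      - name: Install shellcheck
        run: sudo apt-get install -y shellcheck

      - name: Shellcheck
        run: task shellcheck

      # `@latest` makes the scanner version drift between runs. Pin a tagged
      # release so results are reproducible.
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Check for vulnerabilities
        run: task go:sec:vuln

      # The installer comes from the moving main branch and runs unverified.
      # pipefail makes a failed download fail this step instead of surfacing
      # later as a missing binary. Pin a release tag for the script and tool.
      - name: Install TruffleHog
        run: |
          set -euo pipefail
          curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin

      - name: Scan for secrets
        run: task go:sec:secrets

  web-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.1"

      # --frozen-lockfile fails the install if the lockfile would change, so
      # CI resolves exactly the committed dependency versions.
      - name: Install NPM packages
        working-directory: web
        run: |
          bun install --frozen-lockfile

      # Unpinned, unverified installer; see the same step in go-tests.
      - name: Install Task
        run: |
          set -euo pipefail
          curl -fsSL https://taskfile.dev/install.sh | sh -s -- -b /usr/local/bin
          task --version

      - name: Web lint (Typecheck, Biome, and knip)
        run: task web:lint

      - name: Check for biome-ignore comments (zero tolerance)
        run: task web:check-ignores

      - name: Web tests
        run: task web:test

  mock-oauth-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.1"

      # Unpinned, unverified installer; see the same step in go-tests.
      - name: Install Task
        run: |
          set -euo pipefail
          curl -fsSL https://taskfile.dev/install.sh | sh -s -- -b /usr/local/bin
          task --version

      - name: Mock OAuth lint (Typecheck and Biome)
        run: task mock-oauth:lint

      - name: Mock OAuth tests
        run: task mock-oauth:test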