some actions improvements

bristermitten · bristermitten · commit 26a957f9b486 · 2025-08-24T21:26:50.000+01:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,25 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    allow:
+      - dependency-type: "direct"
+    commit-message:
+      prefix: "deps(npm)"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "deps(docker)"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,40 @@
+name: CodeQL
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["master"]
+  schedule:
+    - cron: "33 5 * * 1"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:javascript"
diff --git a/.github/workflows/docker-check.yml b/.github/workflows/docker-check.yml
@@ -0,0 +1,44 @@
+name: Docker Check
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["master"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  dockerfile-lint:
+    name: Lint Dockerfile
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          files: Dockerfile
+
+  build:
+    name: Build Docker image
+    runs-on: ubuntu-latest
+    needs: dockerfile-lint
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build
+        uses: docker/build-push-action@v6.7.0
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          load: true
+          tags: devdenbot:ci
+          provenance: false
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,43 +1,194 @@
-name: Lint
+name: Lint and Test
 
 on:
   push:
     branches: ["master"]
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+      - "logs/**"
+      - "result/**"
   pull_request:
-    # The branches below must be a subset of the branches above
     branches: ["master"]
+    paths-ignore:
+      - "**/*.md"
+      - "docs/**"
+      - "logs/**"
+      - "result/**"
   schedule:
     - cron: "29 4 * * 1"
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  eslint:
-    name: Run eslint scanning
+  deps:
+    name: Prepare dependencies
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: write
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    timeout-minutes: 15
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
-      - name: Add gyp dependencies
+      - name: Add system libs for native modules
         run: sudo apt update && sudo apt install -y build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev
-
-      - name: Install ESLint
+      - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
           bun-version: latest
-
-      - name: Run install
+      - name: Cache Bun package downloads
+        id: bun-cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.bun/install/cache
+          key: ${{ runner.os }}-bun-cache-${{ hashFiles('bun.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-bun-cache-
+      - name: Cache node_modules
+        id: node-modules-cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            node_modules
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('bun.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-node-modules-
+      - name: Install dependencies
         run: bun install --frozen-lockfile
+      - name: Upload node_modules artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: node-modules-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          path: node_modules
+          if-no-files-found: warn
 
+  lint:
+    name: Lint
+    needs: deps
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+      - name: Download node_modules artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: node-modules-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          path: node_modules
       - name: Run ESLint
         run: bunx eslint . --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif
-        continue-on-error: true
-
       - name: Upload analysis results to GitHub
+        if: always()
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: eslint-results.sarif
           wait-for-processing: true
+
+  format:
+    name: Prettier Format Check
+    needs: deps
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+      - name: Download node_modules artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: node-modules-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          path: node_modules
+      - name: Check formatting
+        run: bunx prettier --check .
+
+  typecheck:
+    name: Type Check
+    needs: deps
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+      - name: Download node_modules artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: node-modules-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          path: node_modules
+      - name: Run TypeScript type check
+        run: bunx tsc --noEmit -p tsconfig.json
+
+  build:
+    name: Build
+    needs: deps
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+      - name: Download node_modules artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: node-modules-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          path: node_modules
+      - name: Build TypeScript
+        run: bun run build
+      - name: Upload build artifact (bin)
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-bin-${{ github.sha }}
+          path: bin
+          if-no-files-found: ignore
+
+  test:
+    name: Unit Tests
+    needs: deps
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Add system libs for native modules (runtime)
+        run: sudo apt update && sudo apt install -y libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+      - name: Download node_modules artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: node-modules-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          path: node_modules
+      - name: Run Unit Tests with coverage
+        run: bun test --coverage
+      - name: Upload coverage report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-${{ runner.os }}-${{ github.run_id }}
+          path: |
+            coverage
+          if-no-files-found: ignore
diff --git a/.github/workflows/sentry.yml b/.github/workflows/sentry.yml
