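###############################################################################
# CrowByte — Continuous Integration
#
# Triggers: pushes to main/develop, pull requests targeting main
# Validates: TypeScript types, lint, web build, electron build
#            (unit tests and npm audit run but do not gate the job — see the
#            continue-on-error steps below)
# Security: fails the build if the Supabase service role marker appears in the
#           web bundle; smoke tests against production run only on pushes to
#           main so PR branches never receive the test-account credentials
###############################################################################
name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least privilege for the automatic GITHUB_TOKEN: nothing here writes back to
# the repository, and artifact upload does not need extra token scopes.
permissions:
  contents: read

jobs:
  validate:
    name: Lint, Type-check, Test & Build
    runs-on: ubuntu-latest
    # Cap runtime so a hung install or build cannot hold a runner indefinitely.
    timeout-minutes: 30
    steps:
      # NOTE(review): actions are pinned to mutable major tags; pinning to a
      # full commit SHA (actions/checkout@<commit-sha>  # v4) removes the
      # tag-retarget supply-chain risk.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          # NOTE(review): the cache is keyed on package.json, not a lockfile,
          # and the install below uses `npm install`, so dependency resolution
          # is not reproducible between runs — confirm whether a lockfile exists.
          cache-dependency-path: apps/desktop/package.json

      - name: Install dependencies
        working-directory: apps/desktop
        run: npm install --legacy-peer-deps

      - name: Type-check
        working-directory: apps/desktop
        run: npx tsc --noEmit

      - name: Lint
        working-directory: apps/desktop
        run: npx eslint . --max-warnings=150

      # Test failures are surfaced as a failed step (red annotation) but do not
      # fail the job — the same gating as the previous `|| true`, without
      # hiding the result behind a green check.
      - name: Unit tests
        working-directory: apps/desktop
        continue-on-error: true
        run: npm test

      - name: Build (web)
        working-directory: apps/desktop
        run: npm run build:web
        env:
          VITE_BUILD_TARGET: web

      - name: Build (electron)
        working-directory: apps/desktop
        run: npm run build:vite
        env:
          VITE_BUILD_TARGET: electron

      # Security audit — service key must NEVER appear in web bundle.
      # - Fails closed: a missing dist/web/ is an error, not a PASS.
      # - `-q` keeps any matching bundle line (i.e. the key itself) out of the
      #   job log.
      # NOTE(review): this is a literal match on "service_role"; a Supabase
      # service key is a JWT whose role claim is base64-encoded, so the raw
      # token would not contain this literal. Treat the check as a tripwire for
      # the config string, not as proof the key is absent.
      - name: Audit web bundle for secrets
        working-directory: apps/desktop
        run: |
          if [ ! -d dist/web ]; then
            echo "::error::dist/web/ not found — cannot audit web bundle"
            exit 1
          fi
          if grep -rq "service_role" dist/web/; then
            echo "::error::CRITICAL — Supabase service key found in web bundle!"
            exit 1
          fi
          echo "No service key in web bundle — PASS"

      # Critical advisories are reported but do not gate the job (previously
      # `|| true`); continue-on-error keeps the failure visible in the run.
      - name: Dependency audit
        working-directory: apps/desktop
        continue-on-error: true
        run: npm audit --audit-level=critical

  smoke:
    name: Smoke Tests (Playwright)
    runs-on: ubuntu-latest
    needs: validate
    timeout-minutes: 20
    # Only run smoke tests on pushes to main (not PRs — avoids test account exposure)
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: apps/desktop/package.json

      - name: Install dependencies
        working-directory: apps/desktop
        run: npm install --legacy-peer-deps

      # apt-key is deprecated; a dedicated keyring with `signed-by` scopes
      # Google's key to this one repository instead of trusting it for every
      # apt source. The repository itself is fetched over HTTPS.
      - name: Install Chrome
        run: |
          wget -q -O - https://dl.google.com/linux/linux_signing_key.pub \
            | sudo gpg --dearmor -o /usr/share/keyrings/google-chrome.gpg
          echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main" \
            | sudo tee /etc/apt/sources.list.d/google-chrome.list
          sudo apt-get update -qq && sudo apt-get install -y google-chrome-stable
          google-chrome --version

      - name: Run smoke tests against production
        working-directory: apps/desktop
        env:
          E2E_BASE_URL: https://crowbyte.io
          E2E_TEST_EMAIL: ${{ secrets.E2E_TEST_EMAIL }}
          E2E_TEST_PASS: ${{ secrets.E2E_TEST_PASS }}
          CHROME_PATH: /usr/bin/google-chrome
        run: npx playwright test e2e/smoke.spec.ts --reporter=github

      # Screenshots may show authenticated production pages; short retention
      # limits how long that state sits in run artifacts.
      - name: Upload failure screenshots
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: playwright-screenshots
          path: apps/desktop/test-results/
          retention-days: 7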