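---
# CI pipeline: lint/typecheck gate the sharded unit tests, which gate the
# integration tests; build, schema-drift and dependency-audit jobs run in
# parallel. Every third-party action is pinned to a full commit SHA and the
# workflow token is read-only (`permissions: contents: read`).
name: CI

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [main]
    # Only run when something that can change the outcome is touched.
    paths:
      - 'src/**'
      - 'tests/**'
      - 'package.json'
      - 'pnpm-lock.yaml'
      - 'tsconfig.json'
      - 'vitest.config*.ts'
      - 'drizzle/**'
      - 'drizzle.config.ts'
      - '.github/workflows/ci.yml'
      - '.github/actions/**'
  push:
    branches: [main]

# Supersede an in-flight run for the same ref when a newer one starts.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least privilege: no job here needs to write to the repository.
permissions:
  contents: read

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/setup
      - run: pnpm lint

  typecheck:
    name: Type Check
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/setup
      - run: pnpm typecheck

  test:
    name: Unit Tests (${{ matrix.shard }}/3)
    runs-on: ubuntu-latest
    timeout-minutes: 15
    needs: [lint, typecheck]
    strategy:
      # Let every shard finish so one failing shard does not hide others.
      fail-fast: false
      matrix:
        shard: [1, 2, 3]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/setup
      - run: pnpm vitest run --shard=${{ matrix.shard }}/3

  test-integration:
    name: Integration Tests
    runs-on: ubuntu-latest
    timeout-minutes: 30
    needs: [test]
    services:
      postgres:
        image: pgvector/pgvector:pg16
        # Throwaway credentials for the ephemeral CI container only; they are
        # not secrets and must not be reused anywhere else.
        env:
          POSTGRES_USER: barazo
          POSTGRES_PASSWORD: barazo_dev
          POSTGRES_DB: barazo
        ports:
          # Quoted so no YAML 1.1 loader can read "host:container" as a number.
          - '5432:5432'
        options: >-
          --health-cmd "pg_isready -U barazo"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      valkey:
        image: valkey/valkey:8-alpine
        ports:
          - '6379:6379'
        options: >-
          --health-cmd "valkey-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 3
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/setup
      - run: pnpm db:migrate
        env:
          DATABASE_URL: 'postgresql://barazo:barazo_dev@localhost:5432/barazo'
      - run: pnpm test:integration
        env:
          DATABASE_URL: 'postgresql://barazo:barazo_dev@localhost:5432/barazo'
          VALKEY_URL: 'redis://localhost:6379'
          # NOTE(review): no TAP service is declared under `services`; presumably
          # `pnpm test:integration` starts it itself — confirm, otherwise these
          # point at nothing.
          TAP_URL: 'http://localhost:2480'
          TAP_ADMIN_PASSWORD: tap_dev_secret

  build:
    name: Build
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/setup
      - run: pnpm build

  schema-check:
    name: Schema Drift Check
    runs-on: ubuntu-latest
    timeout-minutes: 10
    needs: [lint]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/setup
      - name: Check for uncommitted schema changes
        # Regenerates migrations and fails if that produced anything git does
        # not already know about, i.e. the schema changed without a migration.
        run: |
          pnpm db:generate --name=ci-check
          if [ -n "$(git status --porcelain drizzle/)" ]; then
            echo "::error::Schema changes detected but no migration committed."
            echo "Run 'pnpm db:generate' locally and commit the result."
            # A freshly generated migration is an untracked file, which
            # `git diff` would not show; register it intent-to-add first so
            # the diff actually contains the missing migration.
            git add --intent-to-add drizzle/
            git diff drizzle/
            exit 1
          fi
          echo "Schema is in sync with migrations."

  security:
    name: Security Scan
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/setup
      - name: Security audit with retry
        # Retries only on registry/network errors. A genuine finding at
        # `--audit-level=high` fails the job; after three registry outages the
        # step deliberately exits 0 with a warning, so an outage does not block
        # merges — accept that this is a soft gate and watch the warnings.
        run: |
          for attempt in 1 2 3; do
            output=$(pnpm audit --audit-level=high --prod 2>&1) && { echo "$output"; exit 0; }
            if echo "$output" | grep -q "ERR_PNPM_AUDIT_BAD_RESPONSE\|ECONNREFUSED\|ETIMEDOUT\|EAI_AGAIN"; then
              echo "::warning::Audit registry unavailable (attempt $attempt/3), retrying in 15s..."
              sleep 15
            else
              echo "$output"
              exit 1
            fi
          done
          echo "::warning::Audit registry unavailable after 3 attempts, skipping"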