ci.yml
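---
# Continuous integration for this repository.
#
# Job graph:
#   check        -> lint, type-check, test (every push / PR to main or dev)
#   publish-sdk  -> publish sdk/ to GitHub Packages (push to dev only)
#   scan         -> Trivy image scan, SARIF to the Security tab (never fails)
#   deploy       -> flyctl deploy (push to dev only)
#
# NOTE(review): `deploy` depends only on `check`, so the outcome of `scan`
# does not gate the Fly.io deploy; add `scan` to its `needs` if that is the
# intended policy.
name: CI

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main, dev]

# Least-privilege default for the GITHUB_TOKEN. A job-level `permissions`
# block replaces (does not extend) this one, so every job that needs more
# must list `contents: read` again if it checks the repository out.
permissions:
  contents: read

jobs:
  check:
    name: Lint, Type-check & Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: oven-sh/setup-bun@v2
        with:
          # TODO(review): `latest` is a moving target; pin a Bun version for
          # reproducible runs.
          bun-version: latest
      - name: Install dependencies
        # --frozen-lockfile fails the job on lockfile drift instead of
        # silently resolving and rewriting it.
        run: bun install --frozen-lockfile
      - name: Download fonts
        run: bun run fonts:download
      - name: Lint
        run: bun run lint
      - name: Type-check
        run: bun run type-check
      - name: Test
        run: bun run test
        env:
          # Kept as a string: the consumer reads it from the environment,
          # where a YAML boolean would be stringified anyway.
          AUTH_ENABLED: "false"

  publish-sdk:
    name: Publish SDK to GitHub Packages
    runs-on: ubuntu-latest
    needs: check
    if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
    permissions:
      contents: read
      packages: write  # required for `npm publish` to the GitHub registry
    defaults:
      run:
        working-directory: sdk
    steps:
      - uses: actions/checkout@v6
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest
      - uses: actions/setup-node@v6
        with:
          node-version: "24"
          # setup-node writes an .npmrc for this registry/scope and reads
          # NODE_AUTH_TOKEN from the step environment at publish time.
          registry-url: https://npm.pkg.github.com
          scope: '@atypical-consulting'
      - name: Install dependencies
        # NOTE(review): unlike the `check` job this does not pass
        # --frozen-lockfile; add it if sdk/ commits a lockfile.
        run: bun install
      - name: Build SDK
        run: bun run build
      - name: Check if version is already published
        id: version-check
        # Re-running the workflow must not fail on a version that is already
        # in the registry, so publishing is skipped rather than erroring.
        # Any other `npm view` failure (network, auth) also lands in the
        # else branch; the publish step then reports the real error.
        run: |
          PACKAGE_NAME=$(node -p "require('./package.json').name")
          PACKAGE_VERSION=$(node -p "require('./package.json').version")
          if npm view "${PACKAGE_NAME}@${PACKAGE_VERSION}" version 2>/dev/null; then
            echo "published=true" >> "$GITHUB_OUTPUT"
            echo "Version ${PACKAGE_VERSION} already published — skipping"
          else
            echo "published=false" >> "$GITHUB_OUTPUT"
            echo "Version ${PACKAGE_VERSION} not yet published — will publish"
          fi
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Publish to GitHub Packages
        if: steps.version-check.outputs.published == 'false'
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  scan:
    name: Security Scan (Trivy + SARIF)
    runs-on: ubuntu-latest
    needs: check
    permissions:
      contents: read          # actions/checkout
      security-events: write  # codeql-action/upload-sarif
      actions: read           # upload-sarif on private repositories
    steps:
      - uses: actions/checkout@v6
      - name: Build Docker image for scanning
        run: docker build -t og-engine:scan .
      - name: Scan image for vulnerabilities (table)
        # TODO(review): `@master` is a mutable ref; pin to a release tag or a
        # full commit SHA so the scanner cannot change underneath this job.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: og-engine:scan
          format: table
          exit-code: '1'
          severity: CRITICAL,HIGH
          output: vuln-report.txt
        # exit-code '1' makes the step fail on findings, and this flag turns
        # that into a visible warning: findings are reported (artifact +
        # SARIF below) but never fail the job.
        continue-on-error: true
      - name: Generate SARIF report
        # TODO(review): pin this ref as well (see the table scan above).
        uses: aquasecurity/trivy-action@master
        if: always()
        with:
          image-ref: og-engine:scan
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: trivy-results.sarif
          category: trivy
      - name: Upload scan report
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: security-scan-report
          path: vuln-report.txt
          retention-days: 30

  deploy:
    name: Deploy to Fly.io
    runs-on: ubuntu-latest
    needs: check
    if: github.ref == 'refs/heads/dev' && github.event_name == 'push'
    steps:
      - uses: actions/checkout@v6
      # TODO(review): `@master` is a mutable ref for a step that holds the
      # deploy token; pin to a release tag or a full commit SHA.
      - uses: superfly/flyctl-actions/setup-flyctl@master
      - name: Deploy to Fly.io
        run: flyctl deploy --remote-only
        env:
          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}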