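name: CI

# Trigger matrix (which paths wake which jobs):
#
# Path pattern                    | frontend-check | backend-check | compose-check
# --------------------------------|----------------|---------------|--------------
# frontend/**                     | yes            | no            | no
# backend/**                      | no             | yes           | no
# .github/workflows/**            | yes            | yes           | yes
# docker-compose*.yml             | yes            | yes           | yes
# root/shared non-doc config      | yes            | yes           | no
# docs/**, *.md, ISSUE_TEMPLATE   | no             | no            | no
#
# Security notes for maintainers:
# - Every job below executes code from the checked-out ref (install scripts,
#   build, app import). Keep the trigger on `pull_request`; do not switch it
#   to `pull_request_target`, which would run that code with a privileged
#   token and access to secrets.
# - All actions are pinned to full commit SHAs. Change a SHA only after
#   reviewing the upstream release it corresponds to.

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

# Least-privilege default for GITHUB_TOKEN: jobs only need to read the repo.
# A job that needs more declares it explicitly in its own `permissions` block.
permissions:
  contents: read

jobs:
  detect-changes:
    runs-on: ubuntu-latest
    # paths-filter lists the changed files of a pull request through the API,
    # so this job additionally needs read access to pull requests.
    permissions:
      contents: read
      pull-requests: read
    outputs:
      frontend: ${{ steps.filter.outputs.frontend }}
      backend: ${{ steps.filter.outputs.backend }}
      shared: ${{ steps.filter.outputs.shared }}
      uncategorized: ${{ steps.uncategorized.outputs.uncategorized }}
    steps:
      # persist-credentials: false keeps the token out of .git/config, so
      # later steps cannot pick it up from the working tree.
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
        with:
          persist-credentials: false
      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d
        id: filter
        with:
          filters: |
            frontend:
              - 'frontend/**'
            backend:
              - 'backend/**'
            shared:
              - '.github/workflows/**'
              - 'docker-compose*.yml'
      # "uncategorized" is true when a changed file matches none of the known
      # areas and is not documentation. `every` requires a file to satisfy all
      # patterns, i.e. match '**' and none of the negated ones.
      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d
        id: uncategorized
        with:
          predicate-quantifier: every
          filters: |
            uncategorized:
              - '**'
              - '!frontend/**'
              - '!backend/**'
              - '!.github/workflows/**'
              - '!docker-compose*.yml'
              - '!docs/**'
              - '!**/*.md'
              - '!LICENSE'
              - '!CODE_OF_CONDUCT.md'
              - '!CONTRIBUTING.md'
              - '!GSSOC_CONTRIBUTOR_GUIDE.md'
              - '!.github/ISSUE_TEMPLATE/**'

  frontend-check:
    needs: detect-changes
    if: >-
      needs.detect-changes.outputs.frontend == 'true' ||
      needs.detect-changes.outputs.shared == 'true' ||
      needs.detect-changes.outputs.uncategorized == 'true'
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./frontend
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
        with:
          persist-credentials: false
      - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d
        with:
          # Quoted so the version stays a string whatever parser reads it.
          version: "10.16.0"
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
          node-version: "22"
          cache: "pnpm"
          cache-dependency-path: frontend/pnpm-lock.yaml
      # Install exactly what pnpm-lock.yaml records and fail if the lockfile
      # is out of date, so CI never resolves versions nobody reviewed.
      - run: pnpm install --frozen-lockfile
      # Report high/critical vulnerabilities for maintainer review.
      # Advisory only: `|| true` keeps this step green on findings AND when
      # the audit itself fails (e.g. registry unreachable), so read the log
      # output rather than the step status.
      - run: pnpm audit --audit-level=high || true
      # Type-check, lint, format all in one pass (Biome handles lint + format)
      - run: pnpm check
      # Ensure the production bundle actually builds — catches tree-shake bugs, type errors
      - run: pnpm build

  backend-check:
    needs: detect-changes
    if: >-
      needs.detect-changes.outputs.backend == 'true' ||
      needs.detect-changes.outputs.shared == 'true' ||
      needs.detect-changes.outputs.uncategorized == 'true'
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./backend
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
        with:
          persist-credentials: false
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: "3.12"
      # NOTE(review): the action is pinned by SHA but no `version` input is
      # given, so the uv release it installs is whatever the action resolves.
      # Consider pinning it unless the project already constrains the uv
      # version elsewhere.
      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
      # Install from uv.lock (our source of truth); --locked fails the step
      # if the lockfile does not match the project metadata.
      - run: uv sync --group dev --locked
      # Report known vulnerabilities from the locked backend dependency set.
      # --desc adds advisory details for maintainer review.
      # Advisory only: `|| true` keeps this step green on findings AND when
      # pip-audit itself fails, so read the log output rather than the step
      # status.
      - run: uv run pip-audit --desc || true
      # Lint: catch obvious mistakes before runtime surprises
      - run: uv run ruff check .
      # Enforce consistent style — don't waste review time on whitespace
      - run: uv run ruff format --check .
      # Smoke-import the FastAPI app to catch broken imports or bad config before runtime.
      - name: Backend import smoke check
        run: ML_MODE=mock uv run python -c "from find_api.main import app; print('smoke OK:', app.title)"

  compose-check:
    needs: detect-changes
    if: needs.detect-changes.outputs.shared == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
        with:
          persist-credentials: false
      # `config --quiet` only parses and validates the compose files; it does
      # not pull images or start containers.
      - name: Validate docker-compose.yml
        run: docker compose config --quiet
      - name: Validate docker-compose.light.yml
        run: docker compose -f docker-compose.light.yml config --quiet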