Commit 9fd96f8
chore(ci): add GitHub Actions workflow — typecheck + tests + npm audit
Remediates HD-4 from the 2026-04-10 audit
(docs/audits/mcp-gateway-2026-04-10.md in Stackbilt-dev/codebeast):
the public OAuth entry-point worker had zero CI, and that gap let
6 pre-existing test failures sit unnoticed for an unknown duration
(stale PUBLIC_SIGNUPS_ENABLED assertion in oauth-handler.test.ts).
Those drifting tests directly contributed to the audit's severity
miscalculation on H-1 until the critical-chain fix pass caught it.
CI job runs on every PR and every push to main:
1. Checkout + Node 20 with npm cache
2. npm ci (clean install from lockfile)
3. npm run typecheck (tsc --noEmit, strict mode enforced)
4. npm test (vitest run — currently 120 tests across 6 files)
5. npm audit --audit-level=high (advisory gate, continue-on-error
for now so dep churn doesn't block merges; elevate to blocking
once baseline is clean)
Not included (deliberate scope):
- Deploy gate (separate concern, belongs in a deploy workflow)
- Branch protection enforcement (configure via repo settings)
- Lint step (no ESLint config present in this repo yet)
Follow-up: once this workflow runs green on main, enable branch
protection for main requiring the "typecheck + test + audit" check
to pass before merge. That turns CI from advisory to enforcing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>1 parent 256ba06 commit 9fd96f8
1 file changed
+34
-0
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
0 commit comments