xevion/banner
1
0
Fork 0
mirror of https://github.com/Xevion/banner.git synced 2026-01-31 10:23:39 -06:00
Code Issues Packages Projects Releases 1 Wiki Activity

ci: split quality checks into parallel jobs with security scanning

Browse Source 
Reorganize CI pipeline into separate jobs for Rust quality, frontend
quality, tests, Docker build, and security audits. Add cargo-audit,
bun audit, and Trivy filesystem scanning. Allow formatting checks to
pass with warnings on push events while failing on PRs.
This commit is contained in:
Xevion
2026-01-30 21:08:16 -06:00
parent acccaa54d4
commit 3494341e3f
2 changed files with 133 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/ci.yml
Vendored
+131 -27
View File
@@ -11,9 +11,9 @@ env:
RUST_BACKTRACE: 1 RUST_BACKTRACE: 1
jobs: jobs:
check: rust-quality:
name: Rust Quality
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -22,44 +22,148 @@ jobs:
with: with:
components: rustfmt, clippy components: rustfmt, clippy
- name: Cache Rust dependencies
uses: Swatinem/rust-cache@v2
with:
cache-on-failure: true
- name: Check formatting
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
cargo fmt --all -- --check
else
cargo fmt --all -- --check || echo "::warning::Rust formatting issues found (not failing on push)"
fi
- name: Clippy
run: cargo clippy --all-features -- -D warnings
frontend-quality:
name: Frontend Quality
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Bun - name: Setup Bun
uses: oven-sh/setup-bun@v1 uses: oven-sh/setup-bun@v2
with: with:
bun-version: latest bun-version: latest
- name: Install dependencies
working-directory: web
run: bun install --frozen-lockfile
- name: Check formatting
working-directory: web
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
bun run format:check
else
bun run format:check || echo "::warning::Frontend formatting issues found (not failing on push)"
fi
- name: Lint
working-directory: web
run: bun run lint
- name: Type check
working-directory: web
run: bun run typecheck
rust-tests:
name: Rust Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Cache Rust dependencies - name: Cache Rust dependencies
uses: Swatinem/rust-cache@v2 uses: Swatinem/rust-cache@v2
with: with:
cache-on-failure: true cache-on-failure: true
- name: Run tests
run: cargo test --all-features
frontend-tests:
name: Frontend Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install dependencies
working-directory: web
run: bun install --frozen-lockfile
- name: Run tests
working-directory: web
run: bun run test
docker-build:
name: Docker Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build image
uses: docker/build-push-action@v6
with:
context: .
push: false
cache-from: type=gha
cache-to: type=gha,mode=max
security:
name: Security Scan
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: Install cargo-audit
uses: taiki-e/install-action@cargo-audit
- name: Rust security audit
run: cargo audit
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install frontend dependencies - name: Install frontend dependencies
working-directory: web working-directory: web
run: bun install --frozen-lockfile run: bun install --frozen-lockfile
- name: Check Rust formatting - name: Frontend security audit
run: cargo fmt --all -- --check
- name: Check TypeScript formatting
working-directory: web working-directory: web
run: bun run format:check run: bun audit --audit-level=moderate
continue-on-error: true
- name: TypeScript type check - name: Trivy filesystem scan
working-directory: web uses: aquasecurity/trivy-action@master
run: bun run typecheck with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy-results.sarif
severity: CRITICAL,HIGH
exit-code: 0
- name: ESLint - name: Upload Trivy results
working-directory: web uses: github/codeql-action/upload-sarif@v3
run: bun run lint if: always()
with:
- name: Clippy sarif_file: trivy-results.sarif
run: cargo clippy --all-features -- --deny warnings
- name: Run tests
run: cargo test --all-features
- name: Build frontend
working-directory: web
run: bun run build
- name: Build backend
run: cargo build --release --bin banner
web/package.json
+2
View File
@@ -7,6 +7,8 @@
"build": "vite build", "build": "vite build",
"preview": "vite preview", "preview": "vite preview",
"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json", "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
"typecheck": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
"lint": "biome check .",
"test": "vitest run", "test": "vitest run",
"format": "biome format --write .", "format": "biome format --write .",
"format:check": "biome format ." "format:check": "biome format ."