ci: split quality checks into parallel jobs with security scanning

Reorganize CI pipeline into separate jobs for Rust quality, frontend
quality, tests, Docker build, and security audits. Add cargo-audit,
bun audit, and Trivy filesystem scanning. Allow formatting checks to
pass with warnings on push events while failing on PRs.

.github/workflows/ci.yml

@@ -11,9 +11,9 @@ env:
   RUST_BACKTRACE: 1
 
 jobs:
-  check:
+  rust-quality:
+    name: Rust Quality
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
 
@@ -22,44 +22,148 @@ jobs:
         with:
           components: rustfmt, clippy
 
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@v2
+        with:
+          cache-on-failure: true
+
+      - name: Check formatting
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            cargo fmt --all -- --check
+          else
+            cargo fmt --all -- --check || echo "::warning::Rust formatting issues found (not failing on push)"
+          fi
+
+      - name: Clippy
+        run: cargo clippy --all-features -- -D warnings
+
+  frontend-quality:
+    name: Frontend Quality
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
       - name: Setup Bun
-        uses: oven-sh/setup-bun@v1
+        uses: oven-sh/setup-bun@v2
         with:
           bun-version: latest
 
+      - name: Install dependencies
+        working-directory: web
+        run: bun install --frozen-lockfile
+
+      - name: Check formatting
+        working-directory: web
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            bun run format:check
+          else
+            bun run format:check || echo "::warning::Frontend formatting issues found (not failing on push)"
+          fi
+
+      - name: Lint
+        working-directory: web
+        run: bun run lint
+
+      - name: Type check
+        working-directory: web
+        run: bun run typecheck
+
+  rust-tests:
+    name: Rust Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
       - name: Cache Rust dependencies
         uses: Swatinem/rust-cache@v2
         with:
           cache-on-failure: true
 
+      - name: Run tests
+        run: cargo test --all-features
+
+  frontend-tests:
+    name: Frontend Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        working-directory: web
+        run: bun install --frozen-lockfile
+
+      - name: Run tests
+        working-directory: web
+        run: bun run test
+
+  docker-build:
+    name: Docker Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install cargo-audit
+        uses: taiki-e/install-action@cargo-audit
+
+      - name: Rust security audit
+        run: cargo audit
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
       - name: Install frontend dependencies
         working-directory: web
         run: bun install --frozen-lockfile
 
-      - name: Check Rust formatting
-        run: cargo fmt --all -- --check
-
-      - name: Check TypeScript formatting
+      - name: Frontend security audit
         working-directory: web
-        run: bun run format:check
+        run: bun audit --audit-level=moderate
+        continue-on-error: true
 
-      - name: TypeScript type check
-        working-directory: web
-        run: bun run typecheck
+      - name: Trivy filesystem scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+          exit-code: 0
 
-      - name: ESLint
-        working-directory: web
-        run: bun run lint
-
-      - name: Clippy
-        run: cargo clippy --all-features -- --deny warnings
-
-      - name: Run tests
-        run: cargo test --all-features
-
-      - name: Build frontend
-        working-directory: web
-        run: bun run build
-
-      - name: Build backend
-        run: cargo build --release --bin banner
+      - name: Upload Trivy results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif

web/package.json

@@ -7,6 +7,8 @@
     "build": "vite build",
     "preview": "vite preview",
     "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
+    "typecheck": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
+    "lint": "biome check .",
     "test": "vitest run",
     "format": "biome format --write .",
     "format:check": "biome format ."