name: CI on: push: branches: [master] pull_request: branches: [master] permissions: contents: read security-events: write env: NODE_VERSION: "20" jobs: # Code quality checks quality: name: Code Quality runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v6 - name: Setup pnpm uses: pnpm/action-setup@v4 - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} cache: "pnpm" - name: Install dependencies run: pnpm install --frozen-lockfile - name: Type checking and linting run: pnpm check - name: Check formatting run: pnpm format:check # Testing test: name: Test Suite runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v6 - name: Setup pnpm uses: pnpm/action-setup@v4 - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} cache: "pnpm" - name: Install dependencies run: pnpm install --frozen-lockfile - name: Run tests with coverage run: pnpm test:coverage env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - name: Run tests with junit reporter run: pnpm test -- --reporter=junit --outputFile=test-report.junit.xml if: always() - name: Upload coverage reports to Codecov uses: codecov/codecov-action@v5 if: always() with: token: ${{ secrets.CODECOV_TOKEN }} - name: Upload test results to Codecov if: ${{ !cancelled() }} uses: codecov/test-results-action@v1 with: token: ${{ secrets.CODECOV_TOKEN }} # Build verification build: name: Build Application needs: [quality, test] runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v6 - name: Setup pnpm uses: pnpm/action-setup@v4 - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} cache: "pnpm" - name: Install dependencies run: pnpm install --frozen-lockfile - name: Build application run: pnpm build env: NODE_ENV: production # Security scanning security: name: Security Scan runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v6 - name: Setup pnpm uses: pnpm/action-setup@v4 - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} cache: "pnpm" - name: Install dependencies run: pnpm install --frozen-lockfile - name: Run security audit run: pnpm audit --audit-level=moderate continue-on-error: true - name: Check for known vulnerabilities uses: aquasecurity/trivy-action@master with: scan-type: "fs" scan-ref: "." format: "sarif" output: "trivy-results.sarif" severity: "CRITICAL,HIGH" exit-code: 0 - name: Upload Trivy results uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: "trivy-results.sarif"