Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 46 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
day: monday
open-pull-requests-limit: 10
commit-message:
prefix: ci
groups:
github-actions:
patterns: ["*"]
labels:
- dependencies
- github-actions

- package-ecosystem: npm
directory: /
schedule:
interval: weekly
day: monday
open-pull-requests-limit: 10
commit-message:
prefix: chore
prefix-development: chore
include: scope
groups:
# Dev-only minor/patch — auto-merge candidates (vitest, typescript,
# vite plugins). One PR keeps churn down.
dev-deps-minor:
dependency-type: development
update-types: [minor, patch]
# Runtime minor/patch — small surface (js-yaml only) but still group.
prod-deps-minor:
dependency-type: production
update-types: [minor, patch]
# All majors get their own PR per package — no grouping — so the
# human review queue can evaluate them individually.
labels:
- dependencies
- npm
ignore:
# Stay on a stable Node major; bump deliberately, not via dependabot.
- dependency-name: "@types/node"
update-types: [version-update:semver-major]
38 changes: 36 additions & 2 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,49 @@ on:
push:
branches: [main]

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v4
- uses: actions/setup-node@v6
with:
node-version: 22.22.0
node-version: 24.14.0
cache: npm
- run: npm ci
- run: npx tsc --noEmit
- run: npx vitest run --coverage --passWithNoTests

security:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0

- uses: actions/setup-node@v6
with:
node-version: 24.14.0
cache: npm

- run: npm ci

# Dependency audit — fail on high/critical vulnerabilities
- name: npm audit
run: npm audit --audit-level=high

# Build output size gate — single-file HTML should stay under 150 KB
- name: Build and check output size
run: |
npm run build
size=$(stat -c%s dist/index.html)
echo "Build output: ${size} bytes"
if [ "$size" -gt 153600 ]; then
echo "::error::Build output exceeds 150 KB (${size} bytes) — unexpected bloat"
exit 1
fi
33 changes: 33 additions & 0 deletions .github/workflows/dependabot-automerge.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
name: Dependabot auto-merge

on:
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review]

permissions:
contents: write
pull-requests: write

jobs:
automerge:
if: github.event.pull_request.user.login == 'dependabot[bot]'
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Fetch Dependabot metadata
id: meta
uses: dependabot/fetch-metadata@v2.4.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

# Auto-merge minor and patch updates only — major updates go to a
# human review queue. github-actions and dev-only npm minor/patch are
# the safest categories and historically clean every time CI passes.
- name: Enable auto-merge for safe updates
if: |
steps.meta.outputs.update-type == 'version-update:semver-minor' ||
steps.meta.outputs.update-type == 'version-update:semver-patch'
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr merge --auto --squash "$PR_URL"
7 changes: 4 additions & 3 deletions .github/workflows/deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,19 +16,20 @@ concurrency:
jobs:
deploy:
runs-on: ubuntu-latest
timeout-minutes: 10
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v4
- uses: actions/setup-node@v6
with:
node-version: 22.22.0
node-version: 24.14.0
cache: npm
- run: npm ci
- run: npm run build
- uses: actions/configure-pages@v5
- uses: actions/upload-pages-artifact@v3
- uses: actions/upload-pages-artifact@v4
with:
path: dist
- id: deployment
Expand Down
18 changes: 18 additions & 0 deletions .github/workflows/pre-commit.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
name: Pre-commit

on:
push:
branches: [main]
pull_request:
branches: [main]

jobs:
pre-commit:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v5
with:
python-version: "3.x"
- uses: pre-commit/action@v3.0.1
52 changes: 39 additions & 13 deletions .github/workflows/prerelease.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,20 +3,33 @@ name: Pre-release
on:
push:
branches: [main]
# Skip pre-release for changes that don't affect the built artifact.
paths-ignore:
- '**.md'
- '.github/dependabot.yml'
- '.github/ISSUE_TEMPLATE/**'
- '.github/PULL_REQUEST_TEMPLATE/**'
- '.coderabbit.yaml'
- '.gitleaks.toml'
- '.pre-commit-config.yaml'
- '.yamllint.yml'
- '.gitignore'
- 'LICENSE'

permissions:
contents: write

jobs:
prerelease:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
- uses: actions/setup-node@v4
- uses: actions/setup-node@v6
with:
node-version: 22.22.0
node-version: 24.14.0
cache: npm

- name: Get current version
Expand All @@ -29,31 +42,44 @@ jobs:
id: prerelease
env:
BASE_VERSION: ${{ steps.version.outputs.version }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
run: |
LATEST=$(git tag -l "v${BASE_VERSION}-pre.*" --sort=-version:refname | head -n1)
# Derive the next number from existing RELEASES (incl. drafts + already
# published immutable releases), NOT git tags. Under immutable releases a
# pre-release tag can be permanently reserved in the release ledger while
# never materializing as a git ref, so git-tag-based numbering collides on
# the same number every run. The releases list always reflects burned tags.
LATEST=$(gh api "repos/${REPO}/releases" --paginate \
--jq ".[].tag_name | select(startswith(\"v${BASE_VERSION}-pre.\"))" \
| sed "s|^v${BASE_VERSION}-pre.||" | sort -n | tail -n1)
if [ -z "$LATEST" ]; then
NUM=1
else
NUM=$(echo "$LATEST" | sed "s/v${BASE_VERSION}-pre\.\([0-9]*\)/\1/")
NUM=$((NUM + 1))
NUM=$((LATEST + 1))
fi
TAG="v${BASE_VERSION}-pre.${NUM}"
echo "tag=$TAG" >> "$GITHUB_OUTPUT"

- run: npm ci
- run: npm run build
- run: cp dist/index.html compose-sanitizer.html
- run: cp dist/index.html docker-compose-debugger.html

- name: Create pre-release tag
env:
TAG: ${{ steps.prerelease.outputs.tag }}
run: |
git tag "$TAG"
git push origin "$TAG"

# The repo has immutable releases enabled. softprops/action-gh-release
# creates and publishes in one step, which means the asset upload races
# against the immutable lockdown and fails. Create as draft, upload the
# asset, then publish in a follow-up step.
- uses: softprops/action-gh-release@v2
with:
tag_name: ${{ steps.prerelease.outputs.tag }}
files: compose-sanitizer.html
files: docker-compose-debugger.html
generate_release_notes: true
prerelease: true
draft: true

- name: Publish pre-release
env:
TAG: ${{ steps.prerelease.outputs.tag }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release edit "$TAG" --repo "${{ github.repository }}" --draft=false
18 changes: 14 additions & 4 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,17 +10,27 @@ permissions:
jobs:
release:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v4
- uses: actions/setup-node@v6
with:
node-version: 22.22.0
node-version: 24.14.0
cache: npm
- run: npm ci
- run: npm run build
- run: cp dist/index.html compose-sanitizer.html
- run: cp dist/index.html docker-compose-debugger.html
# Immutable releases require draft-first so assets can be attached
# before the release is locked.
- uses: softprops/action-gh-release@v2
with:
files: compose-sanitizer.html
files: docker-compose-debugger.html
generate_release_notes: true
prerelease: ${{ contains(github.ref, '-') }}
draft: true

- name: Publish release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG: ${{ github.ref_name }}
run: gh release edit "$TAG" --repo "${{ github.repository }}" --draft=false
32 changes: 26 additions & 6 deletions .github/workflows/stable-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,12 @@ permissions:
jobs:
release:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v4
- uses: actions/setup-node@v6
with:
node-version: 22.22.0
node-version: 24.14.0
cache: npm

- name: Validate version format
Expand All @@ -42,13 +43,16 @@ jobs:
- name: Update package.json version
env:
VERSION: ${{ inputs.version }}
run: npm version "$VERSION" --no-git-tag-version
# `npm version` errors when the requested version equals the current
# (which happens when the version was bumped in a PR before the
# release workflow runs). `npm pkg set` is idempotent.
run: npm pkg set "version=$VERSION"

- run: npm ci
- run: npx tsc --noEmit
- run: npx vitest run --passWithNoTests
- run: npm run build
- run: cp dist/index.html compose-sanitizer.html
- run: cp dist/index.html docker-compose-debugger.html

- name: Commit version bump and tag
env:
Expand All @@ -57,13 +61,29 @@ jobs:
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add package.json package-lock.json
git commit -m "chore: release v${VERSION}"
# If the version was already bumped in a PR (so package.json/lock
# are unchanged here) skip the commit. The tag and push still need
# to run.
if ! git diff --cached --quiet; then
git commit -m "chore: release v${VERSION}"
else
echo "package.json already at v${VERSION}; skipping bump commit"
fi
git tag "v${VERSION}"
git push origin main --follow-tags

# Immutable releases require draft-first so assets can be attached
# before the release is locked.
- uses: softprops/action-gh-release@v2
with:
tag_name: v${{ inputs.version }}
files: compose-sanitizer.html
files: docker-compose-debugger.html
generate_release_notes: true
prerelease: false
draft: true

- name: Publish release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG: v${{ inputs.version }}
run: gh release edit "$TAG" --repo "${{ github.repository }}" --draft=false
13 changes: 13 additions & 0 deletions .gitleaks.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# Gitleaks configuration
# https://github.com/gitleaks/gitleaks

title = "docker-compose-debugger gitleaks config"

[allowlist]
description = "Global allowlist"
paths = [
'''node_modules/''',
'''dist/''',
'''coverage/''',
'''package-lock\.json''',
]
Loading
Loading