vortex.dev/.github/workflows/ci.yml at main · vortex-data/vortex.dev · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Cancel in-flight runs for the same workflow + ref. Including
# `github.workflow` in the key keeps this from colliding with any other
# workflow that happens to share a ref-based group prefix.
concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least-privilege: this workflow only reads the repo to lint/build/verify; it
# never writes back. Anything that needs write scopes lives in a separate
# workflow with its own scoped permissions.
permissions:
  contents: read

jobs:
  ci:
    name: Lint, build, verify
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6  # v2.2.0
        with:
          bun-version: 1.3.13

      # Bun is the package manager and script runner, but Next.js (and tsc)
      # run on Node. ubuntu-latest's default Node version drifts; pin via
      # .nvmrc so a future GitHub bump can't break the build silently.
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
        with:
          node-version-file: .nvmrc

      # Cache Bun's resolved package store keyed on the lockfile hash. Cuts
      # ~10s off `bun install` on a clean runner; the restore-key falls back
      # to any prior cache from this OS so partial hits still help.
      - name: Cache Bun install cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
        with:
          path: ~/.bun/install/cache
          key: ${{ runner.os }}-bun-${{ hashFiles('bun.lock') }}
          restore-keys: |
            ${{ runner.os }}-bun-

      # Cache Next.js's incremental build output. Keyed on lockfile + commit
      # SHA so the exact-key match is always per-commit fresh; restore-keys
      # fall back to any previous build on the same lockfile, then any build
      # on this OS — so most CI runs hit a cache and skip rebuilding
      # unchanged webpack modules.
      - name: Cache Next.js build cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
        with:
          path: ${{ github.workspace }}/.next/cache
          key: ${{ runner.os }}-nextjs-${{ hashFiles('bun.lock') }}-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-nextjs-${{ hashFiles('bun.lock') }}-
            ${{ runner.os }}-nextjs-

      - name: Install
        run: bun install --frozen-lockfile

      - name: Lint + format check
        run: bun run check:ci

      # Build BEFORE typecheck: the build runs velite (populating .velite/
      # which the `#site/content` path alias resolves to) and produces
      # next-env.d.ts. tsc fails without these, so order matters here.
      - name: Build
        run: bun run build

      - name: Type check
        run: bun run typecheck

      - name: Start server
        run: |
          bun run start > /tmp/server.log 2>&1 &
          echo $! > /tmp/server.pid
          for i in $(seq 1 30); do
            if curl -sf http://localhost:3000 > /dev/null; then
              echo "server ready"
              exit 0
            fi
            sleep 1
          done
          echo "server failed to start in 30s"
          cat /tmp/server.log
          exit 1

      - name: Verify endpoints
        run: bun run verify

      # Hard-gates on vulnerable direct/transitive deps. Two advisories are
      # ignored because they're upstream-blocked (both via @lhci/cli@0.15.1
      # and resend's transitive svix; both dev-/server-side with no
      # exploitable code path) — see CLAUDE.md "Audit advisories" for
      # context and removal triggers. Any new advisory fails the job.
      - name: Dependency audit
        run: bun audit --ignore=GHSA-w5hq-g745-h8pq --ignore=GHSA-52f5-9888-hmc6

      # Playwright browsers are ~250 MB. Cache them keyed on the
      # @playwright/test version pinned in package.json — invalidates on
      # bumps, hits otherwise. System deps (apt packages) aren't covered by
      # the cache, so install those separately even on cache hit (~10s vs
      # ~3min for the full install).
      - name: Get Playwright version
        id: playwright-version
        run: |
          VERSION=$(grep -oE '"@playwright/test": "[^"]+"' package.json | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
          echo "version=$VERSION" >> $GITHUB_OUTPUT

      - name: Cache Playwright browsers
        id: playwright-cache
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
        with:
          path: ~/.cache/ms-playwright
          key: ${{ runner.os }}-playwright-${{ steps.playwright-version.outputs.version }}

      - name: Install Playwright browsers (cache miss)
        if: steps.playwright-cache.outputs.cache-hit != 'true'
        run: bunx playwright install --with-deps chromium webkit

      - name: Install Playwright system deps (cache hit)
        if: steps.playwright-cache.outputs.cache-hit == 'true'
        run: bunx playwright install-deps chromium webkit

      - name: Browser smoke tests
        run: bun run test:e2e

      - name: Upload Playwright report
        if: failure()
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: playwright-report
          path: playwright-report/
          retention-days: 7

      - name: Stop server
        if: always()
        run: |
          if [ -f /tmp/server.pid ]; then
            kill $(cat /tmp/server.pid) 2>/dev/null || true
          fi

      - name: Server logs (on failure)
        if: failure()
        run: cat /tmp/server.log || true

  # Runs only on PRs (no baseline diff to compute on a push to main).
  # Compares the PR's dependency manifest against main and flags
  # high-severity advisories or license incompatibilities. Posts a summary
  # comment on the PR when it finds something. continue-on-error while we
  # establish a baseline of acceptable findings.
  dependency-review:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
      - name: Dependency Review
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48  # v4.9.0
        continue-on-error: true
        with:
          fail-on-severity: high
          comment-summary-in-pr: on-failure