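name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege: every job here only needs to read the repository. This
# overrides the repo-wide default GITHUB_TOKEN permissions (which may be
# "read and write"), so a compromised action or dependency running in any job
# cannot use the workflow token to push, open PRs or touch releases.
permissions:
  contents: read

jobs:
  backend:
    name: Backend (install + syntax check)
    runs-on: ubuntu-latest
    # Cap runtime so a hung install or test cannot burn runner minutes for the
    # 6-hour default.
    timeout-minutes: 20
    steps:
      # Third-party actions are pinned to a full commit SHA; the tag after `#`
      # is documentation only, so a moved or hijacked tag cannot change what
      # runs here. Bump the SHA deliberately when upgrading.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: backend/package-lock.json
      - name: Install
        working-directory: backend
        # Lockfile-only production install. NOTE(review): the "Unit tests" step
        # below runs `npm test` against this install; if the test runner is a
        # devDependency that step will fail — drop `--omit=dev` in that case.
        # If no dependency needs a native build, `--ignore-scripts` would also
        # stop install-time lifecycle scripts from running on the runner.
        run: npm ci --omit=dev
      - name: Syntax-check every backend source file
        working-directory: backend
        run: |
          fail=0
          # NUL-delimited file list so paths with whitespace are handled
          # (a plain `for f in $(find ...)` word-splits them). Process
          # substitution keeps the loop in this shell so `fail` survives.
          while IFS= read -r -d '' f; do
            node --check "$f" || { echo "::error file=$f::Syntax error"; fail=1; }
          done < <(find src scripts -type f -name '*.js' -print0)
          exit "$fail"
      - name: Unit tests
        working-directory: backend
        run: npm test

  frontend:
    name: Frontend (build)
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: frontend/package-lock.json
      - name: Install
        working-directory: frontend
        run: npm ci
      - name: Unit tests
        working-directory: frontend
        run: npm run test:unit
      - name: Build
        working-directory: frontend
        run: npm run build

  migrations:
    name: Migrations (lint SQL against Postgres 15)
    runs-on: ubuntu-latest
    timeout-minutes: 15
    services:
      postgres:
        # NOTE(review): a mutable tag — pin to a digest
        # (`postgres:15-alpine@sha256:…`) if this check must be reproducible.
        image: postgres:15-alpine
        env:
          # Throwaway credentials for a container that exists only for this
          # job and is reachable only from the runner; nothing real here.
          POSTGRES_PASSWORD: ci
          POSTGRES_DB: ci
        ports:
          # Quoted: port mappings are strings, not YAML scalars to be retyped.
          - '5432:5432'
        options: >-
          --health-cmd "pg_isready -U postgres"
          --health-interval 5s --health-timeout 5s --health-retries 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Apply every migration in order against a fresh DB
        env:
          PGPASSWORD: ci
        run: |
          # Plain Postgres — the app uses a single `coexistence` schema and no
          # extra roles. Just create the schema, then apply migrations in order.
          psql -h localhost -U postgres -d ci -v ON_ERROR_STOP=1 \
            -c "CREATE SCHEMA IF NOT EXISTS coexistence;"
          # A bare glob already expands in lexical order, so `ls | sort` is not
          # needed, and unlike `$(ls ...)` it does not word-split paths.
          # Fail loudly on an empty directory: a green "applied every
          # migration" run that applied nothing would be a false pass.
          shopt -s nullglob
          files=(db/migrations/*.sql)
          if [ "${#files[@]}" -eq 0 ]; then
            echo "::error::No migrations found under db/migrations"
            exit 1
          fi
          for f in "${files[@]}"; do
            echo "→ Applying $f"
            psql -h localhost -U postgres -d ci -v ON_ERROR_STOP=1 -f "$f" \
              || { echo "::error file=$f::Migration failed"; exit 1; }
          done

  secret-scan:
    name: Secret scan (reject obvious tokens)
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Full history is fetched, but the scan below only reads the files
          # tracked at HEAD: a token committed and later removed is NOT caught.
          # A history-aware scanner would be needed to close that gap.
          fetch-depth: 0
      - name: Grep for high-confidence secret patterns
        run: |
          # Meta tokens (EAA…), GitHub PATs (ghp_…), OpenAI keys (sk-…),
          # AWS access key IDs (AKIA…).
          #
          # `git grep` searches tracked files directly and exits 0 on a match,
          # 1 on none, >1 on error. The previous `git ls-files | xargs grep`
          # pipeline tested xargs' status instead, which is 123 whenever ANY
          # grep batch found nothing — so on a tree large enough for xargs to
          # split the file list, a real hit in one batch could be masked by a
          # miss in another, and a grep error (stderr was discarded) read as
          # "no secrets". -I skips binary files; -l prints only the file names
          # so a detected token is not echoed into a (possibly public) job log.
          status=0
          git grep -E -I -l -- 'EAA[A-Za-z0-9_-]{60,}|ghp_[A-Za-z0-9]{30,}|sk-[A-Za-z0-9]{30,}|AKIA[0-9A-Z]{16}' || status=$?
          case "$status" in
            0)
              echo "::error::High-confidence secret pattern detected in tracked files"
              exit 1
              ;;
            1)
              echo "No secrets found in tracked files."
              ;;
            *)
              # Fail closed: an error in the scanner must not look like a pass.
              echo "::error::git grep failed with exit status $status"
              exit "$status"
              ;;
          esac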