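---
# CI workflow: a fast static "type firewall" gate followed by the runtime
# test matrix (Node, Bun, Deno) and a coverage threshold.
#
# Triggers:
#   - pushes to main
#   - release tags. NOTE(review): GitHub's `*` glob does not stop at `-`, so
#     'v*.*.*' already matches pre-release tags such as v1.2.3-rc1; the second
#     pattern is kept for explicitness but is redundant.
#   - pull requests targeting main. Fork PRs run under `pull_request` (not
#     `pull_request_target`), so they never receive a write-capable token or
#     repository secrets — keep it that way.
name: CI

on:
  push:
    branches: [main]
    tags: ['v*.*.*', 'v*.*.*-*']
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN. Nothing in this workflow pushes, publishes,
# or writes checks/comments, so a read-only token is sufficient. Without this
# block, a repository whose default token permission is "read and write" hands
# every third-party action in this workflow a write-capable token. If a job
# that needs more is added later, grant it per-job rather than widening this.
permissions:
  contents: read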
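jobs:
  # ── IRONCLAD M9 static firewall ──────────────────────────────────────────
  # Primary fast gate: the static quality checks that should fail quickly
  # before the heavier runtime matrix jobs start. It MUST pass before any PR
  # can merge — configure it as a required status check in GitHub branch
  # protection. The security audit stays advisory here so CI keeps a single
  # authoritative gate instead of duplicating lint/type work in a second job.
  #
  # NOTE(review): every `uses:` in this file is pinned to a mutable major tag
  # (`@v6`). A tag can be moved to different code by whoever controls the
  # action repository; pinning to a full commit SHA (with the tag kept in a
  # trailing comment for readability) makes the action content immutable.
  # The SHAs are deliberately not guessed here — resolve them from upstream.
  type-firewall:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Use Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'npm'
      # `npm ci` installs exactly what package-lock.json records, but it still
      # runs dependency lifecycle scripts (preinstall/postinstall) with the
      # runner's privileges. If no dependency needs them, `--ignore-scripts`
      # removes that attack surface — verify against the lockfile before adding.
      - run: npm ci
      # Gate 1 is advisory: a failure is logged but does not fail the job.
      - name: 'Gate 1: TypeScript compiler (advisory — JSDoc JS produces false positives across module boundaries)'
        continue-on-error: true
        run: npm run typecheck:src
      - name: 'Gate 2: IRONCLAD policy checker (any/wildcard/ts-ignore ban)'
        run: npm run typecheck:policy
      - name: 'Gate 3: Consumer type surface test'
        run: npm run typecheck:consumer
      - name: 'Gate 4: ESLint (typed rules + no-explicit-any)'
        run: npm run lint
      - name: 'Gate 4b: Lint ratchet (zero-error invariant)'
        run: npm run lint:ratchet
      - name: 'Gate 5: Declaration surface validator (manifest vs index.d.ts vs index.js)'
        run: npm run typecheck:surface
      - name: 'Gate 6: Markdown lint (fenced code blocks require language)'
        run: npm run lint:md
      - name: 'Gate 7: Markdown JS/TS code-sample syntax check'
        run: npm run lint:md:code
      # Advisory by design (see the job header comment). The consequence is
      # that a high-severity advisory in a runtime dependency is logged but
      # never blocks a merge — somebody has to read the log. `--omit=dev`
      # scopes the audit to dependencies that ship to consumers.
      - name: 'Gate 8: Security audit (runtime deps, advisory)'
        continue-on-error: true
        run: npm audit --omit=dev --audit-level=high

  # Advisory checkJs pass over the test tree. Job-level `continue-on-error`
  # means its failure never fails the workflow run, so it must not be listed
  # as a required status check.
  typecheck-test-advisory:
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v6
      - name: Use Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'npm'
      - run: npm ci
      - name: 'Advisory: JS test checkJs surface'
        run: npm run typecheck:test

  # Unit + integration tests on Node. The matrix currently has a single entry;
  # add versions here rather than duplicating the job.
  test-node:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node: [22]
    steps:
      - uses: actions/checkout@v6
      - name: Use Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '${{ matrix.node }}'
          cache: 'npm'
      - name: Install BATS
        run: sudo apt-get update && sudo apt-get install -y bats
      - name: Install dependencies
        run: npm ci
      # Put the repo's CLI entry points on PATH so the BATS suites can invoke
      # them by name. git-warp is installed as-is; warp-graph is a tiny wrapper
      # that execs node on the checked-out script. Written as a heredoc instead
      # of a nested `sh -c "printf …"` so the shim's contents can be read and
      # diffed directly. The heredoc is intentionally unquoted: $GITHUB_WORKSPACE
      # is expanded when the shim is written, while the escaped \$@ survives
      # into the file so arguments are forwarded at call time.
      - name: Install CLI shims
        run: |
          sudo install -m 0755 bin/git-warp /usr/local/bin/git-warp
          sudo tee /usr/local/bin/warp-graph >/dev/null <<EOF
          #!/usr/bin/env bash
          exec node "$GITHUB_WORKSPACE/bin/warp-graph.js" "\$@"
          EOF
          sudo chmod +x /usr/local/bin/warp-graph
      - name: Run unit + integration tests
        run: npm run test:node22:ci

  # Bun and Deno suites run inside containers defined in docker-compose.test.yml
  # (not shown here); the images and what they mount are reviewed in that file.
  test-bun:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Run Bun integration tests
        run: docker compose -f docker-compose.test.yml run --rm test-bun

  test-deno:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Run Deno integration tests
        run: docker compose -f docker-compose.test.yml run --rm test-deno

  # Hard gate (no continue-on-error): the coverage threshold enforced by the
  # npm script must be met for the job to pass.
  coverage-threshold:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Use Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'npm'
      - run: npm ci
      - name: 'Gate 9: Unit coverage threshold'
        run: npm run test:coverage:ci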