Add CI pipeline: type checking, integration tests, security scanning

van-reflect · van-reflect · commit ebb34faf2199 · 2026-03-07T09:18:24.000-08:00
GitHub Actions workflow (.github/workflows/ci.yml) runs on every push and PR to main with four parallel jobs: 1. TypeScript compile (tsc --noEmit, strict mode) 2. Integration test suite against the live API 3. Security checks: secret pattern scanning, .gitignore verification, sensitive file tracking detection 4. Dependency audit (npm audit --production, high severity threshold) Integration test suite (tests/api.test.mjs): - Zero dependencies, native fetch + node:assert - 20 test cases covering auth, writes (all memory_type values), validation (empty title, missing content, invalid type), reads, browse, tag filtering, 404 handling, and response shape assertions - Verifies error responses do not leak stack traces or file paths - Each run uses a unique tag for test data isolation - Runnable standalone: REFLECT_TEST_API_KEY=key node tests/api.test.mjs Security scanner (.github/workflows/security.yml): - Scans for AWS, Stripe, OpenAI, GitHub, Slack, SendGrid, and Reflect Memory key patterns across all tracked files - Verifies .env, credentials.json, and similar files are not tracked Requires REFLECT_TEST_API_KEY repository secret for integration tests. REFLECT_TEST_BASE_URL configurable via repository variables (defaults to https://api.reflectmemory.com). Made-with: Cursor
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,118 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  NODE_VERSION: "20"
+
+jobs:
+  typecheck:
+    name: TypeScript Compile
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: npm
+      - run: npm ci
+      - run: npx tsc --noEmit
+
+  integration-tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
+    env:
+      REFLECT_TEST_API_KEY: ${{ secrets.REFLECT_TEST_API_KEY }}
+      REFLECT_TEST_BASE_URL: ${{ vars.REFLECT_TEST_BASE_URL }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+      - name: Run API integration tests
+        run: node tests/api.test.mjs
+
+  security:
+    name: Security Checks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Verify .env files are gitignored
+        run: |
+          MISSING=0
+          for pattern in '.env' '.env.local' '.env.production'; do
+            if ! grep -q "^${pattern}$" .gitignore 2>/dev/null && \
+               ! grep -q "^\.env\*$" .gitignore 2>/dev/null; then
+              echo "::warning::${pattern} not explicitly in .gitignore"
+            fi
+          done
+          if ! grep -q '\.env' .gitignore 2>/dev/null; then
+            echo "::error::.env is not in .gitignore"
+            exit 1
+          fi
+
+      - name: Verify no sensitive files are tracked
+        run: |
+          SENSITIVE=(.env .env.local .env.production credentials.json serviceAccountKey.json)
+          for f in "${SENSITIVE[@]}"; do
+            if git ls-files --error-unmatch "$f" 2>/dev/null; then
+              echo "::error::Sensitive file '${f}' is tracked by git — remove it and rotate credentials"
+              exit 1
+            fi
+          done
+
+      - name: Scan for hardcoded secrets
+        run: |
+          PATTERNS=(
+            'AKIA[0-9A-Z]{16}'
+            'sk-[a-zA-Z0-9]{20,}'
+            'sk_live_[a-zA-Z0-9]{20,}'
+            'rk_live_[a-zA-Z0-9]{20,}'
+            'ghp_[a-zA-Z0-9]{36}'
+            'gho_[a-zA-Z0-9]{36}'
+            'github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}'
+            'glpat-[a-zA-Z0-9\-]{20,}'
+            'xox[bpors]-[a-zA-Z0-9\-]+'
+            'SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}'
+            'rm_live_[a-f0-9]{48}'
+          )
+
+          FAILED=0
+          for pattern in "${PATTERNS[@]}"; do
+            MATCHES=$(grep -rEn "$pattern" \
+              --include='*.ts' --include='*.js' --include='*.mjs' \
+              --include='*.json' --include='*.yml' --include='*.yaml' \
+              --include='*.md' --include='*.env.*' \
+              --exclude-dir=node_modules --exclude-dir=dist \
+              --exclude-dir=.git --exclude='package-lock.json' \
+              --exclude='ci.yml' --exclude='security.yml' \
+              . 2>/dev/null || true)
+
+            if [ -n "$MATCHES" ]; then
+              echo "::error::Potential secret matching: ${pattern:0:20}..."
+              echo "$MATCHES" | head -5
+              FAILED=1
+            fi
+          done
+
+          if [ "$FAILED" -eq 1 ]; then
+            exit 1
+          fi
+
+  audit:
+    name: Dependency Audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: npm
+      - run: npm ci
+      - run: npm audit --production --audit-level=high
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,82 @@
+# Reflect Memory — Security Scanner
+# Runs on the public repo. Scans all files for accidentally committed secrets.
+
+name: Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  secrets-scan:
+    name: Scan for Secrets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Scan all files for hardcoded secrets
+        run: |
+          echo "Scanning repository for hardcoded secrets..."
+
+          PATTERNS=(
+            'AKIA[0-9A-Z]{16}'                                                    # AWS access key ID
+            'sk-[a-zA-Z0-9]{20,}'                                                 # OpenAI / Stripe secret key
+            'sk_live_[a-zA-Z0-9]{20,}'                                             # Stripe live secret key
+            'rk_live_[a-zA-Z0-9]{20,}'                                             # Stripe restricted key
+            'ghp_[a-zA-Z0-9]{36}'                                                  # GitHub PAT
+            'gho_[a-zA-Z0-9]{36}'                                                  # GitHub OAuth
+            'github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}'                           # GitHub fine-grained PAT
+            'glpat-[a-zA-Z0-9\-]{20,}'                                             # GitLab PAT
+            'xox[bpors]-[a-zA-Z0-9\-]+'                                            # Slack token
+            'hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[a-zA-Z0-9]+'       # Slack webhook
+            'sq0atp-[a-zA-Z0-9\-_]{22}'                                            # Square access token
+            'eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}'      # JWT
+            'SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}'                            # SendGrid API key
+            'key-[a-zA-Z0-9]{32}'                                                  # Mailgun key
+            'rm_live_[a-f0-9]{48}'                                                 # Reflect Memory live key
+          )
+
+          FAILED=0
+          for pattern in "${PATTERNS[@]}"; do
+            MATCHES=$(grep -rEn "$pattern" \
+              --exclude-dir=node_modules --exclude-dir=dist \
+              --exclude-dir=.git --exclude='package-lock.json' \
+              --exclude='security.yml' --exclude='ci.yml' \
+              . 2>/dev/null || true)
+
+            if [ -n "$MATCHES" ]; then
+              echo "::error::Potential secret matching pattern: ${pattern:0:30}..."
+              echo "$MATCHES" | head -20
+              FAILED=1
+            fi
+          done
+
+          if [ "$FAILED" -eq 1 ]; then
+            echo ""
+            echo "::error::Secrets detected in repository. Remove them and rotate the credentials."
+            exit 1
+          fi
+
+          echo "✓ No hardcoded secrets detected"
+
+      - name: Verify sensitive files are gitignored
+        run: |
+          SENSITIVE_FILES=(.env .env.local .env.production credentials.json serviceAccountKey.json)
+          FAILED=0
+
+          for f in "${SENSITIVE_FILES[@]}"; do
+            if git ls-files --error-unmatch "$f" 2>/dev/null; then
+              echo "::error::Sensitive file '$f' is tracked by git"
+              FAILED=1
+            fi
+          done
+
+          if [ "$FAILED" -eq 1 ]; then
+            exit 1
+          fi
+
+          echo "✓ No sensitive files tracked"
diff --git a/tests/api.test.mjs b/tests/api.test.mjs
