chore(deps): bump actions/checkout from 4 to 6 #160
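name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# NOTE(review): the third-party actions below are pinned by major tag only
# (@v4/@v6). Pinning to a full commit SHA with the tag in a trailing comment is
# the usual supply-chain hardening for workflows; left as tags here because the
# matching SHAs are not on record in this file.
jobs:
  quality:
    runs-on: ubuntu-latest
    # Read-only token: nothing in this job needs to write to the repository.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - name: Build shared package
        run: pnpm --filter @context-sync/shared build
      - name: Lint
        run: pnpm lint
      - name: Typecheck
        run: pnpm typecheck
      - name: Test with coverage
        run: pnpm test:coverage

  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - name: Security audit
        # fast-jwt <=6.1.0 has 2 unpatched advisories (patched: <0.0.0):
        #   GHSA-mvf2-f6gm-w987 (RSA algorithm confusion — not applicable: HMAC-only)
        #   GHSA-hm7r-c7qw-ghp6 (crit header — not applicable: self-issued tokens only)
        # These two are allow-listed by advisory ID until an upstream fix ships.
        #
        # The filter works on `pnpm audit --json` instead of grepping the text
        # report. Grepping counted *lines* that mention fast-jwt rather than
        # advisories, so a genuine high/critical finding could be cancelled out
        # of the "actionable" total, and an audit that failed outright (registry
        # error, no report) matched none of the patterns and passed silently.
        # Here a missing or unparsable report fails the job (fail closed).
        run: |
          set -euo pipefail
          # A non-zero exit only means findings at/above the audit level; the
          # JSON report is still written, so keep going and inspect it.
          pnpm audit --audit-level=high --json > audit.json || true
          node - <<'EOF'
          const fs = require('fs');

          // Allow-listed advisories, with the reason each one is accepted.
          const IGNORED_GHSAS = new Set([
            'GHSA-mvf2-f6gm-w987', // fast-jwt: RSA algorithm confusion — HMAC-only here
            'GHSA-hm7r-c7qw-ghp6', // fast-jwt: crit header — self-issued tokens only
          ]);

          let report;
          try {
            report = JSON.parse(fs.readFileSync('audit.json', 'utf8'));
          } catch (err) {
            // No parsable report means the audit itself failed: do not pass on that.
            console.error(`::error::pnpm audit did not produce a JSON report: ${err.message}`);
            process.exit(1);
          }

          // NOTE(review): assumes the npm-style report shape (`advisories` keyed by
          // id, each with `severity`, `module_name`, and `github_advisory_id` or a
          // GHSA `url`) — confirm against the pnpm version in use.
          const advisories = Object.values(report.advisories || {});
          const ghsaOf = (a) =>
            a.github_advisory_id ||
            (String(a.url || '').match(/GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/) || [])[0];

          const severe = advisories.filter((a) => a.severity === 'high' || a.severity === 'critical');
          const actionable = severe.filter((a) => !IGNORED_GHSAS.has(ghsaOf(a)));

          // Print every high/critical finding so the log shows what was ignored and why.
          for (const a of severe) {
            const tag = IGNORED_GHSAS.has(ghsaOf(a)) ? 'ignored' : 'ACTIONABLE';
            console.log(`${tag}: ${a.severity} ${a.module_name || ''} ${ghsaOf(a) || a.url || ''} ${a.title || ''}`);
          }

          if (actionable.length > 0) {
            console.error(`::error::Found ${actionable.length} actionable high/critical vulnerabilities (excluding allow-listed fast-jwt advisories)`);
            process.exit(1);
          }
          console.log(`No actionable high/critical vulnerabilities (${severe.length} allow-listed fast-jwt advisories)`);
          EOF

  e2e-clean:
    needs: quality
    runs-on: ubuntu-latest
    # Same read-only token as the other two jobs. Without an explicit block this
    # job inherited the repository's default GITHUB_TOKEN permissions, which can
    # be broader than `contents: read`.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - name: Build shared package
        run: pnpm --filter @context-sync/shared build
      - name: Install Playwright browsers
        run: pnpm exec playwright install --with-deps chromium
      - name: Run clean environment E2E tests
        run: pnpm test:e2e:clean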