TehRiehlDeal
6fd0df0379
frontend-ci / secrets-scan (push) Successful in 5s
frontend-ci / sast (push) Successful in 8s
frontend-ci / fs-scan (push) Successful in 13s
frontend-ci / lint (push) Successful in 15s
frontend-ci / typecheck (push) Successful in 15s
frontend-ci / build (push) Successful in 37s
frontend-ci / push (push) Has been skipped
frontend-ci / secrets-scan (pull_request) Successful in 4s
frontend-ci / sast (pull_request) Successful in 8s
frontend-ci / fs-scan (pull_request) Successful in 11s
frontend-ci / lint (pull_request) Successful in 14s
frontend-ci / typecheck (pull_request) Successful in 14s
frontend-ci / build (pull_request) Successful in 38s
frontend-ci / push (pull_request) Has been skipped
Lint had it explicit; typecheck relied on setup-node's lockfile auto-discovery, which can fail with a fast (1s) exit on the Gitea runner. Mirror the backend fix and set the path explicitly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
119 lines
3.5 KiB
YAML
119 lines
3.5 KiB
YAML
name: frontend-ci
|
|
|
|
on:
|
|
push:
|
|
branches: ["**"]
|
|
tags: ["v*"]
|
|
pull_request:
|
|
|
|
env:
|
|
IMAGE: ${{ secrets.HARBOR_HOST }}/movieloop/frontend
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: npm
|
|
cache-dependency-path: package-lock.json
|
|
- run: npm ci
|
|
- run: npx eslint .
|
|
|
|
typecheck:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: npm
|
|
cache-dependency-path: package-lock.json
|
|
- run: npm ci
|
|
- run: npx tsc -b
|
|
|
|
secrets-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Install and run gitleaks
|
|
run: |
|
|
GL_VERSION=8.18.4
|
|
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GL_VERSION}/gitleaks_${GL_VERSION}_linux_x64.tar.gz" \
|
|
| tar xz -C /tmp gitleaks
|
|
/tmp/gitleaks detect --redact --no-banner --verbose --source .
|
|
|
|
sast:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: returntocorp/semgrep-action@v1
|
|
with:
|
|
config: "p/auto"
|
|
|
|
fs-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Install and run Trivy (filesystem)
|
|
run: |
|
|
TRIVY_VERSION=0.70.0
|
|
curl -sSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
|
|
| tar xz -C /tmp trivy
|
|
/tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress .
|
|
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
needs: [lint, typecheck]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: docker/setup-buildx-action@v3
|
|
- uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: Dockerfile
|
|
target: production
|
|
tags: movieloop-frontend:ci-${{ github.sha }}
|
|
load: true
|
|
- name: Install and run Trivy (image)
|
|
run: |
|
|
TRIVY_VERSION=0.70.0
|
|
curl -sSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
|
|
| tar xz -C /tmp trivy
|
|
/tmp/trivy image --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress \
|
|
movieloop-frontend:ci-${{ github.sha }}
|
|
|
|
push:
|
|
runs-on: ubuntu-latest
|
|
needs: [build, secrets-scan, sast, fs-scan]
|
|
if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: docker/setup-buildx-action@v3
|
|
- uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ secrets.HARBOR_HOST }}
|
|
username: ${{ secrets.MOVIELOOP_USERNAME }}
|
|
password: ${{ secrets.MOVIELOOP_PASSWORD }}
|
|
- uses: docker/metadata-action@v5
|
|
id: meta
|
|
with:
|
|
images: ${{ env.IMAGE }}
|
|
tags: |
|
|
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
|
|
type=sha,format=long
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=semver,pattern={{major}}
|
|
- uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: Dockerfile
|
|
target: production
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|