You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+1Lines changed: 1 addition & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -122,6 +122,7 @@ Errors: `{ "error": "message" }`. Rate limit: `429` with standard rate-limit hea
122
122
|`npm run test:watch`| Vitest watch. |
123
123
|`npm run test:coverage`| Tests + coverage. |
124
124
|`npm run lint`| ESLint. |
125
+
|`npm run contract`| Validate `docs/openapi.yaml` with Redocly CLI. |
125
126
|`npm run smoke`| Curl-based smoke test against a running instance (`BASE_URL`, `QUERY`, `COUNT`, optional `CLIENT_API_KEY`). |
126
127
|`npm run benchmark:local`| Builds the app, starts a fake GNews provider, and measures cold searches vs warm cache hits. See [docs/BENCHMARKS.md](docs/BENCHMARKS.md). |
Copy file name to clipboardExpand all lines: docs/CI.md
+10-8Lines changed: 10 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,26 +9,27 @@ The [workflow](../.github/workflows/ci.yml) runs on `ubuntu-latest` with **Node.
9
9
1.**`npm ci`** — reproducible install from `package-lock.json`.
10
10
2.**`npm audit --audit-level=high`** — fails the job if high or critical advisories remain.
11
11
3.**`npm run lint`** — [ESLint](https://eslint.org/) on `src/`, `test/`, and `vitest.config.ts`.
12
-
4.**`npm test`** — [Vitest](https://vitest.dev/). GNews is **not** called: tests mock `axios`; no API key in GitHub Actions.
13
-
5.**`npm run test:coverage`** — **Node 22 only**; uploads the `coverage/` directory (including `lcov.info`) as a workflow artifact named `coverage-lcov`.
14
-
6.**[Codecov](https://codecov.io)** — **Node 22 only**; uploads `coverage/lcov.info`. For private repos set repository secret `CODECOV_TOKEN`. `fail_ci_if_error` is off so missing token does not break the build.
15
-
7.**`npm run build`** — TypeScript compile to `dist/`.
12
+
4.**`npm run contract`** — [Redocly CLI](https://redocly.com/docs/cli) validates `docs/openapi.yaml` so the published API contract stays parseable and policy-compliant.
13
+
5.**`npm test`** — [Vitest](https://vitest.dev/). GNews is **not** called: tests mock `axios`; no API key in GitHub Actions.
14
+
6.**`npm run test:coverage`** — **Node 22 only**; uploads the `coverage/` directory (including `lcov.info`) as a workflow artifact named `coverage-lcov`.
15
+
7.**[Codecov](https://codecov.io)** — **Node 22 only**; uploads `coverage/lcov.info`. For private repos set repository secret `CODECOV_TOKEN`. `fail_ci_if_error` is off so missing token does not break the build.
16
+
8.**`npm run build`** — TypeScript compile to `dist/`.
16
17
17
18
### Container (`docker` job)
18
19
19
-
8.**Buildx build** — [Dockerfile](../Dockerfile) with **`provenance: mode=max`** and **SBOM** (no registry push). Validates supply-chain metadata generation in CI.
20
+
9.**Buildx build** — [Dockerfile](../Dockerfile) with **`provenance: mode=max`** and **SBOM** (no registry push). Validates supply-chain metadata generation in CI.
20
21
21
22
### Pull requests only
22
23
23
-
9.**[Dependency review](../.github/workflows/dependency-review.yml)** — flags vulnerable or blocked dependencies introduced by the PR.
24
+
10.**[Dependency review](../.github/workflows/dependency-review.yml)** — flags vulnerable or blocked dependencies introduced by the PR.
24
25
25
26
### Every push / PR (supply chain)
26
27
27
-
10.**[SBOM](../.github/workflows/supply-chain.yml)** — [Anchore SBOM Action](https://github.com/anchore/sbom-action) produces SPDX JSON and uploads it as a workflow artifact.
28
+
11.**[SBOM](../.github/workflows/supply-chain.yml)** — [Anchore SBOM Action](https://github.com/anchore/sbom-action) produces SPDX JSON and uploads it as a workflow artifact.
28
29
29
30
### `main` branch pushes only
30
31
31
-
11.**[Provenance](../.github/workflows/provenance.yml)** — [build provenance attestation](https://github.com/actions/attest-build-provenance) for `package-lock.json` (best-effort; `continue-on-error` if attestations are unavailable on the plan).
32
+
12.**[Provenance](../.github/workflows/provenance.yml)** — [build provenance attestation](https://github.com/actions/attest-build-provenance) for `package-lock.json` (best-effort; `continue-on-error` if attestations are unavailable on the plan).
32
33
33
34
### Code scanning (`CodeQL` workflow)
34
35
@@ -48,6 +49,7 @@ When you push an annotated tag matching `v*.*.*`, [release.yml](../.github/workf
0 commit comments