ci: add Windows runners to catch cross-platform regressions #33
Merged
The previous PR (#32) fixed three production bugs that were invisible in CI because every job ran on ubuntu-latest. This adds Windows coverage so the same class of bug fails CI before it lands.

New jobs:
- test-windows: full matrix of Node 20, 22, 24 on windows-latest. Mirrors the existing ubuntu test matrix step-for-step except it skips the coverage upload (already produced by the ubuntu Node 20 leg). fail-fast: false so a single Node-version failure does not mask others.
- e2e-windows: runs npm run test:e2e:cli only. The CLI e2e suite uncovered the HOME->USERPROFILE bug fixed in #32, so it is the highest-value Windows e2e to gate on. The Playwright-driven web e2e is left ubuntu-only because it has not been validated end-to-end on Windows in this change.

Both new jobs are added to the build and sbom needs lists so a Windows failure blocks the rest of the pipeline.

Lint, typecheck, dependency-review, build, and sbom remain ubuntu-only. They are platform-agnostic and adding Windows there would not catch additional bugs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Follow-up to #32. The 3 production bugs fixed there were invisible to CI because every job runs on ubuntu-latest. This adds Windows coverage so the same class of bug fails CI before it lands.
Changes
- test
- test-windows (new): test step-for-step. Skips coverage upload (already produced by ubuntu Node 20). fail-fast: false so one Node-version failure doesn't mask others.
- e2e: test:e2e (CLI + Playwright web).
- e2e-windows (new): test:e2e:cli only. The CLI e2e is what surfaced the HOME → USERPROFILE bug fixed in #32, so it's the highest-value Windows e2e to gate on.
- lint, typecheck, dependency-review, build, sbom

build.needs and sbom.needs now include the new Windows jobs, so a Windows failure blocks the rest of the pipeline.
Why not run Playwright web e2e on Windows too?
I haven't validated the Playwright web suite on Windows in this change. Adding it without validation could yield unrelated, noisy failures and erode trust in the gate. Easy to add as a second follow-up once it's been verified.
Why not also run lint/typecheck/build on Windows?
.js that runs anywhere; the build scripts (cpSync, inline node) are portable. (Verified locally.)
Cost
3 extra Windows test jobs + 1 Windows e2e job per CI run. Tests run ~10s on Windows locally, so the runner-minute impact is small.
Out of scope
The other follow-up I noted in #32 — symlink-realpath hardening on the file-download endpoint — is not addressed here. The web routes only serve files the analyzer itself wrote (plain markdown/JSON), so there's no realistic path for an attacker to plant a symlink inside the served directory. Happy to revisit if generated outputs ever start including arbitrary files (e.g., copied from cloned repos).
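
The symlink-realpath hardening named under "Out of scope" is a containment check on the canonical path. The sketch below is an added example, not code from this PR or the project; `resolveInside`, `demo` and the directory layout are hypothetical, and the fixture is constructed.

```javascript
// Added example: realpath containment check for a file-download handler.
// resolveInside() and the fixture layout are hypothetical, not project code.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Returns the canonical path of `name` under `baseDir`, or null when the
// request escapes baseDir lexically (../) or through a symlink.
function resolveInside(baseDir, name) {
  let realBase, realTarget;
  try {
    realBase = fs.realpathSync(baseDir);
    // Resolve against the canonical base, then follow every symlink.
    realTarget = fs.realpathSync(path.resolve(realBase, name));
  } catch {
    return null; // missing file, dangling link, or unreadable path
  }
  const rel = path.relative(realBase, realTarget);
  // Outside if rel climbs upward or (on Windows) lands on another drive.
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) return null;
  return fs.statSync(realTarget).isFile() ? realTarget : null;
}

// Constructed fixture: a served directory holding one report and one
// symlink that points at a file outside it.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'served-'));
  const served = path.join(root, 'out');
  fs.mkdirSync(served);
  fs.writeFileSync(path.join(served, 'report.md'), '# report\n');
  fs.writeFileSync(path.join(root, 'secret.txt'), 'outside\n');
  try {
    fs.symlinkSync(path.join(root, 'secret.txt'), path.join(served, 'link.md'));
  } catch {
    // Windows without symlink privilege: link.md is simply absent.
  }
  const result = {
    plain: resolveInside(served, 'report.md') !== null,
    traversal: resolveInside(served, '../secret.txt') !== null,
    symlink: resolveInside(served, 'link.md') !== null,
    missing: resolveInside(served, 'nope.md') !== null,
  };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

Comparing canonical paths with `path.relative` rather than a string prefix avoids treating a sibling directory such as `out-old` as being inside `out`.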