feat: complete Phase 2 - API server, Dashboard, and CVE sync #14
| name: CI | |
| on: | |
| pull_request: | |
| branches: [main, develop] | |
| push: | |
| branches: [main, develop] | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| # ─── Rust ──────────────────────────────────────────────────────────────── | |
| rust: | |
| name: Rust — fmt / clippy / test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Rust stable | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt, clippy | |
| - name: Cache Cargo | |
| uses: Swatinem/rust-cache@v2 | |
| - name: Check formatting | |
| run: cargo fmt --all -- --check | |
| - name: Clippy (deny warnings) | |
| run: cargo clippy --workspace --all-targets -- -D warnings | |
| - name: Run tests | |
| run: cargo test --workspace | |
| # ─── Frontend ───────────────────────────────────────────────────────────── | |
| web: | |
| name: Web — lint / typecheck / test | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: apps/web | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| - name: Install pnpm | |
| uses: pnpm/action-setup@v3 | |
| with: | |
| version: 9 | |
| - name: Get pnpm store directory | |
| id: pnpm-cache | |
| run: echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT | |
| - name: Cache pnpm store | |
| uses: actions/cache@v4 | |
| with: | |
| path: ${{ steps.pnpm-cache.outputs.STORE_PATH }} | |
| key: pnpm-${{ hashFiles('apps/web/pnpm-lock.yaml') }} | |
| restore-keys: pnpm- | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Lint | |
| run: pnpm lint | |
| - name: Type check | |
| run: pnpm typecheck | |
| - name: Unit tests | |
| run: pnpm test | |
| # ─── VS Code extension ──────────────────────────────────────────────────── | |
| vscode: | |
| name: VS Code extension — lint / compile | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: extensions/vscode | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| - name: Install pnpm | |
| uses: pnpm/action-setup@v3 | |
| with: | |
| version: 9 | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Compile | |
| run: pnpm compile | |
| - name: Lint | |
| run: pnpm lint | |
| # ─── Security audit ─────────────────────────────────────────────────────── | |
| audit: | |
| name: Security audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Rust audit | |
| uses: rustsec/audit-check@v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| - name: Install pnpm | |
| uses: pnpm/action-setup@v3 | |
| with: | |
| version: 9 | |
| - name: npm audit (web) | |
| working-directory: apps/web | |
| run: pnpm install --frozen-lockfile && pnpm audit --audit-level=high | |
| # ─── Deploy (Latest) ────────────────────────────────────────────────────── | |
| deploy: | |
| name: Deploy — Build & Push (Latest) | |
| needs: [rust, web, vscode, audit] | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push API (latest) | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: crates/server/Dockerfile | |
| push: true | |
| tags: ghcr.io/${{ github.repository }}-api:latest | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Build and push Web (latest) | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ./apps/web | |
| push: true | |
| tags: ghcr.io/${{ github.repository }}-web:latest | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max |
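Review bot: Only the `deploy` job declares `permissions:`, so `rust`, `web`, `vscode` and `audit` run with whatever default the repository grants `GITHUB_TOKEN`, which may be read-write. A workflow-level `permissions:` block with `contents: read` would make least privilege the default, with `audit` given only the extra scopes `rustsec/audit-check` turns out to need. Every `uses:` is pinned to a mutable ref (`@v4`, `@v3`, `@stable`), including the three `docker/*` steps in `deploy` that run with `packages: write` and receive the registry password. Pinning at least those to a full commit SHA, e.g. `uses: docker/build-push-action@<full-commit-sha>  # v5`, keeps a retagged release from running with push rights. The images are also published only as `:latest`, so a running image cannot be traced back to a commit; a second tag such as `ghcr.io/${{ github.repository }}-api:${{ github.sha }}` on each build step would fix that.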