Add SECURITY.md and CONTRIBUTING.md for openCode badge eligibility #190

Workflow file for this run

name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  build-and-test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [22]
    steps:
      - uses: actions/checkout@v6
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}
          cache: npm
      - name: Install dependencies
        run: npm ci
      # ── Verification pipeline ─────────────────────────────────────────────
      #
      # Order matches the local canonical pipeline (state56):
      # format:check → lint → build → test → validate-html → ODF-validator
      #
      # Rationale: fail fast on the cheapest checks first (format/lint take
      # seconds and don't depend on build output), then build, then test,
      # then the heavier validators. A single mental model across local and
      # CI makes failures faster to reproduce locally.
      - name: Check formatting
        run: npm run format:check
      - name: Lint
        run: npm run lint
      - name: Build
        run: npm run build
      - name: Test
        run: npm test
      - name: Validate HTML
        run: npm run validate-html
      # ── ODF Spec Validation ───────────────────────────────────────────────
      #
      # Downloads the OASIS ODF Validator jar (cached between runs) and
      # validates a comprehensive fixture document generated by odf-kit.
      # The build fails if the validator reports any spec errors.
      - name: Cache ODF Validator jar
        id: cache-validator
        uses: actions/cache@v5
        with:
          path: .cache/odfvalidator.jar
          key: odfvalidator-0.12.0
      - name: Download ODF Validator
        if: steps.cache-validator.outputs.cache-hit != 'true'
        run: |
          mkdir -p .cache
          curl -sSL -o .cache/odfvalidator.jar \
            "https://repo1.maven.org/maven2/org/odftoolkit/odfvalidator/0.12.0/odfvalidator-0.12.0-jar-with-dependencies.jar"
      - name: Generate validator fixture
        run: node scripts/generate-validator-fixture.mjs
      - name: Validate fixture against ODF spec
        run: |
          OUTPUT=$(java -jar .cache/odfvalidator.jar validator-fixture.odt 2>&1)
          echo "$OUTPUT"
          if echo "$OUTPUT" | grep -qi "error"; then
            echo ""
            echo "❌ ODF validation failed — spec errors detected in generated output."
            exit 1
          fi
          echo "✅ ODF validation passed."
      # ── Pages artifact upload ─────────────────────────────────────────────
      #
      # Push to main only (not PRs). The freshly built docs/ directory is
      # uploaded as a Pages artifact, picked up by the deploy job below.
      # docs/tools/index.html is gitignored — it exists only here, in the
      # artifact, and on the deployed site. Source/artifact separation
      # preserved end-to-end.
      - name: Setup Pages
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/configure-pages@v5
      - name: Upload Pages artifact
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/upload-pages-artifact@v3
        with:
          path: ./docs
  # ── Deploy to GitHub Pages ──────────────────────────────────────────────
  #
  # Runs only after build-and-test passes, only on push to main, never
  # on PRs. Permissions scoped to this job only — the rest of the
  # workflow keeps the minimal contents:read default.
  #
  # Concurrency limits to one deploy at a time without canceling queued
  # deploys, so rapid pushes deploy in commit order.
  deploy:
    needs: build-and-test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    concurrency:
      group: pages
      cancel-in-progress: false
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v4
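
The "Download ODF Validator" step above fetches a jar with curl and a later step executes it, with nothing in between that checks the file's contents. One way to pin the jar to a known digest, as an added example that is not part of this project's workflow: `sha256_of`, `verify_sha256` and `fetch_pinned` are hypothetical helper names, and the pinned digest has to be supplied by the maintainer because none appears on this page.

```shell
#!/usr/bin/env bash
# Added example: fail-closed SHA-256 pinning for a downloaded build tool.
# Helper names are hypothetical; the pinned digest is NOT given on the page.

# Print the lower-case hex SHA-256 of a file.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Returns 0 = match, 1 = mismatch, 2 = malformed pin, 3 = file missing.
verify_sha256() {
  local file="$1" expected="$2" actual
  # An empty, unset or placeholder pin must never count as "verified".
  case "$expected" in
    ""|*[!0-9a-fA-F]*) return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  [ -f "$file" ] || return 3
  actual=$(sha256_of "$file") || return 3
  [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Download to a temp file, verify, and only then move it into place, so an
# unverified file never sits at the path that gets cached and executed.
fetch_pinned() {
  local url="$1" dest="$2" expected="$3" tmp
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  # -f makes curl fail on HTTP errors instead of saving the error page.
  if curl -fsSL -o "$tmp" "$url" && verify_sha256 "$tmp" "$expected"; then
    mv "$tmp" "$dest"
  else
    rm -f "$tmp"
    echo "integrity check failed for $url" >&2
    return 1
  fi
}

# Offline demo on a constructed file (not the real jar).
demo=$(mktemp)
printf 'constructed sample\n' > "$demo"
verify_sha256 "$demo" "$(sha256_of "$demo")" && echo "match: accepted"
verify_sha256 "$demo" "$(printf '%064d' 0)" || echo "mismatch: rejected"
verify_sha256 "$demo" "REPLACE_WITH_PINNED_SHA256" || echo "placeholder pin: rejected"
rm -f "$demo"
```

Running `verify_sha256` on `.cache/odfvalidator.jar` in every run, not only after a cache miss, also covers a jar restored from the cache.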