Skip to content

feat(ladder): add per-account config + schema foundation (default-off) #524

feat(ladder): add per-account config + schema foundation (default-off)

feat(ladder): add per-account config + schema foundation (default-off) #524

name: Frontend build (PR)
# Pre-merge gate: catches TypeScript errors and webpack build failures
# BEFORE a PR is merged, not after. Motivated by the post-mortem in #191:
# a TS6133 error rode through to the protected branch and caused all three
# post-merge deploy jobs to fail after spending minutes on infrastructure
# only to hit the same tsc error inside the Dockerfile frontend-builder stage.
#
# Companion to frontend-build-sentinel.yml, which guards the protected
# branch post-merge against rebases and GitHub-UI merge commits.
# This job guards the PR gate itself — the earlier the catch, the cheaper.
#
# Uses pull_request (not pull_request_target) so this job runs in the
# PR-head context with no access to repository secrets. pull_request_target
# executes in the base-branch context WITH secrets, which is a known
# fork-exfiltration vector and must not be used for untrusted code builds.
#
# See also: #177 (sentinel), #191 (this PR gate).
on:
pull_request:
branches:
- main
paths:
- "frontend/**"
- ".github/workflows/frontend-build.yml"
permissions:
contents: read
concurrency:
# Cancel redundant runs when new commits are pushed to the same PR.
group: frontend-build-pr-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
name: Build frontend
runs-on: ubuntu-latest
timeout-minutes: 5
defaults:
run:
working-directory: frontend
steps:
- name: Checkout
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
- name: Set up Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "24"
cache: "npm"
cache-dependency-path: frontend/package-lock.json
- name: Install dependencies
run: npm ci
- name: Lint
run: npm run lint
- name: TypeScript typecheck
run: npm run typecheck
- name: Build
run: npm run build