fix: remove all Replit dependencies; implement ACME TLS, audit log, d… #3
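# CI workflow: typecheck, OpenAPI lint, build, and a Docker build check.
name: CI

# Runs for pushes to main and for pull requests that target main.
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Least privilege for the workflow token: the jobs in this file only check
# out the repository, so read access to contents is sufficient. A job that
# later needs more should request it in its own job-level permissions block.
permissions:
  contents: read

# Cancel in-progress runs for the same ref
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Toolchain versions shared by the jobs; quoted so they stay strings.
env:
  NODE_VERSION: "24"
  PNPM_VERSION: "10"

jobs: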
# ── Typecheck ──────────────────────────────────────────────────────────────
  # Installs the workspace with the committed lockfile and runs the
  # repository-wide typecheck script.
  # NOTE(review): the actions below are referenced by tag (@v4). Tags can be
  # moved by the action's owner; pinning to a full commit SHA makes the run
  # reproducible. The SHAs are not on this page, so none are filled in here.
  typecheck:
    name: TypeScript
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: "${{ env.PNPM_VERSION }}"

      - uses: actions/setup-node@v4
        with:
          node-version: "${{ env.NODE_VERSION }}"
          cache: pnpm

      # --frozen-lockfile fails the install if pnpm-lock.yaml would change,
      # so CI resolves exactly what was committed.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Typecheck (all packages)
        run: pnpm run typecheck
# ── OpenAPI spec validation ────────────────────────────────────────────────
  # Lints lib/api-spec/openapi.yaml with Redocly CLI and compares the spec
  # version with the version in package.json (warning only).
  # NOTE(review): this job has no setup-node step, so npm and node come from
  # the runner image rather than from NODE_VERSION.
  openapi:
    name: OpenAPI Spec
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # NOTE(review): @latest installs whatever is newest on the registry at
      # run time, outside the lockfile. Pinning an exact version (or adding
      # the CLI as a devDependency covered by pnpm-lock.yaml) keeps this step
      # reproducible and limits exposure to a bad upstream release.
      - name: Install Redocly CLI
        run: npm install -g @redocly/cli@latest

      - name: Validate OpenAPI spec
        run: redocly lint lib/api-spec/openapi.yaml --format=stylish

      # NOTE(review): the grep pattern depends on the exact leading
      # whitespace of the version line in the spec. This listing was taken
      # from a rendered page that collapses whitespace, so confirm the
      # pattern against the committed workflow file.
      - name: Check spec version matches package.json
        run: |
          SPEC_VERSION=$(grep "^ version:" lib/api-spec/openapi.yaml | head -1 | awk '{print $2}' | tr -d '"')
          PKG_VERSION=$(node -p "require('./package.json').version" 2>/dev/null || echo "0.0.0")
          echo "Spec version: $SPEC_VERSION"
          echo "Package version: $PKG_VERSION"
          # Warn if they diverge (not a hard failure yet — enforced once we reach 1.0)
          if [ "$SPEC_VERSION" != "$PKG_VERSION" ]; then
            echo "::warning::OpenAPI spec version ($SPEC_VERSION) does not match package.json ($PKG_VERSION)"
          fi
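# ── Build ──────────────────────────────────────────────────────────────────
  # Builds the workspace packages once the typecheck job has passed.
  # The API server and frontend builds are hard failures. The shared-lib and
  # CLI builds stay best-effort, as before, but a non-zero exit is now
  # reported as a warning annotation instead of being discarded with
  # `2>/dev/null || true`, so a broken build is visible in the run summary.
  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [typecheck]
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: ${{ env.PNPM_VERSION }}

      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      # NOTE(review): presumably tolerated because these packages may not
      # define a build script; confirm, then make real failures fatal.
      - name: Build shared libs
        run: |
          pnpm --filter @workspace/db run build \
            || echo "::warning::@workspace/db build failed or is not defined"
          pnpm --filter @workspace/api-zod run build \
            || echo "::warning::@workspace/api-zod build failed or is not defined"

      - name: Build API server
        run: pnpm --filter @workspace/api-server run build

      - name: Build frontend
        run: pnpm --filter @workspace/federated-hosting run build

      - name: Build CLI
        run: |
          pnpm --filter @workspace/cli run build \
            || echo "::warning::@workspace/cli build failed or is not defined"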
# ── Docker build check ─────────────────────────────────────────────────────
  # Builds the image from the repository root to prove the Dockerfile still
  # works; nothing is pushed to a registry.
  # NOTE(review): the docker/* actions are referenced by mutable major-version
  # tags; pinning them to full commit SHAs would fix exactly what runs here.
  docker:
    name: Docker
    runs-on: ubuntu-latest
    # Only run on push to main (not PRs) to save CI minutes
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Layer cache is read from and written to the GitHub Actions cache.
      - name: Build Docker image (no push)
        uses: docker/build-push-action@v6
        with:
          context: .
          push: false
          tags: 'federated-hosting:ci'
          cache-from: 'type=gha'
          cache-to: 'type=gha,mode=max'