Skip to content

test: add coverage reporting with a threshold gate (#117) #183

test: add coverage reporting with a threshold gate (#117)

test: add coverage reporting with a threshold gate (#117) #183

Workflow file for this run

name: CI
#
# Pipeline overview
# =================
#
# Release-please and Docker delivery are combined in one workflow because
# GITHUB_TOKEN-created tags do not trigger new workflow runs. This means a
# versioned Docker image must be built in the same run that release-please
# creates the release, using its job outputs to pass the version through.
#
on:
push:
branches:
- main
pull_request:
jobs:
# Check migration files for dangerous patterns (backward compatibility).
migration-check:
name: Migration Safety
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: 24
cache: npm
- run: npm ci
- run: npx tsx scripts/check-migrations.ts --ci
# Run svelte-check for type errors and warnings.
svelte-check:
name: Svelte Check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: 24
cache: npm
- run: npm ci
- run: npx svelte-kit sync
- run: npx svelte-check --threshold warning
# Run Prettier and ESLint (fails on any warning).
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: 24
cache: npm
- run: npm ci
- run: npx svelte-kit sync
- run: npm run lint
# Run unit and E2E tests.
test:
name: Tests
runs-on: ubuntu-latest
services:
postgres:
image: postgres:18
env:
POSTGRES_USER: testuser
POSTGRES_PASSWORD: testpassword
POSTGRES_DB: postguard_business_test
options: >-
--health-cmd "pg_isready -U testuser -d postguard_business_test"
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: 24
cache: npm
- run: npm ci
- run: npx vitest run --coverage
env:
DATABASE_URL: postgres://testuser:testpassword@localhost:5432/postguard_business_test
- run: npx playwright install --with-deps
- run: npx playwright test
env:
DATABASE_URL: postgres://testuser:testpassword@localhost:5432/postguard_business_test
# Create a GitHub release (and tag) when conventional commits warrant one.
release-please:
name: Release Please
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
outputs:
release_created: ${{ steps.release.outputs.release_created }}
version: ${{ steps.release.outputs.version }}
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
steps:
- uses: googleapis/release-please-action@v4
id: release
with:
release-type: node
# Build each platform on its native runner and push by digest (no tag yet).
build:
name: Build (${{ matrix.name }})
runs-on: ${{ matrix.runner }}
permissions:
contents: read
packages: write
strategy:
fail-fast: false
matrix:
include:
- platform: linux/amd64
runner: ubuntu-24.04
name: amd64
- platform: linux/arm64
runner: ubuntu-24.04-arm
name: arm64
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Log in to GHCR
uses: docker/login-action@v4
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push by digest
id: build
uses: docker/build-push-action@v7
with:
context: .
file: docker/Dockerfile
platforms: ${{ matrix.platform }}
outputs: type=image,name=ghcr.io/${{ github.repository }},push-by-digest=true,name-canonical=true,push=true
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Export digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@v7
with:
name: digest-${{ matrix.name }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
# Merge platform digests into a single multi-platform manifest and apply tags.
# - push to main (no release) → ghcr.io/.../postguard-business:edge
# - push to main (release) → ghcr.io/.../postguard-business:edge + :1.2.3
# - pull request → ghcr.io/.../postguard-business:pr-123
finalize:
name: Finalize Docker manifest
needs: [build, release-please]
if: always() && needs.build.result == 'success'
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # keyless cosign signing via OIDC
steps:
- name: Download digests
uses: actions/download-artifact@v8
with:
path: /tmp/digests
pattern: digest-*
merge-multiple: true
- name: Docker metadata
id: meta
uses: docker/metadata-action@v6
with:
images: ghcr.io/${{ github.repository }}
tags: |
type=edge,branch=main
type=ref,event=pr
type=raw,value=${{ needs.release-please.outputs.version }},enable=${{ needs.release-please.outputs.release_created == 'true' }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Log in to GHCR
uses: docker/login-action@v4
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Create and push manifest
working-directory: /tmp/digests
run: |
docker buildx imagetools create \
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf 'ghcr.io/${{ github.repository }}@sha256:%s ' *)
# Sign only on pushes to main/releases — not PRs. Signing every PR would
# record throwaway pr-N images in the public Rekor transparency log and
# leave orphan .sig tags in GHCR. The cosign path was smoke-tested on the
# PR that introduced it (#118).
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@v3
- name: Sign the published image (keyless)
if: github.event_name != 'pull_request'
run: |
tag=$(jq -cr '.tags[0]' <<< "$DOCKER_METADATA_OUTPUT_JSON")
digest=$(docker buildx imagetools inspect "$tag" --format '{{.Manifest.Digest}}')
cosign sign --yes "ghcr.io/${{ github.repository }}@${digest}"
# Build the runtime image and scan it for OS/dependency vulnerabilities.
# Non-blocking for now (exit-code 0): findings surface in the Security tab.
# Flip exit-code to 1 to gate once the baseline is clean.
image-scan:
name: Image Scan
needs: build
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Build image (amd64) for scanning
uses: docker/build-push-action@v7
with:
context: .
file: docker/Dockerfile
platforms: linux/amd64
load: true
tags: postguard-business:scan
cache-from: type=gha
# Run Trivy from its official image rather than the GitHub Action, which
# had a supply-chain compromise advisory (GHSA-69fq-xp46-6x23).
- name: Trivy vulnerability scan
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$PWD:/work" \
aquasec/trivy:0.72.0 image \
--severity HIGH,CRITICAL \
--ignore-unfixed \
--format sarif \
--output /work/trivy-results.sarif \
--exit-code 0 \
postguard-business:scan
- name: Upload Trivy results
if: hashFiles('trivy-results.sarif') != ''
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
category: trivy