feat: improved GitHub Actions marketplace integration #24
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| typecheck: | |
| name: Type Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Type check | |
| run: npx tsc --noEmit | |
| test: | |
| name: Test (Node ${{ matrix.node-version }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| node-version: ['18', '20', '22'] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run tests | |
| run: npm test | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: [typecheck, test] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Build | |
| run: npm run build | |
| - name: Verify CLI runs | |
| run: node dist/cli/index.js --help | |
| - name: Upload build artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist | |
| path: dist/ | |
| retention-days: 7 | |
| integration-test: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Build | |
| run: npm run build | |
| - name: Test vulnerable example (should find issues) | |
| run: | | |
| set +e | |
| node dist/cli/index.js examples/next-vulnerable --json > /tmp/vuln-result.json | |
| EXIT_CODE=$? | |
| if [ $EXIT_CODE -ne 1 ]; then | |
| echo "Expected exit code 1 for vulnerable project, got $EXIT_CODE" | |
| exit 1 | |
| fi | |
| if ! grep -q '"vulnerable": true' /tmp/vuln-result.json; then | |
| echo "Expected vulnerable: true in output" | |
| cat /tmp/vuln-result.json | |
| exit 1 | |
| fi | |
| echo "✓ Vulnerable example correctly detected" | |
| - name: Test patched example (should be clean) | |
| run: | | |
| node dist/cli/index.js examples/next-patched --json > /tmp/patched-result.json | |
| if ! grep -q '"vulnerable": false' /tmp/patched-result.json; then | |
| echo "Expected vulnerable: false in output" | |
| cat /tmp/patched-result.json | |
| exit 1 | |
| fi | |
| echo "✓ Patched example correctly passed" | |
| - name: Test client-only example (should be clean) | |
| run: | | |
| node dist/cli/index.js examples/react-client-only --json > /tmp/client-result.json | |
| if ! grep -q '"vulnerable": false' /tmp/client-result.json; then | |
| echo "Expected vulnerable: false in output" | |
| cat /tmp/client-result.json | |
| exit 1 | |
| fi | |
| echo "✓ Client-only example correctly passed" | |
| - name: Test SARIF output | |
| run: | | |
| node dist/cli/index.js examples/next-vulnerable --sarif --no-exit-on-vuln > /tmp/sarif-result.json | |
| if ! grep -q '"version": "2.1.0"' /tmp/sarif-result.json; then | |
| echo "Expected SARIF 2.1.0 format" | |
| exit 1 | |
| fi | |
| echo "✓ SARIF output format correct" | |
| self-scan: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Build | |
| run: npm run build | |
| - name: Self-scan (should pass - we're not vulnerable) | |
| run: node dist/cli/index.js . --ignore-path examples |
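Review bot: The workflow declares no `permissions:` block and pulls every action by mutable major tag (`actions/checkout@v4`, `actions/setup-node@v4`, `actions/upload-artifact@v4`), so all five jobs run with the repository's default GITHUB_TOKEN scope and a retagged or compromised action release would inherit it; add a top-level `permissions:` block with `contents: read` next to `on:`, and pin each `uses:` to a full commit SHA with the tag kept in a trailing comment. The page's hidden/bidirectional Unicode banner applies to this file, and the only non-ASCII glyphs visible in the render are the ✓ in the `echo` lines, which do not normally trigger it, so confirm with a hex dump that the `run:` scripts in the integration-test job contain no bidi control or zero-width characters before merging. Separately, the `grep -q '"vulnerable": true'` and `'"vulnerable": false'` checks depend on the CLI's exact JSON whitespace; a `jq -e '.vulnerable == true'` style check would be less brittle.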