vulcan/.github/workflows/ci.yml at 82e51e9641b0ed3759a8ccd24fb3c310e49c9991 · mitre/vulcan · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
name: CI

on:
  push:
    branches: [master]
    paths-ignore:
      - 'docs/**'
      - '*.md'
      - 'LICENSE'
      - '.github/workflows/docs.yml'
      - '.github/workflows/release.yml'
      - '.github/workflows/dependabot.yml'
  pull_request:
    branches: [master]
    paths-ignore:
      - 'docs/**'
      - '*.md'
      - 'LICENSE'
      - '.github/workflows/docs.yml'
      - '.github/workflows/release.yml'
      - '.github/workflows/dependabot.yml'

concurrency:
  group: ci-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  # ─── LINT + SECURITY ─────────────────────────────────────
  lint:
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
      - uses: ruby/setup-ruby@e65c17d16e57e481586a6a5a0282698790062f92 # v1
        with:
          ruby-version: '.ruby-version'
          bundler-cache: true
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version-file: '.nvmrc'
          cache: 'yarn'
      - run: yarn install --frozen-lockfile
      - name: RuboCop
        run: bundle exec rubocop --parallel
      - name: ESLint
        run: yarn lint:ci
      - name: Brakeman
        run: bundle exec brakeman -q --no-pager
      - name: Bundle Audit
        run: bundle exec bundler-audit check --update

  # ─── FRONTEND TESTS + COVERAGE ───────────────────────────
  frontend:
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version-file: '.nvmrc'
          cache: 'yarn'
      - run: yarn install --frozen-lockfile
      - name: Vitest with coverage
        run: yarn test:unit --coverage
      - name: Upload frontend coverage
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        if: always()
        with:
          name: coverage-frontend
          path: coverage/js
          retention-days: 5

  # ─── BACKEND TESTS + COVERAGE (6 shards) ─────────────────
  backend:
    runs-on: ubuntu-24.04
    timeout-minutes: 25
    permissions:
      contents: read
    strategy:
      fail-fast: true
      matrix:
        ci_node_index: [1, 2, 3, 4, 5, 6]

    services:
      db:
        image: postgres:18-alpine
        env:
          POSTGRES_USER: postgres
          POSTGRES_DB: vulcan_vue_test
          POSTGRES_HOST_AUTH_METHOD: trust
          POSTGRES_INITDB_ARGS: "--nosync"
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 500ms
          --health-timeout 3s
          --health-retries 20
      ldap:
        image: rroemhild/test-openldap
        ports:
          - 10389:10389

    env:
      # Application config (read by database.yml)
      DATABASE_HOST: localhost
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
      # libpq vars (read by pg_isready, psql CLI tools)
      PGHOST: localhost
      PGUSER: postgres
      PGPASSWORD: postgres
      RAILS_ENV: test
      RUBY_YJIT_ENABLE: "1"
      CI: "true"
      # OIDC Testing — VULCAN_OIDC_* is the primary source;
      # spec/support/okta_test_config.rb falls back to these
      VULCAN_ENABLE_OIDC: "true"
      VULCAN_OIDC_DISCOVERY: "true"
      VULCAN_OIDC_ISSUER_URL: ${{ secrets.OKTA_TEST_ISSUER }}
      VULCAN_OIDC_CLIENT_ID: ${{ secrets.OKTA_TEST_CLIENT_ID }}
      VULCAN_OIDC_CLIENT_SECRET: ${{ secrets.OKTA_TEST_CLIENT_SECRET }}
      # LDAP Testing (rroemhild/test-openldap public defaults)
      VULCAN_ENABLE_LDAP: "true"
      VULCAN_LDAP_HOST: localhost
      VULCAN_LDAP_ATTRIBUTE: mail
      VULCAN_LDAP_BIND_DN: "cn=admin,dc=planetexpress,dc=com"
      VULCAN_LDAP_BASE: "ou=people,dc=planetexpress,dc=com"
      VULCAN_LDAP_PORT: "10389"
      VULCAN_LDAP_ADMIN_PASS: GoodNewsEveryone

    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
      - uses: ruby/setup-ruby@e65c17d16e57e481586a6a5a0282698790062f92 # v1
        with:
          ruby-version: '.ruby-version'
          bundler-cache: true
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version-file: '.nvmrc'
          cache: 'yarn'
      - run: yarn install --frozen-lockfile
      - name: Install system dependencies
        run: sudo apt-get -yqq install libpq-dev

      - name: Cache JS build
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        id: js-cache
        with:
          path: app/assets/builds
          key: js-build-${{ hashFiles('app/javascript/**', 'yarn.lock', 'esbuild.config.js', 'package.json') }}
      - name: Build JavaScript assets
        if: steps.js-cache.outputs.cache-hit != 'true'
        run: yarn build

      - name: Setup database
        run: |
          bundle exec rails db:create
          bundle exec rails db:schema:load

      - name: Run backend tests (shard ${{ matrix.ci_node_index }}/6)
        run: |
          bundle exec parallel_rspec \
            -n 6 \
            --only-group ${{ matrix.ci_node_index }} \
            spec/

      - name: Upload backend coverage
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        if: always()
        with:
          name: coverage-shard-${{ matrix.ci_node_index }}
          path: coverage
          retention-days: 5

  # ─── GATE — single required status check for branch protection ───
  ci-gate:
    needs: [lint, frontend, backend]
    if: always()
    runs-on: ubuntu-24.04
    timeout-minutes: 2
    permissions:
      contents: read
    steps:
      - name: Check all jobs passed
        run: |
          results='${{ toJSON(needs.*.result) }}'
          if echo "$results" | grep -qE '"(failure|cancelled|skipped)"'; then
            echo "::error::One or more CI jobs failed, were cancelled, or were skipped"
            exit 1
          fi
          echo "All CI jobs passed"