-
Notifications
You must be signed in to change notification settings - Fork 0
73 lines (68 loc) · 2.58 KB
/
Copy pathci.yml
File metadata and controls
73 lines (68 loc) · 2.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
name: CI
on:
pull_request:
branches: [main]
push:
branches: [main]
# Pinning action SHAs follows the same convention as tpsdev-ai/cli and
# tpsdev-ai/flair: prevents a compromised tag from running arbitrary code.
# The trailing `# v<X>` comment is the human-readable version reference.
#
# `sfw bun install` wraps install with Socket Firewall — an ephemeral
# HTTP proxy that blocks known-malicious packages before they're fetched.
# Complements bunfig.toml's minimumReleaseAge: age-gate catches the
# "compromised, not yet detected" window, sfw catches confirmed malware
# regardless of age. Belt + suspenders.
jobs:
build:
name: Build (TypeScript strict)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
- uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2
with:
bun-version: "1.3.10"
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: "22"
- uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free
- name: Check workspace internal-dep lockstep
# Catches the bug shape where a workspace package declares an
# internal @tpsdev-ai/* dep at a version different from what it
# ships. Local dev hides it (bun symlinks); consumers don't.
run: node scripts/check-workspace-deps.mjs
- run: sfw bun install --frozen-lockfile
- run: bun run lint
- run: bun run typecheck
- run: bun run build
test:
name: Unit Tests
needs: build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
- uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2
with:
bun-version: "1.3.10"
- uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free
- run: sfw bun install --frozen-lockfile
- run: bun run build
- run: bun run test
audit:
name: Dependency Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
- uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2
with:
bun-version: "1.3.10"
- uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free
- run: sfw bun install --frozen-lockfile
- name: Check for known vulnerabilities
run: bun audit