forked from Ninjalama/streamyfin_mirror
105 lines
3.0 KiB
YAML
105 lines
3.0 KiB
YAML
name: 🚦 Security & Quality Gate
|
|
|
|
on:
|
|
pull_request_target:
|
|
types: [opened, edited, synchronize, reopened]
|
|
branches: [develop, master]
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
validate_pr_title:
|
|
name: "📝 Validate PR Title"
|
|
runs-on: ubuntu-24.04
|
|
permissions:
|
|
pull-requests: write
|
|
contents: read
|
|
steps:
|
|
- uses: amannn/action-semantic-pull-request@v5.5.3
|
|
id: lint_pr_title
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- uses: marocchino/sticky-pull-request-comment@v2.9.2
|
|
if: always() && (steps.lint_pr_title.outputs.error_message != null)
|
|
with:
|
|
header: pr-title-lint-error
|
|
message: |
|
|
Hey there and thank you for opening this pull request! 👋🏼
|
|
We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/).
|
|
|
|
**Error details:**
|
|
```
|
|
${{ steps.lint_pr_title.outputs.error_message }}
|
|
```
|
|
|
|
- if: ${{ steps.lint_pr_title.outputs.error_message == null }}
|
|
uses: marocchino/sticky-pull-request-comment@v2.9.2
|
|
with:
|
|
header: pr-title-lint-error
|
|
delete: true
|
|
|
|
dependency-review:
|
|
name: 🔍 Vulnerable Dependencies
|
|
runs-on: ubuntu-24.04
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- name: Checkout Repository
|
|
uses: actions/checkout@v4.2.2
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
fetch-depth: 0
|
|
|
|
- name: Dependency Review
|
|
uses: actions/dependency-review-action@v4.7.1
|
|
with:
|
|
fail-on-severity: high
|
|
deny-licenses: GPL-3.0, AGPL-3.0
|
|
base-ref: ${{ github.event.pull_request.base.sha || 'develop' }}
|
|
head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
|
|
|
|
code_quality:
|
|
name: "🔍 Lint & Test (${{ matrix.command }})"
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
command:
|
|
- "lint"
|
|
- "check"
|
|
steps:
|
|
- name: "📥 Checkout PR code"
|
|
uses: actions/checkout@v4.2.2
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
submodules: recursive
|
|
fetch-depth: 0
|
|
|
|
- name: "🟢 Setup Node.js"
|
|
uses: actions/setup-node@v4.4.0
|
|
with:
|
|
node-version: '20.x'
|
|
cache: bun
|
|
|
|
- name: "🍞 Setup Bun"
|
|
uses: oven-sh/setup-bun@v2.0.2
|
|
with:
|
|
# @todo: update to 1.x once this is fixed: https://github.com/streamyfin/streamyfin/pull/690#discussion_r2089749689
|
|
bun-version: '1.2.13'
|
|
|
|
- name: 💾 Cache Bun dependencies
|
|
uses: actions/cache@v4.2.3
|
|
with:
|
|
path: |
|
|
~/.bun/install/cache
|
|
key: ${{ runner.os }}-bun-${{ hashFiles('bun.lock') }}
|
|
|
|
- name: "📦 Install dependencies"
|
|
run: bun install --frozen-lockfile
|
|
|
|
- name: "🚨 Run ${{ matrix.command }}"
|
|
run: bun run ${{ matrix.command }}
|