senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
veza/.github/workflows/ci.yml
senke af4893e684 fix(ci): harden CI pipeline -- remove || true, fix versions 
- Remove all `|| true` from govulncheck, cargo audit, npm audit,
  lint, and format check steps (was masking real failures)
- Remove `continue-on-error: true` from stream-server build step
- Fix Go version mismatch: CI 1.21 -> 1.23 (matches go.mod 1.23.8)
- Upgrade Node.js from 18 to 20 (current LTS)
- Replace deprecated actions-rs/toolchain@v1 with dtolnay/rust-toolchain@stable
- Upgrade all GitHub Actions to v4/v5 (checkout, setup-go, setup-node, cache)
- Make gofmt check fail properly on unformatted files

Addresses audit findings: A05 (Security Misconfiguration), A08 (Software
& Data Integrity), debt item 5 (CI || true everywhere).

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-11 22:39:40 +01:00

177 lines
4 KiB
YAML
Raw Blame History

name: Veza CI/CD
on:
push:
branches: [ "main", "remediation/*", "feature/mvp-complete" ]
pull_request:
branches: [ "main", "feature/mvp-complete" ]
workflow_dispatch: # Allow manual trigger
jobs:
backend-go:
name: Backend (Go)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '1.23'
cache: true
- name: Install dependencies
run: |
cd veza-backend-api
go mod download
- name: Run govulncheck
run: |
cd veza-backend-api
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
- name: Vet
run: |
cd veza-backend-api
go vet ./...
- name: Lint
run: |
cd veza-backend-api
test -z "$(gofmt -l .)" || (echo "gofmt needed on:"; gofmt -l .; exit 1)
- name: Test
run: |
cd veza-backend-api
# Running tests excluding those that require DB connection for now
go test -v ./internal/handlers/... ./internal/services/... -short
- name: Build
run: |
cd veza-backend-api
go build -v ./...
rust-services:
name: Rust Services (Chat & Stream)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Rust
uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt, clippy
- name: Cache Cargo registry
uses: actions/cache@v4
with:
path: |
~/.cargo/registry
~/.cargo/git
target
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- name: Check Formatting
run: cargo fmt --all -- --check
- name: Install cargo-audit
run: cargo install cargo-audit
- name: Auditing Chat Server
run: |
cd veza-chat-server
cargo audit
- name: Auditing Stream Server
run: |
cd veza-stream-server
cargo audit
- name: Build Chat Server
run: |
cd veza-chat-server
cargo check
cargo build --verbose
- name: Build Stream Server
# TODO(C7): fix stream-server compilation if this fails
run: |
cd veza-stream-server
cargo check
- name: Test Chat Server
run: |
cd veza-chat-server
cargo test --verbose
frontend:
name: Frontend (Web)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
cache-dependency-path: apps/web/package-lock.json
- name: Install Dependencies
run: |
cd apps/web
npm ci
- name: Security audit
run: |
cd apps/web
npm audit --audit-level=high
- name: Cache Generated Types
uses: actions/cache@v4
with:
path: apps/web/src/types/generated
key: ${{ runner.os }}-generated-types-${{ hashFiles('veza-backend-api/openapi.yaml') }}
restore-keys: |
${{ runner.os }}-generated-types-
- name: Generate Types from OpenAPI
run: |
cd apps/web
chmod +x scripts/generate-types.sh
./scripts/generate-types.sh
continue-on-error: false
# This step ensures types are generated before typecheck
# If types don't match spec, CI will fail
# Cache keyed on openapi.yaml hash, so types regenerate when spec changes
- name: Lint
run: |
cd apps/web
npm run lint --if-present
- name: Format Check
run: |
cd apps/web
npm run format:check --if-present
- name: Type Check
run: |
cd apps/web
npm run typecheck
- name: Unit Tests
run: |
cd apps/web
npm run test -- --run
- name: Contrast Tests
run: |
cd apps/web
npm run test -- --run src/__tests__/contrast.test.ts
- name: Build
run: |
cd apps/web
npm run build
Reference in a new issue View git blame Copy permalink