veza/.github/workflows/frontend-ci.yml

name: Frontend CI

on:
    push:
        paths:
            - "apps/web/**"
            - "veza-backend-api/openapi.yaml"
            - "veza-backend-api/docs/swagger.yaml"
            - ".github/workflows/frontend-ci.yml"
    pull_request:
        paths:
            - "apps/web/**"
            - "veza-backend-api/openapi.yaml"
            - "veza-backend-api/docs/swagger.yaml"
            - ".github/workflows/frontend-ci.yml"

env:
    GIT_SSL_NO_VERIFY: "true"
    NODE_TLS_REJECT_UNAUTHORIZED: "0"

jobs:
    test:
        runs-on: ubuntu-latest

        defaults:
            run:
                working-directory: apps/web

        steps:
            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

            - name: Set up Node
              uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
              with:
                  node-version: "20"
                  cache: "npm"
                  cache-dependency-path: apps/web/package-lock.json

            - name: Install dependencies
              run: npm ci

            # v1.0.8 OpenAPI Phase 0 — prevents drift between
            # veza-backend-api/openapi.yaml and apps/web/src/types/generated/.
            # check-types-sync.sh regenerates then fails if git diff is non-empty.
            - name: Check OpenAPI types in sync
              run: bash scripts/check-types-sync.sh

            - name: Lint
              run: npm run lint

            - name: TypeScript check
              run: npx tsc --noEmit

            - name: Build
              run: npm run build

            - name: Bundle size gate
              run: node scripts/check-bundle-size.mjs

            - name: Audit dependencies
              run: npm audit --audit-level=critical

            - name: Run tests
              run: npm run test -- --run