ci: disable all cron schedules to stop burning Actions minutes #402

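name: CI/CD Enhanced

# Push/PR triggers only; there is deliberately no `schedule:` block, so nothing
# runs on a cron.
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

# Least-privilege default for GITHUB_TOKEN. Jobs that need more widen it
# locally (see `status`). The called test workflow inherits this set, so widen
# it on the `tests` job if test.yml needs anything beyond read access.
permissions:
  contents: read

# One in-flight run per workflow+ref. Superseded PR runs are cancelled to save
# runner minutes; pushes to a branch are queued rather than cancelled, so a run
# on main or develop is never cut short.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
  REGION: us-central1
  NODE_VERSION: '20'
  REGISTRY: us-central1-docker.pkg.dev

jobs:
  # =============================================================================
  # Security & Quality Gates
  # =============================================================================
  security:
    name: Security Checks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
      - name: Setup Node.js
        # Pins the npm used by `npm audit` below to the same version as the
        # other jobs instead of whatever the runner image happens to ship.
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Verify .env Files Are Gitignored
        run: |
          if ! grep -q "^\.env$" .gitignore; then
            echo "::error::.env is not in .gitignore"
            exit 1
          fi
          # Check for any tracked .env files (excluding .env.example, .env.template)
          if git ls-files | grep -E "(^|/)\.env$" | grep -v -E "\.(example|template|sample)$"; then
            echo "::error::Found tracked .env files"
            exit 1
          fi
          # Also check for environment-specific files
          if git ls-files | grep -E "\.(env\.local|env\.dev|env\.prod|env\.staging)$"; then
            echo "::error::Found tracked environment files"
            exit 1
          fi
      - name: Check for exposed secrets in code
        run: |
          # The `{n}` interval quantifier is ERE syntax; under plain `grep -r`
          # (BRE) the braces are literal and neither pattern could ever match.
          # node_modules and .git are excluded so only project source is scanned.
          scan() {
            grep -rE --exclude-dir=node_modules --exclude-dir=.git \
              --include='*.ts' --include='*.js' "$1" .
          }
          if scan "AKIA[0-9A-Z]{16}"; then
            echo "::error::Found AWS access key pattern"
            exit 1
          fi
          if scan "sk-[a-zA-Z0-9]{48}"; then
            echo "::error::Found OpenAI API key pattern"
            exit 1
          fi
      - name: Dependency Vulnerability Scan
        # Still advisory (the job passes either way), but a finding now shows
        # as a failed step with an annotation instead of being hidden by `|| true`.
        continue-on-error: true
        run: npm audit --audit-level=high
  # =============================================================================
  # Lint & Type Check
  # =============================================================================
  lint:
    name: Lint & Type Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Setup Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - name: Cache node_modules
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        id: cache-deps
        with:
          path: |
            node_modules
            packages/*/node_modules
            apps/*/node_modules
          key: ${{ runner.os }}-node-${{ env.NODE_VERSION }}-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-${{ env.NODE_VERSION }}-
      - name: Install dependencies
        # A prefix (restore-keys) restore reports cache-hit != 'true', so a
        # stale node_modules is always refreshed by `npm ci`.
        if: steps.cache-deps.outputs.cache-hit != 'true'
        run: npm ci
      - name: ESLint
        run: npm run lint
        continue-on-error: false
      - name: TypeScript Type Check
        run: npm run typecheck
      - name: Format Check
        run: |
          # `command -v` only searches PATH, so a project-local prettier was
          # never found and this check always skipped; test for the installed
          # binary instead.
          if [ -x node_modules/.bin/prettier ]; then
            npx prettier --check "**/*.{ts,tsx,js,jsx,json,md}"
          else
            echo "Prettier not configured, skipping"
          fi
  # =============================================================================
  # Build
  # =============================================================================
  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [security, lint]
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Setup Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - name: Cache node_modules
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        id: cache-deps
        with:
          path: |
            node_modules
            packages/*/node_modules
            apps/*/node_modules
          key: ${{ runner.os }}-node-${{ env.NODE_VERSION }}-${{ hashFiles('**/package-lock.json') }}
          # Same fallback as the lint job so a lockfile change still gets a
          # warm cache instead of a cold install.
          restore-keys: |
            ${{ runner.os }}-node-${{ env.NODE_VERSION }}-
      - name: Install dependencies
        if: steps.cache-deps.outputs.cache-hit != 'true'
        run: npm ci
      - name: Cache Turbo
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: .turbo
          key: ${{ runner.os }}-turbo-build-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-turbo-build-
      - name: Build
        run: npm run build
      - name: Upload build artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: dist
          path: |
            packages/*/dist
            apps/*/dist
          retention-days: 7
  # =============================================================================
  # ARV (Agent Readiness Verification)
  # =============================================================================
  arv:
    name: ARV Checks
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Setup Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - name: Cache node_modules
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        id: cache-deps
        with:
          path: |
            node_modules
            packages/*/node_modules
            apps/*/node_modules
          key: ${{ runner.os }}-node-${{ env.NODE_VERSION }}-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-${{ env.NODE_VERSION }}-
      - name: Install dependencies
        # Mirrors lint/build: skip the install on an exact cache hit.
        if: steps.cache-deps.outputs.cache-hit != 'true'
        run: npm ci
      - name: Download build artifacts
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          name: dist
      # ARV checks are non-blocking: each step is marked failed on a finding so
      # it is visible in the run UI, but the job still succeeds (previously
      # `|| true` hid the result entirely).
      - name: ARV Lint (Forbidden Patterns)
        continue-on-error: true
        run: npm run arv:lint
      - name: ARV Contracts (Schema Validation)
        continue-on-error: true
        run: npm run arv:contracts
      - name: ARV Goldens (Deterministic Outputs)
        continue-on-error: true
        run: npm run arv:goldens
      - name: ARV Smoke (Boot Check)
        continue-on-error: true
        run: npm run arv:smoke
  # =============================================================================
  # Integration with Existing CI (call test workflow)
  # =============================================================================
  tests:
    name: Run Tests
    needs: build
    # test.yml must declare `on: workflow_call`; without it the whole workflow
    # is rejected at parse time ("workflow is not reusable"). The called
    # workflow runs with this job's permissions (workflow default unless
    # overridden here).
    uses: ./.github/workflows/test.yml
  # =============================================================================
  # Build Status Check
  # =============================================================================
  status:
    name: CI Status
    runs-on: ubuntu-latest
    needs: [security, lint, build, arv, tests]
    if: always()
    # createCommitStatus below is the only write this workflow performs.
    # NOTE(review): for PRs opened from forks the token is read-only, so that
    # step is expected to fail there.
    permissions:
      statuses: write
    steps:
      - name: Check all jobs status
        run: |
          # Job results are limited to success/failure/cancelled/skipped, so
          # interpolating them into the shell is safe.
          if [ "${{ needs.security.result }}" != "success" ]; then
            echo "::error::Security checks failed"
            exit 1
          fi
          if [ "${{ needs.lint.result }}" != "success" ]; then
            echo "::error::Lint checks failed"
            exit 1
          fi
          if [ "${{ needs.build.result }}" != "success" ]; then
            echo "::error::Build failed"
            exit 1
          fi
          # arv was listed in `needs` but never gated on; its steps are
          # non-blocking, so this only catches infrastructure failures.
          if [ "${{ needs.arv.result }}" != "success" ]; then
            echo "::error::ARV checks failed"
            exit 1
          fi
          if [ "${{ needs.tests.result }}" != "success" ]; then
            echo "::error::Tests failed"
            exit 1
          fi
          echo "✅ All CI checks passed!"
      - name: Update commit status
        if: always()
        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
        with:
          script: |
            // Same job set as the step above; results are fixed enum strings,
            // so interpolating them here cannot inject code.
            const results = [
              '${{ needs.security.result }}',
              '${{ needs.lint.result }}',
              '${{ needs.build.result }}',
              '${{ needs.arv.result }}',
              '${{ needs.tests.result }}',
            ];
            const state = results.every((r) => r === 'success') ? 'success' : 'failure';
            // On pull_request, context.sha is the synthetic merge commit and a
            // status posted there is not shown on the PR; target the PR head.
            const sha = context.payload.pull_request?.head?.sha ?? context.sha;
            await github.rest.repos.createCommitStatus({
              owner: context.repo.owner,
              repo: context.repo.repo,
              sha,
              state,
              context: 'CI/CD Enhanced',
              description: state === 'success' ? 'All checks passed' : 'Some checks failed'
            });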