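# PR gate for the print-calculator repository (Gitea Actions).
#
# Jobs:
#   prettier-autofix  - runs Prettier over frontend/src and the workflow files
#                       and pushes a "style:" commit back to the PR branch.
#                       Same-repository PRs only; see the job-level `if`.
#   security-sast     - Semgrep SAST and a Gitleaks secret scan, both blocking.
#   test-backend      - Gradle test suite for backend/.
#
# NOTE(review): prettier-autofix pushes with the token that actions/checkout
# persists in .git/config. This file does not (and on Gitea cannot reliably)
# declare a `permissions:` scope, so the token carries whatever the repository
# and runner grant it. Any step that executes repo-controlled code (Prettier
# config/plugins, gradlew) therefore runs with that token reachable; the fork
# gate below exists so that only authors who already have write access to the
# repository get that far.
name: PR Checks

on:
  pull_request:
    branches: [main, int, dev]

concurrency:
  group: print-calculator-pr-${{ gitea.ref }}
  cancel-in-progress: true

jobs:
  prettier-autofix:
    runs-on: ubuntu-latest
    # Skip fork PRs before any repo-controlled code runs. The earlier version
    # ran Prettier on fork content first and only skipped the push afterwards,
    # which still executed untrusted Prettier config/plugins with the checkout
    # token on disk. The paths mirror the jq lookups used in the push step.
    if: ${{ gitea.event.pull_request.head.repo.full_name == gitea.event.repository.full_name }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # NOTE(review): the push step pushes HEAD. This assumes the runner
          # checks out the PR head commit; if it checks out a merge ref, the
          # push would also carry a merge of the base branch into the PR.
          # Confirm on the Gitea version in use, or check out the head ref
          # explicitly.

      - name: Setup Node 22
        uses: actions/setup-node@v4
        with:
          node-version: "22"

      - name: Apply formatting with Prettier
        shell: bash
        run: |
          # Prettier is pinned by version; npx --yes fetches it without a
          # prompt. It still honours any Prettier config in the repository.
          npx --yes prettier@3.6.2 --write \
            "frontend/src/**/*.{ts,html,scss,css,json}" \
            ".gitea/workflows/*.{yml,yaml}"

      - name: Commit and push formatting changes
        shell: bash
        run: |
          set -euo pipefail

          # Nothing to do when Prettier left the tracked files untouched.
          if git diff --quiet; then
            echo "No formatting changes to commit."
            exit 0
          fi

          if ! command -v jq >/dev/null 2>&1; then
            apt-get update
            apt-get install -y --no-install-recommends jq
          fi

          EVENT_FILE="${GITHUB_EVENT_PATH:-}"
          if [[ -z "$EVENT_FILE" || ! -f "$EVENT_FILE" ]]; then
            echo "Event payload not found, skipping auto-push."
            exit 0
          fi

          HEAD_REPO="$(jq -r '.pull_request.head.repo.full_name // empty' "$EVENT_FILE")"
          BASE_REPO="$(jq -r '.repository.full_name // empty' "$EVENT_FILE")"
          PR_BRANCH="$(jq -r '.pull_request.head.ref // empty' "$EVENT_FILE")"

          # Fail closed: a payload that cannot establish the PR's origin gets
          # no push. The previous check only refused when BOTH repo names were
          # present and differed, so a missing head.repo fell through to the
          # push.
          if [[ -z "$HEAD_REPO" || -z "$BASE_REPO" || -z "$PR_BRANCH" ]]; then
            echo "Incomplete PR metadata in event payload, skipping auto-push."
            exit 0
          fi

          if [[ "$HEAD_REPO" != "$BASE_REPO" ]]; then
            echo "PR from fork ($HEAD_REPO), skipping auto-push."
            exit 0
          fi

          git config user.name "printcalc-ci"
          git config user.email "ci@printcalculator.local"

          git add frontend/src .gitea/workflows
          git commit -m "style: apply prettier formatting"

          # Fully qualify the destination so only the branch can be updated,
          # never a tag or other ref that happens to share the name. If this
          # push re-triggers the workflow, the next run hits the
          # `git diff --quiet` early exit above, so the loop converges.
          git push origin "HEAD:refs/heads/${PR_BRANCH}"

  security-sast:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Nothing in this job pushes, so keep the token out of .git/config
          # where code running in the job could read it.
          persist-credentials: false

      - name: Install Python and Semgrep
        shell: bash
        run: |
          set -euo pipefail
          apt-get update
          apt-get install -y --no-install-recommends python3 python3-pip
          python3 -m pip install --upgrade pip
          # TODO(review): pin Semgrep to an exact release (semgrep==X.Y.Z);
          # an unpinned install runs whatever version was published last.
          python3 -m pip install semgrep

      - name: Run Semgrep (SAST)
        shell: bash
        run: |
          set -euo pipefail
          semgrep --version
          # `--config auto` fetches rules from the Semgrep registry and, per
          # Semgrep's docs, sends project metadata/metrics to Semgrep. If
          # that is not acceptable here, use explicit rulesets (for example
          # `--config p/default`) together with `--metrics=off`.
          # `--error` turns any finding into a failed job.
          semgrep --config auto --error \
            --exclude frontend/node_modules \
            --exclude backend/build \
            backend/src frontend/src

      - name: Install Gitleaks
        shell: bash
        run: |
          set -euo pipefail
          VERSION="8.24.2"
          ASSET="gitleaks_${VERSION}_linux_x64.tar.gz"
          BASE_URL="https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}"
          cd /tmp
          # --fail makes a 404/error page a hard failure instead of an
          # "archive" that tar then chokes on (or worse, unpacks).
          curl -fsSL "${BASE_URL}/${ASSET}" -o "${ASSET}"
          # Verify the archive before extracting. The checksum file follows
          # the goreleaser naming used by gitleaks releases; adjust if a
          # release renames it. NOTE(review): it comes from the same origin
          # as the binary, so this guards against a corrupted or swapped
          # download, not a tampered release — pinning the expected sha256
          # in this file would cover that too.
          curl -fsSL "${BASE_URL}/gitleaks_${VERSION}_checksums.txt" -o checksums.txt
          sha256sum --ignore-missing -c checksums.txt
          tar -xzf "${ASSET}" -C /tmp
          install -m 0755 /tmp/gitleaks /usr/local/bin/gitleaks
          gitleaks version

      - name: Run Gitleaks (secrets scan)
        shell: bash
        run: |
          # Errexit is disabled on purpose so the report can be printed
          # before the step exits with gitleaks' own status.
          set +e
          # --no-git scans the working tree only: a secret committed and
          # later removed is not seen. The checkout is full-depth, so a
          # history scan (`gitleaks git .`) is possible if that gap matters.
          # --redact keeps matched values out of the log printed below.
          gitleaks detect --source . --no-git --redact --exit-code 1 \
            --report-format json --report-path /tmp/gitleaks-report.json
          rc=$?
          if [[ $rc -ne 0 ]]; then
            echo "Gitleaks findings:"
            cat /tmp/gitleaks-report.json
          fi
          exit $rc

  test-backend:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # This job only builds and tests; nothing pushes. Drop this if the
          # Gradle build turns out to need git credentials (private git deps).
          persist-credentials: false

      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          java-version: "21"
          distribution: "temurin"
          cache: gradle

      - name: Run Tests with Gradle
        shell: bash
        run: |
          set -euo pipefail
          cd backend
          chmod +x gradlew
          # NOTE(review): gradlew and the wrapper jar it bootstraps come from
          # the PR itself, so on a fork PR this is arbitrary code on the
          # runner. Validating the wrapper jar against Gradle's published
          # checksums before this step would close that gap.
          ./gradlew test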