100 lines
3.2 KiB
YAML
100 lines
3.2 KiB
YAML
name: CI - Build & Test
|
|
run-name: 🔍 CI ${{ gitea.ref_name }} by @${{ gitea.actor }}
|
|
|
|
# ── Concurrency: cancel in-progress CI when new push arrives ──
|
|
concurrency:
|
|
group: ci-${{ gitea.ref }}
|
|
cancel-in-progress: true
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
# ─── Backend ───────────────────────────────────
|
|
backend:
|
|
name: Backend (.NET)
|
|
runs-on: linux
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup .NET SDK
|
|
uses: actions/setup-dotnet@v4
|
|
with:
|
|
dotnet-version: '10.0.x'
|
|
|
|
- name: Restore
|
|
run: dotnet restore backend-tests/Nexus.Api.Tests.csproj
|
|
|
|
- name: Build
|
|
run: dotnet build backend-tests/Nexus.Api.Tests.csproj --no-restore --configuration Release
|
|
|
|
- name: Test
|
|
run: dotnet test backend-tests/Nexus.Api.Tests.csproj --no-build --configuration Release --verbosity normal
|
|
|
|
# ─── Frontend ──────────────────────────────────
|
|
frontend:
|
|
name: Frontend (Vue/TS)
|
|
runs-on: linux
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '24'
|
|
|
|
- name: Setup pnpm
|
|
run: |
|
|
corepack enable
|
|
corepack prepare pnpm@latest --activate
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
working-directory: frontend
|
|
|
|
- name: Type check
|
|
run: pnpm exec vue-tsc --noEmit
|
|
working-directory: frontend
|
|
|
|
- name: Test
|
|
run: pnpm test
|
|
working-directory: frontend
|
|
|
|
- name: Build
|
|
run: pnpm build
|
|
working-directory: frontend
|
|
|
|
# ─── Security ──────────────────────────────────
|
|
security:
|
|
name: Security Check
|
|
runs-on: linux
|
|
if: github.ref == 'refs/heads/main'
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Check for .env leaks
|
|
run: |
|
|
echo "🔍 Scanning for potential secrets in source code..."
|
|
HITS=$(grep -rPn "(API_KEY|SECRET|PASSWORD|TOKEN)\s*[:=]\s*['\"][^'\"]{8,}" --include="*.cs" --include="*.ts" --include="*.vue" backend/ frontend/src/ 2>/dev/null || true)
|
|
if [ -n "$HITS" ]; then
|
|
echo "❌ SECRET LEAK DETECTED — the following lines look like hardcoded credentials:"
|
|
echo "$HITS"
|
|
echo ""
|
|
echo "Remove these values and use environment variables or a secrets manager instead."
|
|
exit 1
|
|
fi
|
|
# Secondary pass: catch bare assign patterns that are suspicious regardless of length
|
|
LOOSE=$(grep -rPn "(API_KEY|SECRET|PASSWORD|TOKEN)\s*[:=]\s*['\"]" --include="*.cs" --include="*.ts" --include="*.vue" backend/ frontend/src/ 2>/dev/null || true)
|
|
if [ -n "$LOOSE" ]; then
|
|
echo "⚠️ WARNING — potential secrets found (short values may be false positives, review manually):"
|
|
echo "$LOOSE"
|
|
else
|
|
echo "✅ No obvious secrets found"
|
|
fi
|