| 1 | name: CI |
| 2 | |
| 3 | on: |
| 4 | pull_request: |
| 5 | push: |
| 6 | branches: [ main ] |
| 7 | |
| 8 | jobs: |
| 9 | scan_ruby: |
| 10 | runs-on: ubuntu-latest |
| 11 | |
| 12 | steps: |
| 13 | - name: Checkout code |
| 14 | uses: actions/checkout@v6 |
| 15 | |
| 16 | - name: Set up Ruby |
| 17 | uses: ruby/setup-ruby@v1 |
| 18 | with: |
| 19 | bundler-cache: true |
| 20 | |
| 21 | - name: Scan for common Rails security vulnerabilities using static analysis |
| 22 | run: bin/brakeman --no-pager |
| 23 | |
| 24 | - name: Scan for known security vulnerabilities in gems used |
| 25 | run: bin/bundler-audit |
| 26 | |
| 27 | scan_js: |
| 28 | runs-on: ubuntu-latest |
| 29 | |
| 30 | steps: |
| 31 | - name: Checkout code |
| 32 | uses: actions/checkout@v6 |
| 33 | |
| 34 | - name: Set up Ruby |
| 35 | uses: ruby/setup-ruby@v1 |
| 36 | with: |
| 37 | bundler-cache: true |
| 38 | |
| 39 | - name: Scan for security vulnerabilities in JavaScript dependencies |
| 40 | run: bin/importmap audit |
| 41 | |
| 42 | lint: |
| 43 | runs-on: ubuntu-latest |
| 44 | env: |
| 45 | RUBOCOP_CACHE_ROOT: tmp/rubocop |
| 46 | steps: |
| 47 | - name: Checkout code |
| 48 | uses: actions/checkout@v6 |
| 49 | |
| 50 | - name: Set up Ruby |
| 51 | uses: ruby/setup-ruby@v1 |
| 52 | with: |
| 53 | bundler-cache: true |
| 54 | |
| 55 | - name: Prepare RuboCop cache |
| 56 | uses: actions/cache@v4 |
| 57 | env: |
| 58 | DEPENDENCIES_HASH: ${{ hashFiles('.ruby-version', '**/.rubocop.yml', '**/.rubocop_todo.yml', 'Gemfile.lock') }} |
| 59 | with: |
| 60 | path: ${{ env.RUBOCOP_CACHE_ROOT }} |
| 61 | key: rubocop-${{ runner.os }}-${{ env.DEPENDENCIES_HASH }}-${{ github.ref_name == github.event.repository.default_branch && github.run_id || 'default' }} |
| 62 | restore-keys: | |
| 63 | rubocop-${{ runner.os }}-${{ env.DEPENDENCIES_HASH }}- |
| 64 | |
| 65 | - name: Lint code for consistent style |
| 66 | run: bin/rubocop -f github |
| 67 | |
| 68 | test: |
| 69 | runs-on: ubuntu-latest |
| 70 | |
| 71 | services: |
| 72 | postgres: |
| 73 | image: postgres:16 |
| 74 | env: |
| 75 | POSTGRES_USER: postgres |
| 76 | POSTGRES_PASSWORD: postgres |
| 77 | ports: |
| 78 | - 5432:5432 |
| 79 | options: >- |
| 80 | --health-cmd "pg_isready -U postgres" |
| 81 | --health-interval 10s |
| 82 | --health-timeout 5s |
| 83 | --health-retries 5 |
| 84 | |
| 85 | env: |
| 86 | RAILS_ENV: test |
| 87 | DATABASE_URL: postgres://postgres:postgres@localhost:5432/sigitsi_test |
| 88 | # The app reads secret_key_base from ENV (see .env.example); credentials |
| 89 | # are not read at boot, so a dummy key is enough to boot in test. |
| 90 | SECRET_KEY_BASE: dummy-secret-key-base-for-ci |
| 91 | |
| 92 | steps: |
| 93 | - name: Checkout code |
| 94 | uses: actions/checkout@v6 |
| 95 | |
| 96 | # libvips (+ librsvg and a font) lets the Open Graph card endpoint render |
| 97 | # real PNGs in CI, matching production rather than the static fallback. |
| 98 | - name: Install libvips for Open Graph image rendering |
| 99 | run: | |
| 100 | sudo apt-get update |
| 101 | sudo apt-get install -y --no-install-recommends libvips librsvg2-2 fonts-dejavu-core |
| 102 | |
| 103 | - name: Set up Ruby |
| 104 | uses: ruby/setup-ruby@v1 |
| 105 | with: |
| 106 | bundler-cache: true |
| 107 | |
| 108 | - name: Prepare the test database |
| 109 | run: bin/rails db:test:prepare |
| 110 | |
| 111 | - name: Build Tailwind CSS |
| 112 | run: bin/rails tailwindcss:build |
| 113 | |
| 114 | - name: Run RSpec |
| 115 | run: bundle exec rspec |
| 116 |