main
yml 116 lines 3.07 KB
Raw
1 name: CI
2
3 on:
4 pull_request:
5 push:
6 branches: [ main ]
7
8 jobs:
9 scan_ruby:
10 runs-on: ubuntu-latest
11
12 steps:
13 - name: Checkout code
14 uses: actions/checkout@v6
15
16 - name: Set up Ruby
17 uses: ruby/setup-ruby@v1
18 with:
19 bundler-cache: true
20
21 - name: Scan for common Rails security vulnerabilities using static analysis
22 run: bin/brakeman --no-pager
23
24 - name: Scan for known security vulnerabilities in gems used
25 run: bin/bundler-audit
26
27 scan_js:
28 runs-on: ubuntu-latest
29
30 steps:
31 - name: Checkout code
32 uses: actions/checkout@v6
33
34 - name: Set up Ruby
35 uses: ruby/setup-ruby@v1
36 with:
37 bundler-cache: true
38
39 - name: Scan for security vulnerabilities in JavaScript dependencies
40 run: bin/importmap audit
41
42 lint:
43 runs-on: ubuntu-latest
44 env:
45 RUBOCOP_CACHE_ROOT: tmp/rubocop
46 steps:
47 - name: Checkout code
48 uses: actions/checkout@v6
49
50 - name: Set up Ruby
51 uses: ruby/setup-ruby@v1
52 with:
53 bundler-cache: true
54
55 - name: Prepare RuboCop cache
56 uses: actions/cache@v4
57 env:
58 DEPENDENCIES_HASH: ${{ hashFiles('.ruby-version', '**/.rubocop.yml', '**/.rubocop_todo.yml', 'Gemfile.lock') }}
59 with:
60 path: ${{ env.RUBOCOP_CACHE_ROOT }}
61 key: rubocop-${{ runner.os }}-${{ env.DEPENDENCIES_HASH }}-${{ github.ref_name == github.event.repository.default_branch && github.run_id || 'default' }}
62 restore-keys: |
63 rubocop-${{ runner.os }}-${{ env.DEPENDENCIES_HASH }}-
64
65 - name: Lint code for consistent style
66 run: bin/rubocop -f github
67
68 test:
69 runs-on: ubuntu-latest
70
71 services:
72 postgres:
73 image: postgres:16
74 env:
75 POSTGRES_USER: postgres
76 POSTGRES_PASSWORD: postgres
77 ports:
78 - 5432:5432
79 options: >-
80 --health-cmd "pg_isready -U postgres"
81 --health-interval 10s
82 --health-timeout 5s
83 --health-retries 5
84
85 env:
86 RAILS_ENV: test
87 DATABASE_URL: postgres://postgres:postgres@localhost:5432/sigitsi_test
88 # The app reads secret_key_base from ENV (see .env.example); credentials
89 # are not read at boot, so a dummy key is enough to boot in test.
90 SECRET_KEY_BASE: dummy-secret-key-base-for-ci
91
92 steps:
93 - name: Checkout code
94 uses: actions/checkout@v6
95
96 # libvips (+ librsvg and a font) lets the Open Graph card endpoint render
97 # real PNGs in CI, matching production rather than the static fallback.
98 - name: Install libvips for Open Graph image rendering
99 run: |
100 sudo apt-get update
101 sudo apt-get install -y --no-install-recommends libvips librsvg2-2 fonts-dejavu-core
102
103 - name: Set up Ruby
104 uses: ruby/setup-ruby@v1
105 with:
106 bundler-cache: true
107
108 - name: Prepare the test database
109 run: bin/rails db:test:prepare
110
111 - name: Build Tailwind CSS
112 run: bin/rails tailwindcss:build
113
114 - name: Run RSpec
115 run: bundle exec rspec
116