GithubCICDChecker/.github/workflows/ci.yml at main · FabLrc/GithubCICDChecker · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
name: CI

on:
  push:
    branches: [develop]
  pull_request:
    branches: [develop, main]

jobs:
  # ── Conventional Commits ──────────────────────────────────────────────────
  commit-lint:
    name: Conventional Commits
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Validate commit messages
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          pattern='^(feat|fix|docs|style|refactor|test|chore|ci|build|perf|revert)(\(.+\))?!?: .+'
          failed=0

          while IFS= read -r msg; do
            subject=$(echo "$msg" | head -1)
            # Allow system merge commits
            if echo "$subject" | grep -qE "^(Merge|Squashed|Revert)"; then
              echo "✅  \"$subject\" (merge)"
              continue
            fi
            if ! echo "$subject" | grep -qE "$pattern"; then
              echo "❌  \"$subject\""
              failed=1
            else
              echo "✅  \"$subject\""
            fi
          done < <(git log "$BASE_SHA..$HEAD_SHA" --pretty=format:'%s')

          if [ "$failed" -eq 1 ]; then
            echo ""
            echo "Un ou plusieurs commits ne respectent pas Conventional Commits."
            echo "Format attendu : type(scope)?: sujet"
            echo "Types autorisés : feat | fix | docs | style | refactor | test | chore | ci | build | perf | revert"
            echo "(Les commits de merge Merge/Squashed/Revert sont toujours acceptés)"
            exit 1
          fi

  # ── Formatting ────────────────────────────────────────────────────────────
  fmt:
    name: Format Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt

      - name: Check formatting (rustfmt)
        run: cargo fmt -- --check

  # ── Linting ───────────────────────────────────────────────────────────────
  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: wasm32-unknown-unknown
          components: clippy

      - name: Cache Cargo registry & build
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-clippy-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: ${{ runner.os }}-cargo-clippy-

      - name: Run Clippy
        run: cargo clippy --target wasm32-unknown-unknown -- -D warnings

  # ── Build + Test — matrix (stable & beta) ────────────────────────────────
  build:
    name: Build (${{ matrix.rust }})
    runs-on: ubuntu-latest
    strategy:
      matrix:
        rust: [stable, beta]
      fail-fast: false
    steps:
      - uses: actions/checkout@v6

      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ matrix.rust }}
          targets: wasm32-unknown-unknown

      - name: Cache Cargo registry & build
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ matrix.rust }}-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: ${{ runner.os }}-cargo-${{ matrix.rust }}-

      - name: Build
        run: cargo build --target wasm32-unknown-unknown

      # Compile the test suite (wasm32 tests run in browser; we verify they
      # at least compile correctly in CI without a headless browser driver)
      - name: Verify test compilation
        run: cargo test --target wasm32-unknown-unknown --no-run

  # ── Security Audit ────────────────────────────────────────────────────────
  security:
    name: Security Audit (cargo-audit)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - uses: dtolnay/rust-toolchain@stable

      - name: Cache Cargo registry
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
          key: ${{ runner.os }}-cargo-audit-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: ${{ runner.os }}-cargo-audit-

      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      - name: Run security audit
        run: cargo audit