ci: bump trufflesecurity/trufflehog from c563a0692fa2017ff949d219cc9f586293d41e66 to d411fff7b8879a62509f3fa98c07f247ac089a51 #604
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Championship CI/CD | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main ] | |
| env: | |
| NODE_VERSION: '22.x' | |
| BUN_VERSION: '1.3.13' | |
| jobs: | |
| # Security Check | |
| security: | |
| name: Security Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: NPM Audit | |
| run: npm audit --audit-level=moderate --omit=dev | |
| - name: Check for secrets | |
| uses: trufflesecurity/trufflehog@d411fff7b8879a62509f3fa98c07f247ac089a51 | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| # Primary Test Suite — Bun | |
| # Windows excluded: bunx tests timeout on Windows CI (Node smoke test covers Windows) | |
| test: | |
| name: Bun Test Suite | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, macos-latest] | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Setup Bun | |
| uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: ${{ env.BUN_VERSION }} | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Lint code | |
| run: npm run lint | |
| continue-on-error: true # lint surfaces issues, doesn't block tests/build | |
| - name: Build TypeScript | |
| run: npm run build | |
| - name: Run tests (bun) | |
| run: bun test --timeout=120000 | |
| - name: Test CLI functionality | |
| run: | | |
| node dist/cli.js --help | |
| node dist/cli.js --version | |
| - name: Test project detection | |
| shell: bash | |
| run: | | |
| node dist/cli.js init --force --output test.faf | |
| ls -la test.faf | |
| head -10 test.faf | |
| node dist/cli.js score test.faf | |
| node dist/cli.js check test.faf | |
| - name: Upload build artifacts | |
| uses: actions/upload-artifact@v6 | |
| if: matrix.os == 'ubuntu-latest' | |
| with: | |
| name: dist-files | |
| path: dist/ | |
| # Node Smoke Test — npx users still work | |
| node-compat: | |
| name: Node Smoke Test | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| node: [18.x, 20.x, 22.x] | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Setup Bun | |
| uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: ${{ env.BUN_VERSION }} | |
| - name: Setup Node.js ${{ matrix.node }} | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Build TypeScript | |
| run: npm run build | |
| - name: CLI smoke test | |
| run: | | |
| node dist/cli.js --version | |
| node dist/cli.js --help | |
| node dist/cli.js init --force --output test.faf | |
| node dist/cli.js score test.faf | |
| node dist/cli.js check test.faf | |
| # Pack-and-install smoke test — catches the v6.3.0 class of bug where | |
| # the local build works but the published tarball crashes for end users. | |
| # Tests the actual user experience: `npm install -g <tarball>` + `faf info`. | |
| - name: Packed-tarball smoke test | |
| run: | | |
| set -euo pipefail | |
| TARBALL_DIR=$(mktemp -d) | |
| npm pack --pack-destination "$TARBALL_DIR" >/dev/null | |
| TARBALL=$(ls "$TARBALL_DIR"/faf-cli-*.tgz | head -1) | |
| echo "::group::Tarball contents" | |
| tar -tzf "$TARBALL" | head -20 | |
| echo "::endgroup::" | |
| # Install globally from the tarball into a fresh prefix | |
| INSTALL_PREFIX=$(mktemp -d) | |
| npm install --prefix "$INSTALL_PREFIX" --no-save --no-audit --no-fund "$TARBALL" | |
| # Run the binary from that fresh install — this is what users get | |
| BIN="$INSTALL_PREFIX/node_modules/.bin/faf" | |
| # Assert --version matches package.json (catches stale hardcoded VERSION constants) | |
| EXPECTED=$(node -p "require('./package.json').version") | |
| ACTUAL=$("$BIN" --version) | |
| if [ "$EXPECTED" != "$ACTUAL" ]; then | |
| echo "::error::Version mismatch from packed tarball — expected '$EXPECTED', got '$ACTUAL'" | |
| exit 1 | |
| fi | |
| echo "✓ faf --version: $ACTUAL" | |
| echo "::group::faf info" | |
| "$BIN" info | |
| echo "::endgroup::" | |
| # Code Quality | |
| quality: | |
| name: Code Quality | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Lint | |
| run: npm run lint | |
| continue-on-error: true # lint surfaces issues, doesn't gate the badge | |
| - name: Format Check | |
| run: npm run format -- --check | |
| continue-on-error: true | |
| # TAF - Testing Activity Feed | |
| taf: | |
| name: TAF Receipt | |
| runs-on: ubuntu-latest | |
| needs: test | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup Bun | |
| uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: ${{ env.BUN_VERSION }} | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Build | |
| run: npm run build | |
| - name: Run Tests and Capture Output | |
| run: bun test --timeout=120000 2>&1 | tee /tmp/test-output.txt | |
| - name: Convert Bun output to Jest format for TAF | |
| run: | | |
| # Extract bun test summary (e.g., " 1232 pass", " 0 fail") | |
| passed=$(grep -oP '^\s*\K\d+(?=\s+pass)' /tmp/test-output.txt || echo "0") | |
| failed=$(grep -oP '^\s*\K\d+(?=\s+fail)' /tmp/test-output.txt || echo "0") | |
| total=$((passed + failed)) | |
| # Append Jest-compatible summary line for TAF parser | |
| echo "" >> /tmp/test-output.txt | |
| if [ "$failed" -gt 0 ]; then | |
| echo "Tests: $failed failed, $passed passed, $total total" >> /tmp/test-output.txt | |
| else | |
| echo "Tests: $passed passed, $total total" >> /tmp/test-output.txt | |
| fi | |
| - name: Generate TAF Receipt | |
| uses: Wolfe-Jam/faf-taf-git@v2.1.2 | |
| with: | |
| test-output-file: /tmp/test-output.txt | |
| auto-commit: 'true' | |
| commit-message: 'chore(taf): update .taf receipt [skip ci]' | |
| target-branch: taf-receipts | |
| # Championship Status | |
| status: | |
| name: Championship Status | |
| runs-on: ubuntu-latest | |
| needs: [security, test, node-compat, quality] | |
| if: always() | |
| steps: | |
| - name: Check results | |
| run: | | |
| echo "FAF CLI Championship CI/CD" | |
| echo "---" | |
| failed=0 | |
| if [ "${{ needs.security.result }}" != "success" ]; then | |
| echo "FAIL Security: ${{ needs.security.result }}" | |
| failed=1 | |
| else | |
| echo "PASS Security" | |
| fi | |
| if [ "${{ needs.test.result }}" != "success" ]; then | |
| echo "FAIL Bun Tests: ${{ needs.test.result }}" | |
| failed=1 | |
| else | |
| echo "PASS Bun Tests: all platforms" | |
| fi | |
| if [ "${{ needs.node-compat.result }}" != "success" ]; then | |
| echo "FAIL Node Compat: ${{ needs.node-compat.result }}" | |
| failed=1 | |
| else | |
| echo "PASS Node Compat: 18.x, 20.x, 22.x" | |
| fi | |
| if [ "${{ needs.quality.result }}" != "success" ]; then | |
| echo "FAIL Quality: ${{ needs.quality.result }}" | |
| failed=1 | |
| else | |
| echo "PASS Quality" | |
| fi | |
| echo "---" | |
| if [ "$failed" -eq 1 ]; then | |
| echo "CI FAILED" | |
| exit 1 | |
| fi | |
| echo "PODIUM READY" |