The quality gate ran its full matrix on every PR edit event even though title/body edits cannot change the code: only validate_pr_title needs to react to them. Gate the heavy jobs on action != 'edited', add the missing concurrency group (Renovate PRs currently run the whole gate twice per commit), cache Bun dependencies like the other workflows, drop the unused setup-node step, and run checkout/Bun setup in parallel.
name: 🚦 Security & Quality Gate

# Triggers: PR lifecycle events against the protected branches, manual runs,
# and pushes to develop. `edited` stays in the list so the PR-title check
# re-runs when a title changes; the heavier jobs filter that event out
# themselves via `github.event.action != 'edited'`.
on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
      - reopened
    branches:
      - develop
      - master
  workflow_dispatch:
  push:
    branches:
      - develop

# Workflow-wide default token scope is read-only; a job that needs more
# (e.g. posting PR comments) widens it locally.
permissions:
  contents: read

# One in-flight run per workflow and ref: a newer commit on the same ref
# cancels the run that is still going.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

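jobs:
  validate_pr_title:
    name: "📝 Validate PR Title"
    # Title/body edits are exactly the events this job must see, so it does
    # not carry the `action != 'edited'` filter the other jobs use.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-26.04
    permissions:
      # Required to create and delete the sticky error comment below.
      pull-requests: write
      contents: read
    steps:
      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
        id: lint_pr_title
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # always(): the lint step fails on a bad title, and the comment must
      # still be posted in that case.
      - uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
        if: always() && (steps.lint_pr_title.outputs.error_message != null)
        with:
          header: pr-title-lint-error
          message: |
            Hey there and thank you for opening this pull request! 👋🏼
            We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/).

            **Error details:**
            ```
            ${{ steps.lint_pr_title.outputs.error_message }}
            ```

      # Remove a stale error comment once the title is valid again.
      - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
        uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
        with:
          header: pr-title-lint-error
          delete: true

  dependency-review:
    name: 🔍 Vulnerable Dependencies
    # PR title/body edits can't change the dependency graph — only re-run on code events.
    if: github.event.action != 'edited'
    runs-on: ubuntu-26.04
    permissions:
      contents: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # On pull_request check out the PR head rather than the synthetic
          # merge commit; on push/workflow_dispatch fall back to the
          # triggering commit.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
          # Nothing later in this job pushes, so don't leave the token in
          # .git/config for subsequent steps to read.
          persist-credentials: false

      - name: Dependency Review
        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
        with:
          fail-on-severity: high
          # NOTE(review): on a push to develop these fallbacks resolve to
          # 'develop' on the base side and refs/heads/develop on the head
          # side, i.e. the same commit, so the reviewed diff is presumably
          # empty — confirm push runs actually report anything.
          base-ref: ${{ github.event.pull_request.base.sha || 'develop' }}
          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}

  expo-doctor:
    name: 🚑 Expo Doctor Check
    # PR title/body edits can't change the project — only re-run on code events.
    if: github.event.action != 'edited'
    runs-on: ubuntu-26.04
    # Steps in a GitHub Actions job always run sequentially; there is no
    # `parallel` step key and a workflow that uses one is rejected at
    # validation time. Checkout must precede Bun setup/install in any case:
    # the cache key hashes bun.lock and the install reads it.
    steps:
      - name: 🛒 Checkout repository
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          submodules: recursive
          fetch-depth: 0
          # Later steps execute scripts from the checked-out PR code; keep
          # the token out of .git/config (no step here pushes).
          persist-credentials: false

      - name: 🍞 Setup Bun
        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
        with:
          # renovate: datasource=npm depName=bun
          bun-version: "1.3.14"

      - name: 💾 Cache Bun dependencies
        uses: actions/cache@2c8a9bd7457de244a408f35966fab2fb45fda9c8 # v6.0.0
        with:
          path: ~/.bun/install/cache
          key: ${{ runner.os }}-${{ runner.arch }}-bun-${{ hashFiles('bun.lock') }}
          restore-keys: |
            ${{ runner.os }}-${{ runner.arch }}-bun-

      - name: 📦 Install dependencies (bun)
        run: bun install --frozen-lockfile

      - name: 🚑 Run Expo Doctor
        # Re-enabled but non-blocking: surfaces doctor warnings in the logs
        # without failing the gate (some checks are known-noisy for this setup).
        continue-on-error: true
        run: bun expo-doctor

  code_quality:
    name: "🔍 Lint & Test (${{ matrix.command }})"
    # PR title/body edits can't change the code — only re-run on code events.
    if: github.event.action != 'edited'
    runs-on: ubuntu-26.04
    strategy:
      # Keep the other matrix legs running when one check fails, so a PR
      # author sees every failing check at once.
      fail-fast: false
      matrix:
        command:
          - "lint"
          - "check"
          - "format"
          - "typecheck"
          - "i18n:check"

    # Sequential steps (see expo-doctor): GitHub Actions has no `parallel`
    # step key, and checkout must precede the Bun cache/install anyway.
    steps:
      - name: "📥 Checkout PR code"
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          submodules: recursive
          fetch-depth: 0
          # `bun run <command>` executes package.json scripts from the PR
          # under review; keep the token out of .git/config (no step pushes).
          persist-credentials: false

      - name: "🍞 Setup Bun"
        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
        with:
          # renovate: datasource=npm depName=bun
          bun-version: "1.3.14"

      - name: 💾 Cache Bun dependencies
        uses: actions/cache@2c8a9bd7457de244a408f35966fab2fb45fda9c8 # v6.0.0
        with:
          path: ~/.bun/install/cache
          key: ${{ runner.os }}-${{ runner.arch }}-bun-${{ hashFiles('bun.lock') }}
          restore-keys: |
            ${{ runner.os }}-${{ runner.arch }}-bun-

      - name: "📦 Install dependencies"
        run: bun install --frozen-lockfile

      - name: "🚨 Run ${{ matrix.command }}"
        run: bun run ${{ matrix.command }}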