mirror of
https://github.com/streamyfin/streamyfin.git
synced 2026-06-02 12:08:37 +01:00
3de9b65b7d
New .github/workflows/pr-validation.yml (pull_request_target, like seerr, so it works on fork PRs without checking out fork code): moves the Conventional-Commits title check out of the quality gate and adds a PR template check (scripts/check-pr-template.mjs) — Description/Ticket/Testing filled, contribution + AI-disclosure boxes ticked (maintainers bypass AI), and Screenshots required when the PR changes UI (.tsx under app/ or components/). Posts a sticky comment + 'blocked: template' label on failure, clears on success; skips bots + synchronize. Robust comment stripping (CodeQL-safe). Inspired by seerr's pr-validation.
92 lines
2.5 KiB
YAML
92 lines
2.5 KiB
YAML
name: 🚦 Security & Quality Gate
|
|
|
|
on:
|
|
pull_request:
|
|
types: [opened, edited, synchronize, reopened]
|
|
branches: [develop, master]
|
|
workflow_dispatch:
|
|
push:
|
|
branches: [develop]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
dependency-review:
|
|
name: 🔍 Vulnerable Dependencies
|
|
runs-on: ubuntu-24.04
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- name: Checkout Repository
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
fetch-depth: 0
|
|
|
|
- name: Dependency Review
|
|
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
|
|
with:
|
|
fail-on-severity: high
|
|
base-ref: ${{ github.event.pull_request.base.sha || 'develop' }}
|
|
head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
|
|
|
|
expo-doctor:
|
|
name: 🚑 Expo Doctor Check
|
|
if: false
|
|
runs-on: ubuntu-24.04
|
|
steps:
|
|
- name: 🛒 Checkout repository
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
submodules: recursive
|
|
fetch-depth: 0
|
|
|
|
- name: 🍞 Setup Bun
|
|
uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
|
|
with:
|
|
bun-version: latest
|
|
|
|
- name: 📦 Install dependencies (bun)
|
|
run: bun install --frozen-lockfile
|
|
|
|
- name: 🚑 Run Expo Doctor
|
|
run: bun expo-doctor
|
|
|
|
code_quality:
|
|
name: "🔍 Lint & Test (${{ matrix.command }})"
|
|
runs-on: ubuntu-24.04
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
command:
|
|
- "lint"
|
|
- "check"
|
|
- "format"
|
|
- "typecheck"
|
|
|
|
steps:
|
|
- name: "📥 Checkout PR code"
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
submodules: recursive
|
|
fetch-depth: 0
|
|
|
|
- name: "🟢 Setup Node.js"
|
|
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: '24.x'
|
|
|
|
- name: "🍞 Setup Bun"
|
|
uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
|
|
with:
|
|
bun-version: latest
|
|
|
|
- name: "📦 Install dependencies"
|
|
run: bun install --frozen-lockfile
|
|
|
|
- name: "🚨 Run ${{ matrix.command }}"
|
|
run: bun run ${{ matrix.command }}
|