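# CI/CD pipeline: lint, type-check, test and build on every push/PR to main,
# run a security audit in parallel, and deploy to Cloudflare Pages only for
# pushes to main once both gates have passed.
name: CI/CD Pipeline - Build, Test & Deploy to Cloudflare Pages

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for the default GITHUB_TOKEN: every job is read-only unless
# it declares more (the deploy job adds deployments: write).
permissions:
  contents: read

# Cancel in-progress runs for the same PR, but never cancel a run that may
# already be deploying main — a half-finished deploy is worse than a queued one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  # ============================================
  # JOB 1: Lint, Type Check & Build
  # ============================================
  build-and-test:
    runs-on: ubuntu-latest
    name: 🔨 Build & Test
    steps:
      # Third-party actions are pinned to a major tag. Pinning to a full commit
      # SHA (uses: owner/action@<commit-sha>  # vN) also protects against a
      # moved or compromised tag.
      - name: 📥 Checkout code
        uses: actions/checkout@v4

      - name: 🟢 Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      # npm ci installs exactly what package-lock.json pins and fails on drift.
      - name: 📦 Install Dependencies
        run: npm ci

      - name: 🔍 Run Linting (ESLint)
        run: npm run lint
        continue-on-error: false

      - name: 📝 Check Types (TypeScript)
        run: npx tsc --noEmit --pretty
        continue-on-error: false

      - name: 🧪 Run Unit Tests (Vitest)
        run: npm run test:ci

      - name: 🏗️ Build Production
        run: npm run build
        env:
          NODE_ENV: production

      # Fails the job when out/ is missing or holds no HTML page instead of only
      # printing a listing. sed (not head) drains the whole pipe, so the step
      # cannot die from SIGPIPE under the runner's default `-o pipefail`.
      - name: 📊 Verify Build Output
        run: |
          echo "=== Build Output Verification ==="
          ls -la out/
          echo "Total files in out/:"
          find out/ -type f | wc -l
          html_count=$(find out/ -type f -name "*.html" | wc -l)
          echo "=== Static pages generated (${html_count}) ==="
          if [ "${html_count}" -eq 0 ]; then
            echo "::error::No HTML pages were generated in out/"
            exit 1
          fi
          find out/ -type f -name "*.html" | sort | sed -n '1,20p'

      - name: 📤 Upload Build Artifact
        uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: out/
          retention-days: 3

  # ============================================
  # JOB 2: Security Audit
  # ============================================
  security-audit:
    runs-on: ubuntu-latest
    name: 🔒 Security Audit
    steps:
      - name: 📥 Checkout code
        uses: actions/checkout@v4

      - name: 🟢 Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: 📦 Install Dependencies
        run: npm ci

      # Advisory only: the `||` fallback keeps the job green on findings, so
      # they are surfaced as a workflow warning instead of being lost in the
      # log. Remove the fallback to make high-severity advisories block deploy.
      - name: 🔐 npm Audit (Security Vulnerabilities)
        run: |
          npm audit --audit-level=high \
            || echo "::warning::npm audit reported high-severity findings (advisory, not blocking)"

      # Heuristic grep for common secret-looking tokens. The password pattern
      # also matches ordinary form-handling code, so a hit is reported as a
      # warning annotation with file:line rather than failing the job. A grep
      # error (exit >1, e.g. src/ missing) is no longer reported as "no secrets".
      - name: 🕵️ Check for Hardcoded Secrets
        run: |
          echo "=== Checking for potential hardcoded secrets ==="
          # Check for common secret patterns (excluding node_modules and .next)
          rc=0
          hits=$(grep -rn --include="*.ts" --include="*.tsx" --include="*.js" \
            -e "sk_live" -e "pk_live" -e "AKIA" -e "password.*=.*['\"]" \
            --exclude-dir=node_modules --exclude-dir=.next \
            --exclude-dir=out --exclude="*.test.*" \
            src/) || rc=$?
          case "${rc}" in
            0)
              echo "${hits}"
              echo "::warning::Potential hardcoded secrets found in src/ - review the matches above"
              ;;
            1)
              echo "No obvious hardcoded secrets found in src/"
              ;;
            *)
              echo "::error::secret scan failed (grep exit ${rc})"
              exit "${rc}"
              ;;
          esac

      # Each header is checked with grep -q and an explicit failure flag. The
      # previous `grep -c … && echo` form only failed the step when the *last*
      # header was missing, because an earlier failing command inside an &&
      # list does not trigger `set -e`. Header names are matched
      # case-insensitively, as HTTP treats them.
      - name: 🛡️ Verify Security Headers
        run: |
          echo "=== Verifying _headers file ==="
          if [ ! -f "public/_headers" ]; then
            echo "❌ _headers file missing!"
            exit 1
          fi
          echo "✅ _headers file exists"
          missing=0
          check_header() {
            # $1 = header name, $2 = label for the log line
            if grep -qi "$1" public/_headers; then
              echo "✅ $2"
            else
              echo "❌ $1 not set in public/_headers"
              missing=1
            fi
          }
          check_header "X-Frame-Options" "Clickjacking protection"
          check_header "Content-Security-Policy" "CSP header"
          check_header "Strict-Transport-Security" "HSTS header"
          check_header "X-Content-Type-Options" "MIME sniffing protection"
          exit "${missing}"

  # ============================================
  # JOB 3: Deploy to Cloudflare Pages
  # ============================================
  deploy:
    runs-on: ubuntu-latest
    name: 🚀 Deploy to Cloudflare Pages
    needs: [build-and-test, security-audit]
    # Only direct pushes to main deploy; PR runs stop after the two gates.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      contents: read
      deployments: write
    steps:
      - name: 📥 Checkout code
        uses: actions/checkout@v4

      # Deploys the exact artifact that was built and verified above rather
      # than rebuilding here.
      - name: 📥 Download Build Artifact
        uses: actions/download-artifact@v4
        with:
          name: build-output
          path: out/

      # Credentials come from repository secrets and are never echoed.
      - name: 🚀 Deploy to Cloudflare Pages
        uses: cloudflare/wrangler-action@v3
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          command: pages deploy out/ --project-name=prisma-rt04

      # Context values are passed through env rather than interpolated into
      # the script body, the recommended pattern for `run:` steps.
      - name: ✅ Deployment Summary
        env:
          COMMIT_SHA: ${{ github.sha }}
        run: |
          echo "============================================"
          echo " 🎉 Deployment Successful!"
          echo "============================================"
          echo " 📦 Project: prisma-rt04"
          echo " 🌐 URL: https://prisma-rt04.pages.dev"
          echo " ⏰ Time: $(date)"
          echo " 📋 Commit: ${COMMIT_SHA}"
          echo "============================================"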