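---
# CI workflow: lint (TypeScript/React, Python, shell), security scanning and a
# dependency audit. Each job is independent and runs on pushes to and pull
# requests against main.
name: CI

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Least-privilege GITHUB_TOKEN: no job in this workflow writes to the
# repository (no releases, SARIF uploads or PR comments), so read access for
# checkout is all that is needed. Without this block the token inherits the
# repository's default, which may be write-all.
permissions:
  contents: read

jobs:
  lint-typescript:
    name: Lint TypeScript/React
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
      - name: Install dependencies
        # npm ci installs exactly what package-lock.json pins.
        run: npm ci
      - name: ESLint
        # --max-warnings 0: warnings fail the job, not just errors.
        run: npx eslint . --ext .ts,.tsx,.js,.jsx,.mjs --max-warnings 0
      - name: TypeScript Check
        run: npx tsc --noEmit
      - name: Build Check
        run: npm run build

  lint-python:
    name: Lint Python
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install linters
        # NOTE(review): linter versions are unpinned, so a new ruff/bandit
        # release can change results between otherwise identical runs;
        # consider pinning (ruff==<version> bandit==<version>).
        run: pip install ruff bandit
      - name: Ruff (lint + format check)
        # The step name promises a format check; the original only ran
        # `ruff check`, so formatting drift in utils/ never failed CI.
        run: |
          ruff check utils/ --output-format=github
          ruff format --check utils/
      - name: Bandit (security)
        # -ll: report medium-severity findings and above.
        run: bandit -r utils/ -ll

  lint-shell:
    name: Lint Shell Scripts
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: ShellCheck
        # TODO(pin): @master is a mutable ref — replace with a release tag or
        # full commit SHA so a compromised or changed upstream cannot alter
        # what runs in this job.
        uses: ludeeus/action-shellcheck@master
        with:
          scandir: './scripts'
          severity: warning

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy FS Scan
        # TODO(pin): @master is a mutable ref — pin to a release tag or full
        # commit SHA (same for the config scan below).
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          # exit-code 1 makes findings fail the job instead of only logging.
          exit-code: '1'
          # Skip vulnerabilities with no upstream fix yet; they cannot be
          # remediated by a dependency bump and would block every PR.
          ignore-unfixed: true
      - name: Trivy Config Scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

  dependency-audit:
    name: Dependency Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: npm audit
        # Explicit public registry so the audit endpoint is not redirected by
        # a per-project .npmrc; only high/critical advisories fail the job.
        run: npm audit --audit-level=high --registry=https://registry.npmjs.org
      - name: Check for outdated deps
        # Informational only: npm outdated exits 1 when anything is outdated,
        # so the failure is deliberately swallowed.
        run: npm outdated || true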