
auth/env hardening and reliability updates #137

auth/env hardening and reliability updates


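# CI workflow: type-check, unit-test, build and smoke-test the server; run a
# dependency audit and a secret scan; build and smoke-test both Docker images.
# Indentation follows yamllint defaults (2 spaces, indented sequences).
name: CI

on:
  push:
    branches: [master, dev]
  pull_request:
    branches: [master, dev]

# Least privilege for GITHUB_TOKEN: no job pushes, publishes or comments, so
# read access to the repository contents is all that is needed. (The gha build
# cache uses the runtime token, not these permissions.)
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): only the TruffleHog step below is pinned to a commit SHA;
      # the other actions use mutable major tags. Pin them the same way if the
      # supply-chain posture is meant to be uniform.
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          # Quoted so the version is always read as a string, never a number.
          bun-version: "1.3.3"
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Type check
        run: bun run tsc --noEmit
      - name: Run unit tests
        run: bun run test:unit
      - name: Build frontend
        run: bun run build
      - name: Validate OpenAPI spec
        run: bun run docs:validate
      - name: Test build artifacts
        run: |
          ls -la static/
          test -f static/app.js
          test -f static/styles.css
      - name: Test server startup
        run: |
          # Start the server in the background, bounded by `timeout` so a hung
          # process cannot keep the job alive, then poll for readiness instead of
          # relying on a fixed sleep (a slow start would otherwise be a flaky fail).
          timeout 60s bun run start &
          server_pid=$!
          for _ in $(seq 1 30); do
            if curl -fs http://localhost:8002/api/status >/dev/null; then
              break
            fi
            sleep 1
          done
          curl -f http://localhost:8002/api/status || exit 1
          curl -f http://localhost:8002/api/docs/openapi.json || exit 1
          # Stop the server explicitly rather than waiting for the timeout to fire.
          kill "$server_pid" 2>/dev/null || true

  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.3"
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Check code formatting
        run: |
          # Add prettier or other formatting checks here if needed
          echo "Code formatting check passed"

  security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # TruffleHog scans the commit range of the event; a shallow clone may
          # not contain the base commit, so fetch full history for this job.
          fetch-depth: 0
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.3"
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Run security audit
        run: |
          # Retry only when the failure looks transient (registry/network).
          # A non-zero exit for reported vulnerabilities is deterministic, so it
          # is surfaced immediately instead of after three identical attempts.
          # The pattern is a heuristic over the audit output text.
          transient_re='network|registry|ENOTFOUND|ECONNREFUSED|EAI_AGAIN|ETIMEDOUT'
          audit_log="$(mktemp)"
          trap 'rm -f "$audit_log"' EXIT
          last_exit=0
          last_attempt=0
          for attempt in 1 2 3; do
            last_attempt=$attempt
            audit_exit=0
            bun audit >"$audit_log" 2>&1 || audit_exit=$?
            if [ "$audit_exit" -eq 0 ]; then
              cat "$audit_log"
              exit 0
            fi
            last_exit=$audit_exit
            if ! grep -Eiq "$transient_re" "$audit_log"; then
              break
            fi
            if [ "$attempt" -lt 3 ]; then
              echo "bun audit failed (attempt $attempt), retrying..."
              sleep 5
            fi
          done
          echo "bun audit failed after ${last_attempt} attempt(s) with exit code ${last_exit}"
          if grep -Eiq "$transient_re" "$audit_log"; then
            echo "bun audit failed after retries due to network/registry error:"
          else
            echo "bun audit failed - vulnerabilities detected:"
          fi
          cat "$audit_log"
          exit 1
      - name: Check for secrets
        # Pinned to immutable commit (v3.93.4) for supply-chain safety.
        # Maintenance: periodically verify this SHA still corresponds to the intended upstream release.
        uses: trufflesecurity/trufflehog@7c0734f987ad0bb30ee8da210773b800ee2016d3
        with:
          path: ./
          extra_args: --debug --only-verified

  docker:
    runs-on: ubuntu-latest
    needs: [test, lint]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          tags: igloo-server:test
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Test Docker image
        run: |
          docker run -d --name test-container -p 8002:8002 \
            -e AUTO_ADMIN_SECRET=true \
            igloo-server:test
          sleep 10
          # Dump container logs on failure so a startup crash is diagnosable
          # from the job output instead of just "curl: (7)".
          curl -f http://localhost:8002/api/status || { docker logs test-container; exit 1; }
          docker stop test-container
          docker rm test-container
      - name: Build Umbrel Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: packages/umbrel/igloo/Dockerfile
          load: true
          tags: igloo-server-umbrel:test
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Test Umbrel Docker image
        run: |
          # ADMIN_SECRET here is a throwaway value for this smoke test only; the
          # container is discarded at the end of the step.
          docker run -d --name test-umbrel -p 8003:8002 \
            -e ADMIN_SECRET=ci-admin-secret \
            -e ALLOWED_ORIGINS=http://localhost:8003 \
            -e TRUST_PROXY=true \
            igloo-server-umbrel:test
          sleep 10
          curl -f http://localhost:8003/api/status || { docker logs test-umbrel; exit 1; }
          docker stop test-umbrel
          docker rm test-umbrel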