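# CI workflow: type-check, unit-test, build and smoke-test the server, run the
# dependency audit and secret scan, then build and smoke-test both Docker images.
name: CI

on:
  push:
    branches: [master, dev]
  pull_request:
    branches: [master, dev]

# Least-privilege GITHUB_TOKEN: no job below pushes, publishes, or comments, so
# a read-only token is sufficient. The `type=gha` build cache is served by the
# Actions runtime token rather than GITHUB_TOKEN, so it is not affected
# (confirm if cache writes start failing after this change).
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): only the trufflehog step in the `security` job is pinned
      # to a commit SHA; every other action here is pinned to a mutable major
      # tag. Pinning them all to full SHAs would match the stated supply-chain
      # intent.
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          # Quoted so YAML tooling never retypes the version string.
          bun-version: "1.3.3"
      - name: Install dependencies
        # --frozen-lockfile fails the job instead of silently rewriting the
        # lockfile when package.json and the lockfile disagree.
        run: bun install --frozen-lockfile
      - name: Type check
        run: bun run tsc --noEmit
      - name: Run unit tests
        run: bun run test:unit
      - name: Build frontend
        run: bun run build
      - name: Validate OpenAPI spec
        run: bun run docs:validate
      - name: Test build artifacts
        run: |
          ls -la static/
          test -f static/app.js
          test -f static/styles.css
      - name: Test server startup
        run: |
          # Run the server in the background under a hard 10s cap so a hung
          # process cannot wedge the job; allow 5s for it to bind, then probe.
          timeout 10s bun run start &
          sleep 5
          curl -f http://localhost:8002/api/status || exit 1
          curl -f http://localhost:8002/api/docs/openapi.json || exit 1

  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.3"
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Check code formatting
        # NOTE(review): this step always succeeds, so the `lint` dependency of
        # the `docker` job is currently a vacuous gate. Replace the echo with a
        # real formatter check when one is adopted.
        run: |
          # Add prettier or other formatting checks here if needed
          echo "Code formatting check passed"

  security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.3"
      - name: Install dependencies
        run: bun install --frozen-lockfile
      - name: Run security audit
        # Retries `bun audit` up to three times to ride out transient registry
        # errors. Any final failure exits 1 (fail closed); the message only
        # distinguishes a network/registry error from reported findings.
        run: |
          audit_log="$(mktemp)"
          last_exit=0
          for attempt in 1 2 3; do
            if bun audit >"$audit_log" 2>&1; then
              cat "$audit_log"
              rm -f "$audit_log"
              exit 0
            else
              # In the else branch $? is still the exit status of `bun audit`.
              audit_exit=$?
              last_exit=$audit_exit
              last_attempt=$attempt
              if [ "$attempt" -lt 3 ]; then
                echo "bun audit failed (attempt $attempt), retrying..."
                sleep 5
              fi
            fi
          done
          audit_output="$(cat "$audit_log")"
          echo "bun audit failed after ${last_attempt:-3} attempts with exit code ${last_exit}"
          if grep -Eiq 'network|registry|ENOTFOUND|ECONNREFUSED|EAI_AGAIN|ETIMEDOUT' <<< "$audit_output"; then
            echo "bun audit failed after retries due to network/registry error: $audit_output"
          else
            echo "bun audit failed after retries - vulnerabilities detected: $audit_output"
          fi
          rm -f "$audit_log"
          exit 1
      - name: Check for secrets
        # Pinned to immutable commit (v3.93.4) for supply-chain safety.
        # Maintenance: periodically verify this SHA still corresponds to the intended upstream release.
        # NOTE(review): the action scans the base..head range of the triggering
        # event; with checkout's default shallow clone the base commit may not
        # be present locally. Confirm against the action's docs whether the
        # checkout step needs `fetch-depth: 0` for push and pull_request runs.
        uses: trufflesecurity/trufflehog@7c0734f987ad0bb30ee8da210773b800ee2016d3
        with:
          path: ./
          # --only-verified reports only credentials that validated against
          # their provider; --debug makes the step log considerably noisier.
          extra_args: --debug --only-verified

  docker:
    runs-on: ubuntu-latest
    # NOTE: `security` is deliberately not listed here, so the image builds
    # even when the audit or secret scan fails; add it if the images should be
    # gated on those checks.
    needs: [test, lint]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          # load: true keeps the image in the local daemon; nothing is pushed.
          load: true
          tags: igloo-server:test
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Test Docker image
        run: |
          docker run -d --name test-container -p 8002:8002 \
            -e AUTO_ADMIN_SECRET=true \
            igloo-server:test
          sleep 10
          # On a failed probe, surface the container log so a startup crash is
          # diagnosable, clean up, and fail the step.
          if ! curl -f http://localhost:8002/api/status; then
            docker logs test-container
            docker rm -f test-container
            exit 1
          fi
          docker stop test-container
          docker rm test-container
      - name: Build Umbrel Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: packages/umbrel/igloo/Dockerfile
          load: true
          tags: igloo-server-umbrel:test
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Test Umbrel Docker image
        run: |
          # ADMIN_SECRET here is a throwaway value for this short-lived CI
          # container only; it must not be reused anywhere else.
          docker run -d --name test-umbrel -p 8003:8002 \
            -e ADMIN_SECRET=ci-admin-secret \
            -e ALLOWED_ORIGINS=http://localhost:8003 \
            -e TRUST_PROXY=true \
            igloo-server-umbrel:test
          sleep 10
          # Same failure handling as the main image test: log, remove, fail.
          if ! curl -f http://localhost:8003/api/status; then
            docker logs test-umbrel
            docker rm -f test-umbrel
            exit 1
          fi
          docker stop test-umbrel
          docker rm test-umbrel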