streamvault/.github/workflows/eslint.yml at 5501d3937713aa82b568be4ff8c44a0d3cf619d1 · code-craka/streamvault · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# ESLint Security Scanning Workflow
# This workflow uses ESLint to identify and report on patterns
# found in ECMAScript/JavaScript/TypeScript code.
# More details at https://github.com/eslint/eslint

name: ESLint Security Scan

on:
  push:
    branches: ['main', 'develop']
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ['main', 'develop']
  schedule:
    # Run weekly on Tuesdays at 2:30 AM UTC
    - cron: '30 2 * * 2'

jobs:
  eslint:
    name: Run ESLint Security Scanning
    runs-on: ubuntu-latest

    permissions:
      contents: read
      security-events: write
      actions: read # Required for private repositories by github/codeql-action/upload-sarif

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: '10.15.0'

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Install ESLint SARIF formatter
        run: pnpm add --save-dev @microsoft/eslint-formatter-sarif

      - name: Run ESLint with SARIF output
        env:
          SARIF_ESLINT_IGNORE_SUPPRESSED: 'true'
        run: |
          pnpm exec eslint . \
            --format @microsoft/eslint-formatter-sarif \
            --output-file eslint-results.sarif
        continue-on-error: true

      - name: Upload ESLint results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: eslint-results.sarif
          wait-for-processing: true

      - name: Upload ESLint results as artifact
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: eslint-results
          path: eslint-results.sarif
          retention-days: 30

  lint-check:
    name: Code Quality Check
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: '10.15.0'

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Run ESLint check
        run: pnpm run lint:check

      - name: Run TypeScript check
        run: pnpm run type-check

      - name: Run Prettier check
        run: pnpm run format:check

      - name: Comment PR with results
        if: github.event_name == 'pull_request' && failure()
        uses: actions/github-script@v7
        with:
          script: |
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: '❌ **Code Quality Check Failed**\n\nPlease run the following commands to fix issues:\n\n```bash\npnpm run lint\npnpm run format\npnpm run type-check\n```'
            })