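# CI pipeline: lint-and-check runs first; test, build, docker-build and audit
# each depend on it and run only after it succeeds.
#
# NOTE(review): third-party actions below are referenced by mutable
# major-version tags (@v4). Pinning each one to a full commit SHA is the
# stricter supply-chain option; confirm the project's policy.
name: Lint & Test

on:
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]

# Least privilege: no step visible in this workflow writes to the repository
# or calls the GitHub API, so GITHUB_TOKEN is limited to read-only contents
# instead of inheriting the repository default.
permissions:
  contents: read

env:
  NODE_VERSION: '22'

jobs:
  lint-and-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so keep the token out of
          # .git/config where npm scripts and dependencies could read it.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - run: npm ci
      - run: npx prisma generate
      - run: npm run lint
      - run: npm run format:check
      - run: npm run check

  test:
    runs-on: ubuntu-latest
    needs: lint-and-check
    env:
      # Deterministic test secrets so the env validator at module import
      # doesn't trip. These are fixed placeholders committed in the workflow,
      # not real credentials; never reuse them outside CI.
      JWT_SECRET: 'test-secret-must-be-at-least-32-characters-long-for-validation'
      INTEGRATION_ENCRYPTION_KEY: 'integration-test-key-must-be-at-least-32-characters'
      ORIGIN: 'http://localhost:3000'
      DATABASE_URL: 'file:./test.db'
      NODE_ENV: 'test'
      RUN_SCHEDULERS: 'false'
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - run: npm ci
      - run: npx prisma generate
      - run: npx prisma migrate deploy
      - run: npm test

  build:
    runs-on: ubuntu-latest
    needs: lint-and-check
    env:
      # Placeholder values committed in the workflow, not real credentials.
      # Presumably needed so the same env validation passes during the
      # build - TODO confirm.
      JWT_SECRET: 'build-secret-must-be-at-least-32-characters-long-for-validation'
      INTEGRATION_ENCRYPTION_KEY: 'integration-build-key-must-be-at-least-32-characters'
      DATABASE_URL: 'file:./build.db'
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - run: npm ci
      - run: npx prisma generate
      - run: npm run build

  docker-build:
    runs-on: ubuntu-latest
    needs: lint-and-check
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # Builds the image only; nothing here pushes it to a registry.
      - name: Smoke-test Dockerfile build
        run: docker build -t web-app-launcher:ci-smoke --build-arg VERSION=ci .

  audit:
    runs-on: ubuntu-latest
    needs: lint-and-check
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - run: npm ci
      # Production-only audit. devDeps regularly carry low-severity advisories
      # we accept; only block on production-shipped CVEs.
      # --audit-level=high means moderate and low advisories in production
      # dependencies do not fail this job.
      - run: npm audit --omit=dev --audit-level=high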