# Node CI
#
# Reusable workflow that wires together the full Node.js CI pipeline:
#
# security — gitleaks + npm-audit + guarddog (gates everything below)
# lint — npm lint + hadolint ┐
# build — npm ci + npm run build ├─ parallel after security
# test — unit tests + optional Playwright ┘
# functional-e2e — optional Playwright e2e (opt-in, off by default)
# visual-test — optional visual regression (opt-in, off by default)
# vulnerability-scan — Syft + Grype (after all above pass or are skipped)
#
# The consuming repo controls WHEN this runs. This workflow controls HOW.
#
# Usage in a consuming repository:
#
# on: [push, pull_request, workflow_dispatch]
#
# jobs:
# ci:
# uses: orangitfi/platform-tooling/.github/workflows/node-ci.yml@<sha>
# with:
# image-name: my-app
#
# See node-ci.md for full documentation and all parameter options.
#
# ─── SHA pinning ─────────────────────────────────────────────────────────────
# The `uses:` lines below reference platform-tooling workflows by full commit
# SHA — never a branch or tag, which are mutable and can be repointed — so the
# toolchain this pipeline runs is immutable until deliberately bumped. After
# committing this file, run the SHA bump process documented in the root README
# so that a4ca46b0de8eda2f61573cfbd4164e538a7775a1 is replaced by the SHA of the
# commit that introduced this file; each pinned line carries a trailing
# `# pt-sha` marker.
# ─────────────────────────────────────────────────────────────────────────────
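name: CI

# Reached only through `workflow_call`; the consuming repository chooses the
# triggering events. Every input below comes from the caller's workflow file
# (so it is trusted to the extent that repository's committers are) and is
# forwarded verbatim to the child workflows, which presumably splice the
# *-command values into `npm run …` shell steps — not visible from here.
# Treat these inputs as code, not data: never populate them from PR titles,
# issue bodies or other runtime-controlled text.
on:
  workflow_call:
    inputs:
      working-directory:
        description: "Directory containing package.json"
        required: false
        default: "."
        type: string
      audit-level:
        description: "Minimum npm audit severity to fail on: low, moderate, high, critical"
        required: false
        default: "high"
        type: string
      dockerfile-path:
        description: "Path to the Dockerfile relative to the repo root (used by lint and vulnerability scan)"
        required: false
        default: "Dockerfile"
        type: string
      lint-command:
        description: "npm script name for linting"
        required: false
        default: "lint"
        type: string
      build-command:
        description: "npm script name for the build"
        required: false
        default: "build"
        type: string
      test-command:
        description: "npm script name for unit tests"
        required: false
        default: "test:unit"
        type: string
      run-playwright:
        description: "Run Playwright tests in the test job"
        required: false
        default: true
        type: boolean
      playwright-command:
        description: "npm script for Playwright in the test job"
        required: false
        default: "test:e2e"
        type: string
      run-functional-e2e:
        description: "Enable the functional-e2e job (requires a live backend; off by default)"
        required: false
        default: false
        type: boolean
      functional-e2e-command:
        description: "npm script for functional e2e tests"
        required: false
        default: "test:e2e:functional"
        type: string
      run-visual-test:
        description: "Enable the visual-test job (requires committed baselines; off by default)"
        required: false
        default: false
        type: boolean
      visual-test-command:
        description: "npm script for visual regression tests"
        required: false
        default: "test:e2e:visual"
        type: string
      fail-on-severity:
        description: "Minimum Grype severity for the vulnerability scan: critical, high, medium, low, negligible"
        required: false
        default: "high"
        type: string
      run-docker-scan:
        description: "Build and scan the Docker image in the vulnerability scan (set false for repos without a Dockerfile)"
        required: false
        default: true
        type: boolean
      image-name:
        description: "Docker image name for the vulnerability scan. Defaults to the repository name."
        required: false
        default: ""
        type: string
      node-version:
        description: "Node.js version to use (e.g. 20, 22)"
        required: false
        default: "20"
        type: string

# Least-privilege default inherited by every job below. A called workflow can
# only narrow the caller's GITHUB_TOKEN, never widen it; if a child workflow
# needs more than read access (e.g. `security-events: write` for a SARIF
# upload — whether any of them does is not visible from here) it has to be
# granted on that job explicitly, and the caller must hold it too.
permissions:
  contents: read

# No job sets `secrets:` or `secrets: inherit`, so the child workflows receive
# none of the caller's secrets.
jobs:
  # ───────────────────────────────────────────────────────────────────────────
  # 1. Security audit — runs first, gates everything else
  # ───────────────────────────────────────────────────────────────────────────
  security:
    name: Security Scan
    uses: orangitfi/platform-tooling/.github/workflows/node-security-scan.yml@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
    with:
      working-directory: ${{ inputs.working-directory }}
      audit-level: ${{ inputs.audit-level }}

  # ───────────────────────────────────────────────────────────────────────────
  # 2. Lint + Build + Test — parallel after security passes
  # ───────────────────────────────────────────────────────────────────────────
  lint:
    name: Lint
    needs: security
    uses: orangitfi/platform-tooling/.github/workflows/node-lint.yml@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
    with:
      working-directory: ${{ inputs.working-directory }}
      lint-command: ${{ inputs.lint-command }}
      dockerfile-path: ${{ inputs.dockerfile-path }}
      node-version: ${{ inputs.node-version }}

  build:
    name: Build
    needs: security
    uses: orangitfi/platform-tooling/.github/workflows/node-build.yml@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
    with:
      working-directory: ${{ inputs.working-directory }}
      build-command: ${{ inputs.build-command }}
      node-version: ${{ inputs.node-version }}

  test:
    name: Test
    needs: security
    uses: orangitfi/platform-tooling/.github/workflows/node-test.yml@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
    with:
      working-directory: ${{ inputs.working-directory }}
      run-unit-tests: true
      test-command: ${{ inputs.test-command }}
      run-playwright: ${{ inputs.run-playwright }}
      playwright-command: ${{ inputs.playwright-command }}
      node-version: ${{ inputs.node-version }}

  # ───────────────────────────────────────────────────────────────────────────
  # 3. Optional jobs — skipped when disabled (their result is then `skipped`,
  #    which vulnerability-scan below explicitly tolerates)
  # ───────────────────────────────────────────────────────────────────────────
  functional-e2e:
    name: Functional E2E
    if: ${{ inputs.run-functional-e2e }}
    needs: security
    uses: orangitfi/platform-tooling/.github/workflows/node-test.yml@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
    with:
      working-directory: ${{ inputs.working-directory }}
      run-unit-tests: false
      run-playwright: true
      playwright-command: ${{ inputs.functional-e2e-command }}
      node-version: ${{ inputs.node-version }}

  visual-test:
    name: Visual Regression Test
    if: ${{ inputs.run-visual-test }}
    needs: security
    uses: orangitfi/platform-tooling/.github/workflows/node-test.yml@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
    with:
      working-directory: ${{ inputs.working-directory }}
      run-unit-tests: false
      run-playwright: true
      playwright-command: ${{ inputs.visual-test-command }}
      node-version: ${{ inputs.node-version }}

  # ───────────────────────────────────────────────────────────────────────────
  # 4. Vulnerability scan — runs after the required gates pass and the
  #    optional ones either pass or were skipped
  # ───────────────────────────────────────────────────────────────────────────
  vulnerability-scan:
    name: Vulnerability Scan
    needs: [lint, build, test, functional-e2e, visual-test]
    # With the default condition (`success()`) a job is skipped as soon as ANY
    # job it `needs` was skipped. functional-e2e and visual-test are off by
    # default, so without this explicit condition the Syft + Grype scan would
    # silently never run. Require the mandatory gates to have succeeded, let
    # the optional ones be either succeeded or skipped, and still stop on
    # cancellation (`!cancelled()` alone would also run after a failure).
    if: >-
      ${{ !cancelled()
          && needs.lint.result == 'success'
          && needs.build.result == 'success'
          && needs.test.result == 'success'
          && (needs.functional-e2e.result == 'success' || needs.functional-e2e.result == 'skipped')
          && (needs.visual-test.result == 'success' || needs.visual-test.result == 'skipped') }}
    uses: orangitfi/platform-tooling/.github/workflows/node-vulnerability-scan.yml@a4ca46b0de8eda2f61573cfbd4164e538a7775a1 # pt-sha
    with:
      working-directory: ${{ inputs.working-directory }}
      fail-on-severity: ${{ inputs.fail-on-severity }}
      run-docker-scan: ${{ inputs.run-docker-scan }}
      dockerfile-path: ${{ inputs.dockerfile-path }}
      image-name: ${{ inputs.image-name }}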