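---
# CI quality gate: build/lint/test must pass on every push and PR to the
# protected branches; the security checks run afterwards and are informative
# only (they never block a merge — see `continue-on-error` below).
name: Quality Gate

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  workflow_dispatch:

# Least privilege for the automatic GITHUB_TOKEN: nothing in this workflow
# writes to the repository, so read-only is sufficient. A job that genuinely
# needs more should request it under its own `permissions:` rather than by
# widening this default.
permissions:
  contents: read

jobs:
  # ========================================
  # BUILD, LINT & TEST (CRITICAL)
  # ========================================
  quality-gate:
    name: Build, Lint & Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # The SDK is checked out at its default branch because no `ref:` is
      # given, so the docs build is not reproducible and a push to that repo
      # changes this build silently. Pin `ref:` to a tag or commit SHA.
      # NOTE(review): relies on the default GITHUB_TOKEN being able to read
      # this repository — confirm this holds if the SDK repo is private.
      - name: Checkout Pezkuwi-SDK (for docs generation)
        uses: actions/checkout@v4
        with:
          repository: pezkuwichain/pezkuwi-sdk
          path: Pezkuwi-SDK
          # ref: <pin to a release tag or commit SHA>

      # setup-node's built-in cache keys on the lockfile and caches the npm
      # download cache (~/.npm), which is what `npm ci` actually reuses;
      # caching node_modules directly is pointless because `npm ci` deletes
      # that directory before installing.
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: npm
          cache-dependency-path: web/package-lock.json

      # `npm ci` installs exactly what the committed package-lock.json says
      # and fails if package.json and the lockfile disagree. `npm install`
      # would resolve fresh versions and could rewrite the lockfile in CI,
      # so the artifact built here would not match what was reviewed.
      - name: Install dependencies
        working-directory: ./web
        run: npm ci

      - name: Run Linter
        working-directory: ./web
        run: npm run lint

      - name: Run Tests
        working-directory: ./web
        run: npm run test

      - name: Build Project
        working-directory: ./web
        run: npm run build

  # ========================================
  # SECURITY CHECKS (INFORMATIVE)
  # ========================================
  # Runs only after the gate above succeeds, so a build that is already
  # failing is never audited. Both checks are `continue-on-error`, which
  # means a high-severity advisory or a verified leaked secret shows up as a
  # warning in the run but does NOT fail the PR. Drop `continue-on-error`
  # (at least for the secret scan) once the baseline is clean.
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    needs: quality-gate
    steps:
      # Full history is needed for the secret scan: with the default shallow
      # checkout (depth 1) TruffleHog has no commits to walk beyond HEAD and
      # cannot compare against the base branch.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: npm
          cache-dependency-path: web/package-lock.json

      # Same reasoning as in quality-gate: `npm ci` keeps the committed
      # lockfile intact, so `npm audit` below reports on the dependency
      # tree that is actually shipped, not on a freshly re-resolved one.
      - name: Install dependencies
        working-directory: ./web
        run: npm ci

      # Exit code is non-zero when a high/critical advisory is found;
      # `continue-on-error` turns that into a warning only.
      - name: Run npm audit
        working-directory: ./web
        continue-on-error: true
        run: npm audit --audit-level=high

      # `@main` is a mutable branch ref: every run pulls whatever the action
      # repo currently has, which is a supply-chain exposure for a step that
      # reads the entire source tree and git history. Pin to a release tag,
      # or better a full commit SHA, and let a bot bump it.
      # `--only-verified` reports only credentials TruffleHog could confirm
      # are live, which keeps the output actionable.
      - name: TruffleHog Secret Scan
        continue-on-error: true
        uses: trufflesecurity/trufflehog@main  # TODO: pin to a tag or SHA
        with:
          path: ./
          extra_args: --only-verified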