mirror of
https://github.com/pezkuwichain/pwap.git
synced 2026-04-22 21:47:56 +00:00
pezkuwichain
aa3a49f0f6
- Override fast-xml-parser to ^5.3.6 (fixes CVE-2026-25896, CVE-2026-26278, CVE-2026-25128) - Add security-audit to deploy job dependencies in quality-gate workflow
205 lines
5.5 KiB
YAML
205 lines
5.5 KiB
YAML
name: Quality Gate & Deploy
|
|
|
|
on:
|
|
push:
|
|
branches: [ main, develop ]
|
|
pull_request:
|
|
branches: [ main, develop ]
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
VITE_SUPABASE_URL: ${{ secrets.VITE_SUPABASE_URL }}
|
|
VITE_SUPABASE_ANON_KEY: ${{ secrets.VITE_SUPABASE_ANON_KEY }}
|
|
|
|
jobs:
|
|
# ========================================
|
|
# WEB APP - LINT, TEST & BUILD
|
|
# ========================================
|
|
web:
|
|
name: Web App
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Checkout Pezkuwi-SDK (for docs generation)
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: pezkuwichain/pezkuwi-sdk
|
|
path: Pezkuwi-SDK
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '20'
|
|
|
|
- name: Cache npm dependencies
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: web/node_modules
|
|
key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-web-
|
|
|
|
- name: Install dependencies
|
|
working-directory: ./web
|
|
run: npm install
|
|
|
|
- name: Run Linter
|
|
working-directory: ./web
|
|
run: npm run lint
|
|
|
|
- name: Run Tests
|
|
working-directory: ./web
|
|
run: npm run test
|
|
|
|
- name: Build Project
|
|
working-directory: ./web
|
|
run: npm run build
|
|
env:
|
|
VITE_NETWORK: MAINNET
|
|
VITE_WS_ENDPOINT: wss://rpc.pezkuwichain.io
|
|
VITE_WS_ENDPOINT_FALLBACK_1: wss://mainnet.pezkuwichain.io
|
|
VITE_ASSET_HUB_ENDPOINT: wss://asset-hub-rpc.pezkuwichain.io
|
|
VITE_PEOPLE_CHAIN_ENDPOINT: wss://people-rpc.pezkuwichain.io
|
|
VITE_WALLETCONNECT_PROJECT_ID: 8292a793b7640e8364c378e331e76d04
|
|
|
|
- name: Upload build artifact
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: web-dist
|
|
path: web/dist/
|
|
|
|
# ========================================
|
|
# MOBILE APP - LINT & TEST
|
|
# ========================================
|
|
mobile:
|
|
name: Mobile App
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '20'
|
|
|
|
- name: Cache npm dependencies
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: mobile/node_modules
|
|
key: ${{ runner.os }}-mobile-${{ hashFiles('mobile/package-lock.json') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-mobile-
|
|
|
|
- name: Install dependencies
|
|
working-directory: ./mobile
|
|
run: npm install --legacy-peer-deps
|
|
|
|
- name: Run Linter
|
|
working-directory: ./mobile
|
|
run: npm run lint
|
|
|
|
- name: Run Tests
|
|
working-directory: ./mobile
|
|
run: npm run test
|
|
|
|
# ========================================
|
|
# DEPLOY WEB APP TO VPS
|
|
# ========================================
|
|
deploy:
|
|
name: Deploy Web
|
|
runs-on: ubuntu-latest
|
|
needs: [web, mobile, security-audit]
|
|
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '20'
|
|
|
|
- name: Configure Git
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "github-actions[bot]@users.noreply.github.com"
|
|
|
|
- name: Bump version
|
|
working-directory: ./web
|
|
run: |
|
|
npm version patch --no-git-tag-version
|
|
VERSION=$(node -p "require('./package.json').version")
|
|
echo "NEW_VERSION=$VERSION" >> $GITHUB_ENV
|
|
cd ..
|
|
git add web/package.json
|
|
git commit -m "chore(web): bump version to $VERSION [skip ci]" || echo "No version change"
|
|
git push || echo "Nothing to push"
|
|
|
|
- name: Download build artifact
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: web-dist
|
|
path: dist/
|
|
|
|
- name: Deploy to VPS
|
|
uses: appleboy/scp-action@v1.0.0
|
|
with:
|
|
host: ${{ secrets.VPS_HOST }}
|
|
username: ${{ secrets.VPS_USER }}
|
|
key: ${{ secrets.VPS_SSH_KEY }}
|
|
source: 'dist/*'
|
|
target: '/var/www/subdomains/app'
|
|
strip_components: 1
|
|
|
|
- name: Post-deploy notification
|
|
run: |
|
|
echo "✅ Deployed web app v${{ env.NEW_VERSION }} to app.pezkuwichain.io"
|
|
|
|
# ========================================
|
|
# SECURITY CHECKS (BLOCKING)
|
|
# ========================================
|
|
security-audit:
|
|
name: Security Audit
|
|
runs-on: ubuntu-latest
|
|
needs: [web, mobile]
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '20'
|
|
|
|
- name: Web - npm audit (critical only)
|
|
working-directory: ./web
|
|
run: |
|
|
npm install
|
|
npm audit --audit-level=critical
|
|
|
|
- name: Mobile - npm audit (critical only)
|
|
working-directory: ./mobile
|
|
run: |
|
|
npm install --legacy-peer-deps
|
|
npm audit --audit-level=critical --production
|
|
|
|
- name: TruffleHog Secret Scan
|
|
uses: trufflesecurity/trufflehog@main
|
|
with:
|
|
path: ./
|
|
extra_args: --only-verified
|