-
Notifications
You must be signed in to change notification settings - Fork 0
Wire free production readiness stack #358
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
njrini99-code
wants to merge
18
commits into
test-hardening/golf-stats-coachhelm-contracts
from
test-hardening/free-production-readiness-stack
Closed
Changes from all commits
Commits
Show all changes
18 commits
Select commit
Hold shift + click to select a range
ccb1e66
Wire free production readiness stack
njrini99-code cea85e3
fix(readiness): close route secret and dependency findings
njrini99-code 399d664
fix(ops): close 24h GitHub issues for CI, secrets, and tooling
njrini99-code 5a6cc85
fix(readiness): close 24h ops issues (#351–#365)
njrini99-code b9cda23
feat(routes): wire Next.js route bug catcher static checks
njrini99-code f2deea6
feat(routes): add route bug catcher playbook and hygiene hardening
njrini99-code 19edb0e
fix(semgrep): document push token action revalidate exceptions
njrini99-code a3b487d
fix(ci): restore routes:check and clear semgrep on device-token path
njrini99-code 69e4594
fix(golf): suppress semgrep on guarded round-submit fallback
njrini99-code 8d271d4
fix(e2e): stabilize route crawler auth redirect waits
njrini99-code 66c14b3
fix(ci): clear Review Gate semgrep on baseball games actions
njrini99-code fdb57f5
feat(ops): complete bug-discovery stack install
njrini99-code 4479cc4
fix(ci): satisfy actionlint on Meticulous advisory workflow
njrini99-code 26958c1
fix(ci): Meticulous advisory placeholder without unresolved action
njrini99-code e9b5b94
feat(ops): add visual baselines and verify:bugs entry points
njrini99-code 2cbcf99
fix(ci): ZAP workflow env indirection for semgrep gate
njrini99-code ed2e716
fix(ci): supply Supabase env for visual regression job
njrini99-code cad174e
fix(ci): supply Supabase env for route crawler job
njrini99-code File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,253 @@ | ||
| name: Free Production Readiness | ||
|
|
||
| on: | ||
| pull_request: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| business-contracts: | ||
| name: Business contracts | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Node | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 20 | ||
| cache: npm | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run low-gray business contracts | ||
| run: npm run verify:business | ||
|
|
||
| - name: Run advisory source-shape contracts | ||
| run: npm run test:business:advisory | ||
| continue-on-error: true | ||
|
|
||
| route-hygiene: | ||
| name: Route Hygiene P0/P1 | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Node | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 20 | ||
| cache: npm | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Check route hygiene | ||
| run: npm run routes:check | ||
|
|
||
| - name: Upload route hygiene reports | ||
| if: always() | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: route-hygiene-reports | ||
| path: | | ||
| docs/operations/generated/route-inventory.json | ||
| docs/operations/generated/route-inventory.md | ||
| docs/operations/generated/route-hygiene-report.md | ||
| docs/operations/generated/route-link-report.json | ||
| docs/operations/generated/route-coverage-report.json | ||
| docs/operations/revealed-bugs/routes/** | ||
| if-no-files-found: ignore | ||
| retention-days: 14 | ||
|
|
||
| route-crawler: | ||
| name: Route Crawler | ||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| env: | ||
| NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }} | ||
| NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }} | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Node | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 20 | ||
| cache: npm | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Build route inventory | ||
| run: npm run routes:inventory | ||
|
|
||
| - name: Install Playwright browsers | ||
| run: npx playwright install --with-deps chromium | ||
|
|
||
| - name: Crawl routes | ||
| run: npm run routes:crawl | ||
|
|
||
| - name: Upload route crawler artifacts | ||
| if: always() | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: route-crawler-artifacts | ||
| path: | | ||
| playwright-report/** | ||
| test-results/** | ||
| docs/operations/generated/route-crawler-report.md | ||
| if-no-files-found: ignore | ||
| retention-days: 14 | ||
|
|
||
| prod-db-audit: | ||
| name: Production DB audit | ||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Node | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 20 | ||
| cache: npm | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run read-only production DB audit | ||
| env: | ||
| PROD_AUDIT_DATABASE_URL: ${{ secrets.PROD_AUDIT_DATABASE_URL }} | ||
| run: npm run prod:audit:db | ||
|
|
||
| - name: Upload production DB audit reports | ||
| if: always() | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: prod-db-audit-reports | ||
| path: | | ||
| docs/operations/generated/prod-db-audit-findings.json | ||
| docs/operations/generated/prod-db-audit-report.md | ||
| if-no-files-found: ignore | ||
| retention-days: 14 | ||
|
|
||
| visual-regression: | ||
| name: Visual regression | ||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| env: | ||
| NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }} | ||
| NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }} | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Node | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 20 | ||
| cache: npm | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Install Playwright browsers | ||
| run: npx playwright install --with-deps chromium | ||
|
|
||
| - name: Run visual regression | ||
| run: npm run e2e:visual | ||
|
|
||
| - name: Upload visual diff artifacts | ||
| if: always() | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: visual-regression-artifacts | ||
| path: | | ||
| playwright-report/** | ||
| test-results/** | ||
| if-no-files-found: ignore | ||
| retention-days: 14 | ||
|
|
||
| schemathesis-advisory: | ||
| name: Schemathesis (advisory) | ||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Node | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 20 | ||
| cache: npm | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run Schemathesis advisory | ||
| run: npm run schemathesis:advisory | ||
|
|
||
| - name: Upload Schemathesis report | ||
| if: always() | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: schemathesis-report | ||
| path: docs/operations/generated/schemathesis-report.json | ||
| if-no-files-found: ignore | ||
| retention-days: 14 | ||
|
|
||
| static-radar: | ||
| name: Static radar advisory | ||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Setup Node | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 20 | ||
| cache: npm | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Install Semgrep CE | ||
| run: python -m pip install semgrep | ||
|
|
||
| - name: Run Semgrep Helm rules | ||
| run: npm run analyze:semgrep | ||
| continue-on-error: true | ||
|
|
||
| - name: Run dependency-cruiser | ||
| run: npm run analyze:deps | ||
| continue-on-error: true | ||
|
|
||
| - name: Run duplicate-code radar | ||
| run: npm run analyze:duplicates | ||
| continue-on-error: true | ||
|
|
||
| - name: Run Helm auditor | ||
| if: always() | ||
| run: npm run auditor:all | ||
|
|
||
| - name: Upload static radar reports | ||
| if: always() | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: static-radar-reports | ||
| path: | | ||
| docs/operations/generated/ | ||
| docs/operations/revealed-bugs/production-readiness/ | ||
| if-no-files-found: ignore | ||
| retention-days: 14 | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| name: Meticulous AI (Advisory) | ||
|
|
||
| # Meticulous requires a GitHub App install + project token. | ||
| # See docs/operations/integrations/METICULOUS.md for setup. | ||
| # This workflow skips until METICULOUS_API_TOKEN is configured. | ||
|
|
||
| on: | ||
| pull_request: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| meticulous: | ||
| name: Meticulous visual diff | ||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| steps: | ||
| - name: Meticulous status | ||
| env: | ||
| METICULOUS_API_TOKEN: ${{ secrets.METICULOUS_API_TOKEN }} | ||
| run: | | ||
| if [ -n "$METICULOUS_API_TOKEN" ]; then | ||
| echo "## Meticulous AI — token present" | ||
| echo "" | ||
| echo "Add the Meticulous GitHub Action step from \`docs/operations/integrations/METICULOUS.md\`" | ||
| echo "(upload-container or cloud-compute) once the project is linked." | ||
| exit 0 | ||
| fi | ||
| echo "## Meticulous AI — skipped" | ||
| echo "" | ||
| echo "No \`METICULOUS_API_TOKEN\` repository secret. See \`docs/operations/integrations/METICULOUS.md\`." | ||
| echo "This job is advisory and does not block merge." |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| name: ZAP Baseline Scan (Advisory) | ||
|
|
||
| on: | ||
| pull_request: | ||
| workflow_dispatch: | ||
| inputs: | ||
| target_url: | ||
| description: 'URL to scan (defaults to ZAP_TARGET_URL secret or production landing)' | ||
| required: false | ||
| type: string | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| zap-baseline: | ||
| name: OWASP ZAP baseline | ||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| steps: | ||
| - name: Resolve scan target | ||
| id: target | ||
| env: | ||
| INPUT_URL: ${{ github.event.inputs.target_url }} | ||
| SECRET_URL: ${{ secrets.ZAP_TARGET_URL }} | ||
| DEFAULT_URL: https://helmsportslabs.com | ||
| run: | | ||
| if [ -n "$INPUT_URL" ]; then | ||
| echo "url=$INPUT_URL" >> "$GITHUB_OUTPUT" | ||
| elif [ -n "$SECRET_URL" ]; then | ||
| echo "url=$SECRET_URL" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "url=$DEFAULT_URL" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
| - name: ZAP baseline scan | ||
| uses: zaproxy/action-baseline@v0.14.0 | ||
| with: | ||
| target: ${{ steps.target.outputs.url }} | ||
| allow_issue_writing: false | ||
| fail_action: false | ||
| cmd_options: '-a' | ||
|
|
||
| - name: Upload ZAP report | ||
| if: always() | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: zap-baseline-report | ||
| path: report_html.html | ||
| if-no-files-found: ignore | ||
| retention-days: 14 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this workflow,
static-radaris intended to collect Semgrep, dependency-cruiser, and jscpd advisory reports, but puttingcontinue-on-erroronly on the job does not make later steps run after an earlier step fails; the default step condition remains success-only. In a fresh CI run, any nonzero exit from Semgrep prevents the dependency and duplicate-code reports from being generated or uploaded, so each radar step needs its owncontinue-on-erroror the later report steps needif: always().Useful? React with 👍 / 👎.