lancedb-opencode-pro/.github/workflows/ci.yml at main · tryweb/lancedb-opencode-pro · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
name: CI

permissions:
  contents: read

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

on:
  pull_request:
  push:
    branches:
      - main
    tags:
      - "*"
  schedule:
    - cron: "0 2 * * 1"

jobs:
  sca-grype:
    if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Install dependencies
        run: npm install

      - name: Run Grype vulnerability scanner
        uses: anchore/scan-action@v7
        with:
          path: '.'
          output-format: 'sarif'
          output-file: 'grype-results.sarif'
          severity-cutoff: 'high'
          fail-build: true

      - name: Upload Grype results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'grype-results.sarif'
          category: 'sca-grype'

  sast-semgrep:
    if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    container:
      image: returntocorp/semgrep:1.76.0
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Run Semgrep SAST scan
        run: semgrep scan --sarif --config p/security-audit --config p/owasp-top-ten --config p/cwe-top-25 --output semgrep.sarif

      - name: Upload Semgrep results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'semgrep.sarif'
          category: 'sast-semgrep'

  verify-matrix:
    if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
    strategy:
      fail-fast: false
      matrix:
        node-version: ['20', '22', '24']
    runs-on: ubuntu-latest
    env:
      COMPOSE_FILE: docker-compose.ci.yml
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Build Docker image with Node ${{ matrix.node-version }}
        run: |
          docker compose build --no-cache --build-arg NODE_VERSION=${{ matrix.node-version }}
          docker compose up -d

      - name: Run verify on Node ${{ matrix.node-version }}
        run: docker compose exec -T app npm run verify

      - name: Tear down
        if: always()
        run: docker compose down -v --remove-orphans

  benchmark-latency:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    env:
      COMPOSE_FILE: docker-compose.ci.yml
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Build and start containers
        run: docker compose build --no-cache && docker compose up -d

      - name: Run latency benchmark
        run: docker compose exec -T app npm run benchmark:latency

      - name: Tear down
        if: always()
        run: docker compose down -v --remove-orphans

  verify-full-release:
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    permissions:
      contents: write
    env:
      COMPOSE_FILE: docker-compose.ci.yml
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Build and start containers
        run: docker compose build --no-cache && docker compose up -d

      - name: Run full release verification
        run: docker compose exec -T app npm run verify:full

      - name: Extract package archive
        run: |
          docker compose exec -T app sh -lc 'cp lancedb-opencode-pro-*.tgz /tmp/lancedb-opencode-pro.tgz'
          docker compose cp app:/tmp/lancedb-opencode-pro.tgz ./lancedb-opencode-pro.tgz

      - name: Upload package artifact
        uses: actions/upload-artifact@v4
        with:
          name: lancedb-opencode-pro-tgz
          path: lancedb-opencode-pro.tgz
          retention-days: 30

      - name: Publish package to npm
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          docker compose exec -T -e NPM_TOKEN="$NPM_TOKEN" app sh -lc '
            if [ -z "$NPM_TOKEN" ]; then
              echo "NPM_TOKEN is required for npm publish"
              exit 1
            fi
            printf "//registry.npmjs.org/:_authToken=%s\n" "$NPM_TOKEN" > ~/.npmrc
            npm publish lancedb-opencode-pro-*.tgz --access public
            rm -f ~/.npmrc
          '

      - name: Publish GitHub release asset
        uses: softprops/action-gh-release@v2
        with:
          files: lancedb-opencode-pro.tgz
          fail_on_unmatched_files: true
          generate_release_notes: true

      - name: Tear down
        if: always()
        run: docker compose down -v --remove-orphans