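# Taskfile (go-task v3). CI checks run inside two locally built images;
# the Python image holds dependencies only and source is bind-mounted at
# run time, the frontend image bakes in frontend/src (see ci:frontend).
version: "3"

vars:
  PY_IMAGE: coder-ci-python
  FE_IMAGE: coder-ci-frontend
  # Volume mounts for Python source code (image has deps only)
  PY_MOUNT: >-
    -v {{.ROOT_DIR}}/orchestrator:/app/orchestrator
    -v {{.ROOT_DIR}}/tests:/app/tests
    -v {{.ROOT_DIR}}/prompts:/app/prompts

tasks:
  # ── Build CI images (deps only, rebuilt only when deps change) ───
  ci:python:
    internal: true
    cmds:
      # Build context is the repo root; the image is only rebuilt when the
      # checksum of the listed sources changes.
      - docker build -t {{.PY_IMAGE}} -f ci/python.Dockerfile .
    sources:
      - ci/python.Dockerfile
      - pyproject.toml
    method: checksum

  ci:frontend:
    internal: true
    cmds:
      - docker build -t {{.FE_IMAGE}} -f ci/frontend.Dockerfile frontend/
    # Unlike the Python image, frontend/src is part of the image inputs, so
    # any source change triggers a rebuild and the frontend:* tasks below
    # run without a bind mount.
    sources:
      - ci/frontend.Dockerfile
      - frontend/package.json
      - frontend/package-lock.json
      - frontend/src/**/*
      - frontend/tsconfig*.json
      - frontend/eslint.config.js
      - frontend/vite.config.ts
      - frontend/vitest.config.ts
    method: checksum

  # ── Python checks ────────────────────────────────────────────────
  lint:
    desc: Run ruff linter
    deps: [ci:python]
    cmds:
      - docker run --rm {{.PY_MOUNT}} {{.PY_IMAGE}} ruff check .

  format:check:
    desc: Check code formatting with ruff
    deps: [ci:python]
    cmds:
      - docker run --rm {{.PY_MOUNT}} {{.PY_IMAGE}} ruff format --check .

  typecheck:
    desc: Run mypy type checker
    deps: [ci:python]
    cmds:
      - docker run --rm {{.PY_MOUNT}} {{.PY_IMAGE}} mypy orchestrator/

  test:
    desc: Run pytest with coverage (75% threshold)
    deps: [ci:python]
    cmds:
      # --cov-fail-under makes the task fail when coverage drops below 75%.
      - docker run --rm {{.PY_MOUNT}} {{.PY_IMAGE}} pytest tests/ -v --cov=orchestrator --cov-report=term-missing --cov-report=xml --cov-fail-under=75

  audit:
    desc: Audit Python dependencies for vulnerabilities
    deps: [ci:python]
    cmds:
      # pip-audit is a standalone CLI, not a pip subcommand: `pip audit` is
      # rejected by pip, and with ignore_error set below that failure would
      # be swallowed and nothing audited. Assumes pip-audit is installed in
      # the CI image — confirm in ci/python.Dockerfile.
      - docker run --rm {{.PY_IMAGE}} pip-audit
    # Findings are printed but never fail the task.
    ignore_error: true

  # ── Frontend checks ────────────────────────────────────────────
  frontend:typecheck:
    desc: TypeScript type check
    deps: [ci:frontend]
    cmds:
      - docker run --rm {{.FE_IMAGE}} npm run typecheck

  frontend:lint:
    desc: Run ESLint
    deps: [ci:frontend]
    cmds:
      - docker run --rm {{.FE_IMAGE}} npm run lint

  frontend:test:
    desc: Run frontend tests (Vitest)
    deps: [ci:frontend]
    cmds:
      - docker run --rm {{.FE_IMAGE}} npm run test

  frontend:build:
    desc: Build frontend for production
    deps: [ci:frontend]
    cmds:
      - docker run --rm {{.FE_IMAGE}} npm run build

  # ── Security checks ──────────────────────────────────────────
  semgrep:
    desc: Run Semgrep security scanner
    cmds:
      # The repo is mounted read-only: the scanner only reads it.
      # --config=auto pulls rule sets from the Semgrep registry at scan time
      # (needs network access; the selected rules can change between runs),
      # alongside the repo's own .semgrep.yml. --error makes findings fail
      # the task.
      # TODO(review): pin the scanner image to a digest
      # (returntocorp/semgrep@sha256:<DIGEST>) instead of :latest.
      - >-
        docker run --rm
        -v {{.ROOT_DIR}}:/src:ro
        returntocorp/semgrep:latest
        semgrep scan
        --config=auto
        --config=/src/.semgrep.yml
        --error
        --exclude=.venv
        --exclude=node_modules
        --exclude=frontend/dist
        --exclude=.git
        /src

  gitleaks:
    desc: Run Gitleaks secret scanner
    cmds:
      # --no-git scans the working tree as plain files; commit history is not
      # examined. Mounted read-only since the scanner only reads.
      # TODO(review): pin the scanner image to a digest
      # (zricethezav/gitleaks@sha256:<DIGEST>) instead of :latest.
      - >-
        docker run --rm
        -v {{.ROOT_DIR}}:/src:ro
        zricethezav/gitleaks:latest
        detect
        --source=/src
        --no-git

  npm-audit:
    desc: Audit frontend dependencies for vulnerabilities
    deps: [ci:frontend]
    preconditions:
      - test -f frontend/package-lock.json
    cmds:
      # --audit-level sets the exit-code threshold, but ignore_error below
      # means findings are reported without failing the task.
      - docker run --rm {{.FE_IMAGE}} npm audit --audit-level=moderate
    ignore_error: true

  govulncheck:
    desc: Run Go vulnerability scanner
    # Only meaningful in a repo with a Go module; the precondition fails the
    # task otherwise, which is why this is not part of the security aggregate.
    preconditions:
      - test -f go.mod
    cmds:
      # govulncheck is fetched with @latest on every run (network access,
      # unpinned tool version); a pinned version would make runs reproducible.
      - >-
        docker run --rm
        -v {{.ROOT_DIR}}:/src
        -w /src
        golang:1.23-alpine
        sh -c "go install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck ./..."
    ignore_error: true

  security:
    desc: All security checks (semgrep, gitleaks, audit, npm-audit)
    cmds:
      - task: semgrep
      - task: gitleaks
      # Python dependency audit is included alongside the frontend one.
      - task: audit
      - task: npm-audit

  # ── Aggregate tasks ────────────────────────────────────────────
  python:quality:
    desc: All Python quality checks (lint, format, typecheck, test)
    cmds:
      - task: lint
      - task: format:check
      - task: typecheck
      - task: test

  frontend:quality:
    desc: All frontend quality checks (typecheck, lint, test, build)
    cmds:
      - task: frontend:typecheck
      - task: frontend:lint
      - task: frontend:test
      - task: frontend:build

  quality:
    desc: All quality checks (Python + Frontend in parallel)
    # deps run concurrently, unlike the sequential cmds lists above.
    deps:
      - python:quality
      - frontend:quality

  # ── Run (local dev) ────────────────────────────────────────────
  run:
    desc: Start backend server and frontend dev server
    deps:
      - run:backend
      - run:frontend

  run:backend:
    desc: Start the orchestrator backend
    cmds:
      # Runs on the host from the local virtualenv, not in the CI image.
      - .venv/bin/python -m orchestrator.main

  run:frontend:
    desc: Start the frontend dev server
    dir: frontend
    cmds:
      - npm run dev

  # ── Dev convenience (write back to host) ───────────────────────
  format:
    desc: Auto-format Python code with ruff
    deps: [ci:python]
    cmds:
      # The PY_MOUNT bind mounts are writable, so ruff edits host files.
      - docker run --rm {{.PY_MOUNT}} {{.PY_IMAGE}} ruff format .

  lint:fix:
    desc: Auto-fix Python linter issues with ruff
    deps: [ci:python]
    cmds:
      - docker run --rm {{.PY_MOUNT}} {{.PY_IMAGE}} ruff check --fix .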