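---
# Continuous-integration workflow: backend and frontend tests, a Python
# syntax check, two security scans (Gitleaks for committed secrets, Trivy
# for vulnerable dependencies), and a final job that writes a result table
# to the run summary.
name: CI

# `on` reads as a YAML 1.1 boolean to generic parsers; GitHub's loader
# treats it as the trigger key (suppress yamllint `truthy` on this line).
on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

# Least-privilege default for GITHUB_TOKEN: every job is read-only unless
# it declares more below. Without an explicit block the token falls back to
# the repository default, which on many repositories lacks
# `security-events: write` — the SARIF upload then fails (silently, given
# continue-on-error) and Trivy findings never reach the Security tab.
permissions:
  contents: read

jobs:
  backend-test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'

      # NOTE(security): this pipes an unpinned remote script into sh on every
      # run. Consider pinning a uv version or verifying a checksum so a
      # changed or compromised installer cannot alter the build. Recent
      # installers place uv in ~/.local/bin, older ones in ~/.cargo/bin, so
      # both are added to PATH for the later `uv` steps.
      - name: Install uv
        run: |
          curl -LsSf https://astral.sh/uv/install.sh | sh
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"

      - name: Install dependencies
        run: uv sync

      - name: Run backend tests
        run: uv run python -m unittest discover -s backend/tests -p "test_*.py" -v

  frontend-test:
    runs-on: ubuntu-latest
    # Every `run` step executes inside frontend/, so no per-step `cd`.
    defaults:
      run:
        working-directory: frontend
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      # `npm ci` installs exactly what package-lock.json records and fails
      # if the lockfile and package.json disagree, keeping the build
      # reproducible.
      - name: Install dependencies
        run: npm ci

      - name: Run frontend tests
        run: npm test

      - name: Lint frontend
        run: npm run lint

  lint-python:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'

      # compileall walks backend/ recursively and exits non-zero when any
      # file fails to compile. The previous `py_compile backend/**/*.py`
      # matched only one directory level (bash globstar is off by default in
      # the runner shell) and its trailing `|| true` meant the step could
      # never fail, so the job was decorative. A syntax check needs no
      # project dependencies, so uv is not installed here.
      - name: Check Python syntax
        run: |
          python3 -m compileall -q backend
          echo "Python syntax check complete"

  secret-scanning:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # gitleaks-action comments findings on pull requests by default, which
      # presumably needs write on pull-requests; drop this if comments are
      # turned off via GITLEAKS_ENABLE_COMMENTS — TODO confirm against the
      # action's README.
      pull-requests: write
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          # Full history: Gitleaks scans every commit, not only the current
          # tree, so a secret that was committed and later removed is still
          # reported.
          fetch-depth: 0

      # NOTE: continue-on-error makes this scan advisory only — a finding
      # appears in the log but the job (and the summary table below) still
      # reports success. Remove it once the baseline is clean so a leaked
      # credential blocks the merge.
      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        continue-on-error: true

  dependency-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required by upload-sarif to write results to the Security tab.
      security-events: write
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      # TODO(security): `@master` is a mutable ref — each run pulls whatever
      # the branch points at, so an upstream change lands here unreviewed.
      # Pin to a release tag or, better, a full commit SHA.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
        continue-on-error: true

      # always(): upload whatever Trivy wrote even if the scan step failed
      # part-way through.
      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
        continue-on-error: true

  workflow-summary:
    runs-on: ubuntu-latest
    needs: [backend-test, frontend-test, lint-python, secret-scanning, dependency-scan]
    # always(): build the table even when an upstream job failed or was
    # cancelled — otherwise this job is skipped exactly when the table
    # matters most.
    if: always()
    steps:
      # ${{ needs.*.result }} values are fixed strings supplied by Actions
      # (success, failure, cancelled, skipped), so interpolating them into
      # the script is safe. Jobs whose failing step carries
      # continue-on-error report "success" here regardless of findings.
      - name: Generate workflow summary
        run: |
          cat >> "$GITHUB_STEP_SUMMARY" <<'EOF'
          ## 🔍 CI Workflow Summary

          ### Job Results

          | Job | Status |
          |-----|--------|
          | 🐍 Backend Tests | ${{ needs.backend-test.result }} |
          | ⚛️ Frontend Tests | ${{ needs.frontend-test.result }} |
          | 📝 Python Lint | ${{ needs.lint-python.result }} |
          | 🔐 Secret Scanning | ${{ needs.secret-scanning.result }} |
          | 📦 Dependency Scan | ${{ needs.dependency-scan.result }} |

          ### 📊 Summary

          All checks have completed. Review individual job logs for details.
          EOF
        continue-on-error: true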