feat(sdk): wizard redesign + user attachments end-to-end #143
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| BUN_VERSION: 1.3.12 | |
| jobs: | |
| check: | |
| name: Lint + format | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: ${{ env.BUN_VERSION }} | |
| - run: bun install --frozen-lockfile | |
| - run: bun run fmt:check | |
| - run: bun run lint | |
| test-sdk: | |
| name: SDK tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: ${{ env.BUN_VERSION }} | |
| - run: bun install --frozen-lockfile | |
| - run: bun run test:sdk | |
| build-sdk: | |
| name: SDK build (IIFE sanity) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: ${{ env.BUN_VERSION }} | |
| - run: bun install --frozen-lockfile | |
| - run: bun run sdk:build | |
| env: | |
| NODE_OPTIONS: --max-old-space-size=6144 | |
| # Guardrails against the regression we caught in review: | |
| # if the IIFE bundle tree-shakes @reprojs/* out, it drops under 50 KB | |
| # and still contains unresolved "@reprojs" references. | |
| - name: Verify IIFE bundle is self-contained | |
| run: | | |
| BUNDLE=packages/core/dist/repro.iife.js | |
| test -f "$BUNDLE" || { echo "Bundle missing"; exit 1; } | |
| SIZE=$(wc -c < "$BUNDLE") | |
| echo "Bundle size: $SIZE bytes" | |
| if [ "$SIZE" -lt 50000 ]; then | |
| echo "ERROR: bundle < 50 KB — dependencies were likely tree-shaken out" | |
| exit 1 | |
| fi | |
| if grep -q "@reprojs" "$BUNDLE"; then | |
| echo "ERROR: bundle contains unresolved @reprojs imports" | |
| exit 1 | |
| fi | |
| test-dashboard: | |
| name: Dashboard tests | |
| runs-on: ubuntu-latest | |
| services: | |
| postgres: | |
| image: postgres:17 | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: repro | |
| ports: | |
| - 5436:5432 | |
| options: >- | |
| --health-cmd "pg_isready -U postgres -d repro" | |
| --health-interval 5s | |
| --health-timeout 5s | |
| --health-retries 10 | |
| env: | |
| DATABASE_URL: postgres://postgres:postgres@localhost:5436/repro | |
| BETTER_AUTH_SECRET: ci-test-secret-at-least-32-bytes-long-xxxxx | |
| BETTER_AUTH_URL: http://localhost:3000 | |
| ATTACHMENT_URL_SECRET: ci-test-secret-at-least-32-bytes-long-xxxxx | |
| # Required by encryption.ts (base64-decoded, HKDF-derived) so the | |
| # oauth-credentials tests can encrypt a seed row's client_secret | |
| # against the same key the dev server uses to decrypt on read. | |
| # Dummy, not a real secret. | |
| ENCRYPTION_KEY: Y2ktdGVzdC1lbmNyeXB0aW9uLWtleS0zMi1ieXRlcy0xMjM0NQ== | |
| MAIL_PROVIDER: console | |
| NODE_ENV: test | |
| # Silences nuxt-security's default per-IP rate limiter for the whole | |
| # suite so a big test file can't cascade 429s into unrelated test files. | |
| # The app's own rate-limit.ts still protects endpoints that matter. | |
| DISABLE_NUXT_SECURITY_RATE_LIMIT: "1" | |
| # The app's own intake rate limiters default to 20/min per IP and | |
| # 60/min per PK — fine in prod but the full test suite comfortably | |
| # exceeds both within the same minute. Crank them up for CI so | |
| # intake-touching tests don't starve each other. | |
| INTAKE_RATE_PER_KEY: "10000" | |
| INTAKE_RATE_PER_IP: "10000" | |
| INTAKE_RATE_PER_KEY_ANON: "10000" | |
| INVITE_RATE_PER_ADMIN: "10000" | |
| # Dummy GitHub App credentials — must match the fallback values in | |
| # apps/dashboard/tests/api/github-sync.test.ts so the dev server's | |
| # webhook signature verifier uses the same secret the tests sign with. | |
| # Not real secrets; the tests don't make actual API calls. | |
| GITHUB_APP_ID: "123" | |
| GITHUB_APP_PRIVATE_KEY: "-----BEGIN RSA PRIVATE KEY-----\ntest\n-----END RSA PRIVATE KEY-----" | |
| GITHUB_APP_WEBHOOK_SECRET: test-webhook-secret | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: ${{ env.BUN_VERSION }} | |
| - run: bun install --frozen-lockfile | |
| - name: Generate auth + push schema | |
| run: bun run db:push | |
| - name: Start dev server | |
| run: bun run dev &> /tmp/dev.log & | |
| - name: Wait for dev server | |
| run: | | |
| for i in $(seq 1 60); do | |
| if curl -s -o /dev/null -w "%{http_code}" http://localhost:3000/ | grep -qE "^(200|302|404)$"; then | |
| echo "Dev server ready" | |
| exit 0 | |
| fi | |
| sleep 2 | |
| done | |
| echo "Dev server did not become ready in 120s" | |
| tail -60 /tmp/dev.log | |
| exit 1 | |
| - name: Run dashboard tests | |
| working-directory: apps/dashboard | |
| run: bun test tests/ | |
| - name: Upload dev log on failure | |
| if: failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dev-server-log | |
| path: /tmp/dev.log | |
| if-no-files-found: ignore | |
| # Smoke-builds the dashboard production Docker image on every push to main | |
| # and every PR. Catches Nuxt-prod-build failures (TS config drift, missing | |
| # env handling, stale imports) that dev-mode tests don't surface — the | |
| # exact class of bug that broke the v0.1.11 Docker publish. No push; just | |
| # verifies the image CAN be built before a tag is ever cut. | |
| build-dashboard-docker: | |
| name: Dashboard Docker build (smoke) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build (no push) | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: apps/dashboard/Dockerfile | |
| platforms: linux/amd64 | |
| push: false | |
| tags: repro-dashboard:ci-smoke | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max |