Pull Request Pipeline #5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pull Request Pipeline | |
| on: | |
| pull_request: | |
| branches: [ main ] | |
| types: [ opened, synchronize, reopened, ready_for_review ] | |
| workflow_dispatch: | |
| inputs: | |
| run_tests: | |
| description: 'Run all tests' | |
| required: true | |
| default: true | |
| type: boolean | |
| run_security: | |
| description: 'Run security checks' | |
| required: true | |
| default: true | |
| type: boolean | |
| run_validation: | |
| description: 'Run Rhema validation' | |
| required: true | |
| default: true | |
| type: boolean | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUST_BACKTRACE: 1 | |
| RUST_LOG: info | |
| # Local execution variables | |
| ACT_LOCAL: ${{ vars.ACT_LOCAL || 'false' }} | |
| SKIP_CODECOV: ${{ vars.SKIP_CODECOV || 'false' }} | |
| SKIP_SECURITY_SCAN: ${{ vars.SKIP_SECURITY_SCAN || 'false' }} | |
| jobs: | |
| setup: | |
| uses: ./.github/workflows/setup.yml | |
| with: | |
| rust-version: '1.88' | |
| rust-components: 'rustfmt,clippy' | |
| fetch-depth: '0' | |
| test: | |
| name: Test Suite | |
| runs-on: ubuntu-latest | |
| needs: setup | |
| strategy: | |
| matrix: | |
| rust: [1.88] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10.14.0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| cache: 'pnpm' | |
| cache-dependency-path: pnpm-lock.yaml | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Install Rust ${{ matrix.rust }} | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: ${{ matrix.rust }} | |
| components: rustfmt, clippy | |
| - name: Cache dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/registry | |
| ~/.cargo/git | |
| target | |
| .nx/cache | |
| key: ${{ runner.os }}-cargo-${{ matrix.rust }}-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-${{ matrix.rust }}- | |
| - name: Install system dependencies | |
| run: | | |
| if [ "$ACT_LOCAL" = "true" ]; then | |
| echo "Running in local mode, skipping system dependencies" | |
| else | |
| sudo apt-get update | |
| sudo apt-get install -y git curl build-essential | |
| fi | |
| - name: Check formatting | |
| run: npx nx run-many --target=fmt:check --projects=rhema-* | |
| - name: Run clippy | |
| run: npx nx run-many --target=clippy --projects=rhema-* | |
| - name: Run unit tests | |
| run: npx nx run-many --target=test --projects=rhema-* | |
| - name: Run integration tests | |
| env: | |
| RHEMA_RUN_INTEGRATION_TESTS: 1 | |
| run: cargo test --test integration --verbose | |
| - name: Run comprehensive test suite | |
| env: | |
| RHEMA_RUN_INTEGRATION_TESTS: 1 | |
| run: cargo test --test comprehensive_test_suite --verbose | |
| - name: Build release | |
| run: npx nx run-many --target=build:release --projects=rhema-* | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: rhema-${{ matrix.rust }} | |
| path: target/release/rhema | |
| retention-days: 7 | |
| validation: | |
| name: Rhema Validation | |
| runs-on: ubuntu-latest | |
| needs: [setup, test] | |
| if: ${{ github.event_name == 'pull_request' || github.event.inputs.run_validation == 'true' }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10.14.0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| cache: 'pnpm' | |
| cache-dependency-path: pnpm-lock.yaml | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Install Rust stable | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: stable | |
| - name: Cache dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/registry | |
| ~/.cargo/git | |
| target | |
| .nx/cache | |
| key: ${{ runner.os }}-cargo-stable-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-stable- | |
| - name: Build Rhema CLI | |
| run: npx nx run rhema-app:build:release | |
| - name: Install Rhema CLI | |
| run: cargo install --path crates/rhema | |
| - name: Validate Rhema files | |
| run: rhema validate --recursive | |
| - name: Check Rhema health | |
| run: rhema health | |
| - name: List Rhema scopes | |
| run: rhema scopes | |
| - name: Validate schemas | |
| run: rhema schema validate | |
| security: | |
| name: Security Audit | |
| runs-on: ubuntu-latest | |
| needs: setup | |
| if: ${{ github.event_name == 'pull_request' || github.event.inputs.run_security == 'true' }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10.14.0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| cache: 'pnpm' | |
| cache-dependency-path: pnpm-lock.yaml | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Install Rust stable | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: stable | |
| - name: Cache dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/registry | |
| ~/.cargo/git | |
| target | |
| .nx/cache | |
| key: ${{ runner.os }}-cargo-stable-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-stable- | |
| - name: Run security audit | |
| run: cargo audit | |
| - name: Check for secrets | |
| if: ${{ env.SKIP_SECURITY_SCAN != 'true' }} | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: . | |
| base: ${{ github.event.before || 'HEAD~1' }} | |
| head: ${{ github.sha }} | |
| - name: Run cargo-audit with advisory database | |
| run: | | |
| cargo install cargo-audit | |
| cargo audit --db-path ~/.cargo/advisory-db | |
| code-quality: | |
| name: Code Quality | |
| runs-on: ubuntu-latest | |
| needs: setup | |
| if: ${{ github.event_name == 'pull_request' || github.event.inputs.run_tests == 'true' }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10.14.0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| cache: 'pnpm' | |
| cache-dependency-path: pnpm-lock.yaml | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Install Rust stable | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: stable | |
| - name: Cache dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/registry | |
| ~/.cargo/git | |
| target | |
| .nx/cache | |
| key: ${{ runner.os }}-cargo-stable-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-stable- | |
| - name: Install cargo-tarpaulin | |
| run: cargo install cargo-tarpaulin | |
| - name: Generate coverage report | |
| run: cargo tarpaulin --out Html --out Xml --ignore-tests | |
| - name: Upload coverage artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage-report | |
| path: target/tarpaulin/tarpaulin-report.html | |
| retention-days: 30 | |
| - name: Upload coverage to Codecov (optional) | |
| if: ${{ env.SKIP_CODECOV != 'true' }} | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| file: ./target/tarpaulin/tarpaulin-report.xml | |
| flags: unittests | |
| name: codecov-umbrella | |
| fail_ci_if_error: false | |
| performance: | |
| name: Performance Tests | |
| runs-on: ubuntu-latest | |
| needs: setup | |
| if: ${{ github.event_name == 'pull_request' || github.event.inputs.run_tests == 'true' }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10.14.0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| cache: 'pnpm' | |
| cache-dependency-path: pnpm-lock.yaml | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Install Rust stable | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: stable | |
| - name: Cache dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/registry | |
| ~/.cargo/git | |
| target | |
| .nx/cache | |
| key: ${{ runner.os }}-cargo-stable-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-stable- | |
| - name: Run performance tests | |
| run: cargo test --test performance --verbose | |
| - name: Run benchmarks | |
| run: cargo bench --no-run | |
| shell-tests: | |
| name: Shell End-to-End Tests | |
| runs-on: ubuntu-latest | |
| needs: setup | |
| if: ${{ github.event_name == 'pull_request' || github.event.inputs.run_tests == 'true' }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10.14.0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| cache: 'pnpm' | |
| cache-dependency-path: pnpm-lock.yaml | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Install Rust stable | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: stable | |
| - name: Cache dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/registry | |
| ~/.cargo/git | |
| target | |
| .nx/cache | |
| key: ${{ runner.os }}-cargo-stable-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-stable- | |
| - name: Build Rhema CLI | |
| run: npx nx run rhema-app:build:release | |
| - name: Run shell tests | |
| run: | | |
| cd tests/shell | |
| chmod +x *.sh | |
| ./run-tests.sh | |
| summary: | |
| name: Pipeline Summary | |
| runs-on: ubuntu-latest | |
| needs: [test, validation, security, code-quality, performance, shell-tests] | |
| if: always() | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Generate summary | |
| run: | | |
| echo "## Pull Request Pipeline Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Jobs Status:" >> $GITHUB_STEP_SUMMARY | |
| echo "- Test Suite: ${{ needs.test.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Validation: ${{ needs.validation.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Security: ${{ needs.security.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Code Quality: ${{ needs.code-quality.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Performance: ${{ needs.performance.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- Shell Tests: ${{ needs.shell-tests.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| if [[ "${{ needs.test.result }}" == "success" && "${{ needs.validation.result }}" == "success" && "${{ needs.security.result }}" == "success" ]]; then | |
| echo "✅ All critical checks passed!" >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "❌ Some checks failed. Please review the logs above." >> $GITHUB_STEP_SUMMARY | |
| fi |