chore(deps): upgrade dependencies and clear security alerts #1071
Workflow file for this run
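# Unified PR Validation Pipeline
#
# Optimized for maximum parallelism and minimum duplication.
# All independent jobs run in parallel, integration tests run after matrix completion.
#
# Security notes for maintainers:
# - Every checkout sets `persist-credentials: false`: no step below fetches or
#   pushes with git, so the workflow token is not kept configured for scripts
#   that run from the pull request (install hooks, build, tests).
# - NOTE(review): all `uses:` references are version tags, which can be moved
#   by the action's owner. Pinning to a full commit SHA, e.g.
#   `uses: owner/action@<full-commit-sha>  # vX.Y.Z` (placeholder), fixes the
#   code that actually runs; this matters most for the third-party actions
#   (webiny, codecov, docker).

name: PR Validation

# Triggered by the `pull_request` event for PRs targeting main.
on:
  pull_request:
    branches: [main]
    types: [opened, synchronize, reopened]

# Least privilege: the workflow token may only read repository contents and
# pull-request data.
permissions:
  contents: read
  pull-requests: read

jobs:
  # Fast lint check - no build required
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: "22"

      - name: Enable Corepack
        run: corepack enable

      - name: Install Yarn
        run: corepack prepare yarn@4.12.0 --activate

      # `--immutable` is the Yarn 4 name for the check that the lockfile is
      # not modified by the install; `--frozen-lockfile` is the deprecated
      # Yarn 1 spelling.
      - name: Install dependencies
        run: yarn install --immutable

      - name: Run ESLint
        run: yarn lint
        working-directory: packages/gitlab-mcp

  # Conventional commits validation
  commits:
    name: Conventional Commits
    runs-on: ubuntu-latest
    steps:
      # Full history (fetch-depth: 0) is checked out for this job.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Check conventional commits
        uses: webiny/action-conventional-commits@v1.4.2

  # Matrix test across Node versions - runs in parallel
  # The matrix currently lists a single version ("24"); fail-fast is off so
  # that, once more versions are listed, one failure does not cancel the rest.
  test:
    name: Test (Node ${{ matrix.node-version }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        node-version: ["24"]
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Setup Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}

      - name: Enable Corepack
        run: corepack enable

      - name: Install Yarn
        run: corepack prepare yarn@4.12.0 --activate

      - name: Install dependencies
        run: yarn install --immutable

      - name: Build all packages
        run: yarn build

      - name: Run core tests
        run: yarn test
        working-directory: packages/gitlab-mcp

      - name: Run optional db package tests
        run: yarn workspace @structured-world/gitlab-mcp-db test

      - name: Type check
        run: yarn tsc --noEmit
        working-directory: packages/gitlab-mcp

  # Coverage report - only on Node 22
  # Skipped while the pull request is a draft.
  coverage:
    name: Coverage
    runs-on: ubuntu-latest
    if: github.event.pull_request.draft == false
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: "22"

      - name: Enable Corepack
        run: corepack enable

      - name: Install Yarn
        run: corepack prepare yarn@4.12.0 --activate

      - name: Install dependencies
        run: yarn install --immutable

      - name: Build all packages
        run: yarn build

      - name: Run tests with coverage
        run: yarn test:cov
        working-directory: packages/gitlab-mcp

      # The Codecov token is handed to this step only. An upload failure does
      # not fail the job (fail_ci_if_error: false).
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v7
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./packages/gitlab-mcp/coverage/lcov.info
          fail_ci_if_error: false

  # Code quality checks
  # Both checks are advisory: they annotate the run but never fail the job.
  code-quality:
    name: Code Quality
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: "22"

      - name: Enable Corepack
        run: corepack enable

      - name: Install Yarn
        run: corepack prepare yarn@4.12.0 --activate

      - name: Install dependencies
        run: yarn install --immutable

      # Still non-blocking, but a formatting failure is now reported as a
      # warning annotation instead of a plain log line that is easy to miss.
      - name: Check code formatting
        run: yarn prettier --check "**/*.{js,ts,json,md}" || echo "::warning::Some files need formatting"

      # NOTE(review): this step sets no working-directory, so `src/` is
      # resolved from the repository root, while the lint and test steps run
      # in packages/gitlab-mcp. If there is no root-level src/, grep errors
      # out, the `if` is false and the step passes without scanning anything.
      # Confirm the path.
      - name: Check for console.log statements
        run: |
          if grep -r "console\.log" --include="*.ts" --exclude-dir=node_modules --exclude-dir=dist --exclude="*.test.ts" --exclude="test*.ts" src/; then
            echo "::warning::Found console.log statements in source code"
          fi

  # Docker build test
  docker:
    name: Docker Build
    runs-on: ubuntu-latest
    # Local registry so the db image can be built `FROM` the just-built core
    # image. The buildx `docker-container` builder is isolated from the host
    # docker daemon, so a `--load`ed core image is NOT visible to the db build
    # (it would try to pull gitlab-mcp:test from docker.io and fail). Push core
    # to this in-job registry and reference it via localhost:5000; the builder
    # reaches it via driver-opts network=host.
    #
    # NOTE(review): `registry:2` is a floating tag; a digest pin
    # (`registry:2@sha256:<digest>`, placeholder) keeps the service image
    # fixed between runs.
    services:
      registry:
        image: registry:2
        ports:
          # Quoted so the mapping is always read as a string.
          - "5000:5000"
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4
        with:
          driver-opts: network=host

      # Core is pushed to the in-job registry so the db image can resolve it via
      # FROM. Single-platform; the release workflow does the docker.io push.
      - name: Build core Docker image
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./packages/gitlab-mcp/Dockerfile
          platforms: linux/amd64
          push: true
          tags: localhost:5000/gitlab-mcp:test
          cache-from: type=gha,scope=core
          cache-to: type=gha,mode=max,scope=core

      # The db image is only built, never pushed (push: false).
      - name: Build db Docker image layered on core
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./packages/gitlab-mcp-db/Dockerfile
          build-args: |
            CORE_IMAGE=localhost:5000/gitlab-mcp:test
          platforms: linux/amd64
          push: false
          tags: gitlab-mcp-db:test
          cache-from: type=gha,scope=db
          cache-to: type=gha,mode=max,scope=db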