diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..4262659 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,17 @@ +version: 2 +updates: + - package-ecosystem: npm + directory: / + schedule: + interval: weekly + open-pull-requests-limit: 10 + + - package-ecosystem: nuget + directory: /backend + schedule: + interval: weekly + + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 175439a..fd24370 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,11 +2,23 @@ name: CI on: push: + branches: [main] + tags: ['v*'] pull_request: +# Least privilege by default; the CodeQL job widens its own scope locally. +permissions: + contents: read + +# A newer push to the same ref cancels the in-flight run. +concurrency: + group: ci-${{ github.ref }} + cancel-in-progress: true + jobs: frontend: runs-on: ubuntu-latest + timeout-minutes: 15 steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -15,13 +27,17 @@ jobs: cache: npm - run: npm ci - run: npm run lint + - run: npm run format:check - run: npm run check:tokens - run: npm test - run: npm run build + # The shipped bundle must stay clean; dev-only advisories are excluded. + - run: npm audit --omit=dev storybook-a11y: # Axe runs against every story in the static build; a violation fails the build. runs-on: ubuntu-latest + timeout-minutes: 15 steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -35,16 +51,43 @@ jobs: backend: runs-on: ubuntu-latest + timeout-minutes: 15 steps: - uses: actions/checkout@v4 - uses: actions/setup-dotnet@v4 with: dotnet-version: 10.0.x + - run: dotnet format backend/BigRegister.slnx --verify-no-changes - run: dotnet test backend/BigRegister.slnx + codeql: + # Static analysis (SAST) for both sides; results appear under the Security tab. + runs-on: ubuntu-latest + timeout-minutes: 20 + permissions: + security-events: write + contents: read + actions: read + strategy: + fail-fast: false + matrix: + language: [javascript-typescript, csharp] + steps: + - uses: actions/checkout@v4 + - if: matrix.language == 'csharp' + uses: actions/setup-dotnet@v4 + with: + dotnet-version: 10.0.x + - uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + - uses: github/codeql-action/autobuild@v3 + - uses: github/codeql-action/analyze@v3 + api-client-drift: # The committed typed client must match the backend OpenAPI doc. runs-on: ubuntu-latest + timeout-minutes: 15 steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 diff --git a/package.json b/package.json index 886afeb..7a8687b 100644 --- a/package.json +++ b/package.json @@ -4,6 +4,8 @@ "scripts": { "ng": "ng", "lint": "eslint .", + "format:check": "prettier --check .", + "format": "prettier --write .", "start": "ng serve --proxy-config proxy.conf.json", "gen:api": "cd backend && dotnet tool restore && dotnet build src/BigRegister.Api -v q && dotnet swagger tofile --output swagger.json src/BigRegister.Api/bin/Debug/net10.0/BigRegister.Api.dll v1 && cd .. && nswag run nswag.json", "build": "ng build",