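---
# CI pipeline: typecheck, test, and package the extension for Chrome, Firefox
# and Edge; on pushes to main only, attest the Chrome package and its SBOM.
name: CI

on:
  push:
    branches:
      - main
  pull_request:

# Workflow-wide token scopes. `contents: read` is all the check steps need;
# `id-token: write` and `attestations: write` serve the two actions/attest
# steps, which are themselves gated to pushes on main. With a single job,
# workflow-level and job-level scoping are equivalent here.
permissions:
  contents: read
  id-token: write
  attestations: write

jobs:
  build-and-test:
    name: Typecheck, test, and package
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # Full history; presumably needed by the release/drift checks
          # below — confirm before shallowing the clone.
          fetch-depth: 0

      - name: Set up Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version-file: .node-version
          cache: npm

      - name: Install dependencies
        run: npm ci
        env:
          # Browsers are installed explicitly in the next step.
          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1'

      - name: Install Playwright Chromium
        run: npx playwright install --with-deps chromium

      # Exposes `steps.package.outputs.version` for the package-scan and
      # attest steps below. The value comes from package.json in the
      # checked-out tree, i.e. from repository (or PR) content.
      - name: Read package version
        id: package
        run: echo "version=$(node -p \"require('./package.json').version\")" >> "$GITHUB_OUTPUT"

      # Phase 40.20 — Catch transitive CVEs at PR time, mirroring the
      # monaco-editor 2026-05-12..15 dependency-audit wave.
      # `--audit-level=high` filters out noise (low/moderate informational)
      # but fails the build on actually exploitable advisories.
      # `--omit=optional` keeps the noise floor down; optional deps don't
      # ship in the extension bundle.
      - name: npm audit (high+ severity)
        run: npm audit --audit-level=high --omit=optional

      # Repository-defined contract checks (see the npm scripts in
      # package.json for what each one verifies).
      - name: Toolchain contract check
        run: npm run toolchain:check
      - name: Optional dependency reach check
        run: npm run optional-deps:check
      - name: Settings schema check
        run: npm run settings:schema:check
      - name: CWS publish tooling check
        run: npm run cws:check
      - name: Store permission copy check
        run: npm run store-copy:check
      - name: README claim check
        run: npm run readme:check
      - name: Readability copy check
        run: npm run readability:check
      - name: TypeScript runtime artifact check
        run: npm run ts-runtime:check
      - name: TypeScript source drift gate
        run: npm run ts-source:check
      - name: Release artifact parity
        run: npm run release:check
      - name: Release rollback storage drill
        run: npm run release:rollback-drill

      - name: Typecheck
        run: npm run typecheck
      - name: Test
        run: npm test
      - name: Coverage source gate
        run: npm run test:cov
      - name: Build extension bundle
        run: npm run build

      - name: Set up Chrome
        id: setup-chrome
        uses: browser-actions/setup-chrome@19ae4b339ee18925ab85cf12c1041150ea4a44c8 # v1

      # The Chrome path is handed over via env rather than interpolated into
      # the shell line.
      - name: Smoke test dashboard
        run: npm run smoke:dashboard
        env:
          SCRIPT_VAULT_CHROME_PATH: ${{ steps.setup-chrome.outputs.chrome-path }}

      - name: Playwright E2E flows
        run: npm run test:e2e

      - name: Package Chrome extension
        run: bash build.sh

      # Same env pattern as the smoke test: the version string is read from
      # package.json, so on pull_request runs it is PR-controlled input.
      # Routing it through an env variable (quoted in the shell) keeps it
      # out of the command text that the runner assembles.
      - name: CWS remote-code package scan
        env:
          PACKAGE_VERSION: ${{ steps.package.outputs.version }}
        run: npm run cws:remote-code:check -- --target "ScriptVault-v${PACKAGE_VERSION}.zip"

      - name: Firefox lint and package
        run: npm run firefox:package
      - name: Edge package
        run: npm run build:edge:check
      - name: Release store status check
        run: npm run release:store-status
      - name: GitHub Actions pin check
        run: npm run actions:pins:check
      - name: Browser support matrix check
        run: npm run support:matrix:check
      - name: Release trust gate
        run: npm run release:trust

      # Attestations are produced only for the protected main branch on push,
      # so PR builds never mint OIDC-backed provenance.
      - name: Attest Chrome package
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/attest@281a49d4cbb0a72c9575a50d18f6deb515a11deb # v4
        with:
          subject-path: ScriptVault-v${{ steps.package.outputs.version }}.zip

      - name: Attest SBOM
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/attest@281a49d4cbb0a72c9575a50d18f6deb515a11deb # v4
        with:
          subject-path: ScriptVault-v${{ steps.package.outputs.version }}.zip
          sbom-path: release-artifacts/ScriptVault-v${{ steps.package.outputs.version }}.sbom.cyclonedx.json

      # `if-no-files-found: error` makes a silently empty packaging step fail
      # the run instead of uploading nothing.
      - name: Upload Chrome package
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: scriptvault-chrome-package
          path: |
            ScriptVault-v*.zip
            release-artifacts/*
          if-no-files-found: error

      - name: Upload Firefox package
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: scriptvault-firefox-package
          path: firefox-artifacts/*
          if-no-files-found: error

      - name: Upload Edge package
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: scriptvault-edge-package
          path: edge-artifacts/*
          if-no-files-found: error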