claude-did-this/claude-hub
1
0
Fork 1
mirror of https://github.com/claude-did-this/claude-hub.git synced 2026-02-14 19:30:02 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
53d77c2856bc2d753c4e54189246e0651a09a373
claude-hub/.github/workflows/pr.yml
Jonathan cb1329d512 fix: add pre-checkout workspace cleanup for coverage permission issues 
Add explicit workspace cleanup step before checkout to handle coverage
directories with restrictive permissions that prevent GitHub Actions cleanup.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-05-31 12:58:24 -05:00

360 lines
10 KiB
YAML
Raw Blame History

name: Pull Request CI
on:
pull_request:
branches: [ main ]
env:
NODE_VERSION: '20'
jobs:
# Lint job - fast and independent
lint:
name: Lint & Format Check
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
cache-dependency-path: 'package-lock.json'
- name: Install dependencies
run: npm ci --prefer-offline --no-audit
- name: Run linter
run: npm run lint:check || echo "No lint script found, skipping"
- name: Check formatting
run: npm run format:check || echo "No format script found, skipping"
# Unit tests - fastest test suite
test-unit:
name: Unit Tests
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [20.x]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
cache-dependency-path: 'package-lock.json'
- name: Install dependencies
run: npm ci --prefer-offline --no-audit
- name: Run unit tests
run: npm run test:unit
env:
NODE_ENV: test
BOT_USERNAME: '@TestBot'
GITHUB_WEBHOOK_SECRET: 'test-secret'
GITHUB_TOKEN: 'test-token'
# Coverage generation for PR feedback
coverage:
name: Test Coverage
runs-on: ubuntu-latest
needs: [test-unit]
steps:
- name: Clean workspace
run: |
# Fix any existing coverage file permissions before checkout
sudo find . -name "coverage" -type d -exec chmod -R 755 {} \; 2>/dev/null || true
sudo rm -rf coverage 2>/dev/null || true
- name: Checkout code
uses: actions/checkout@v4
with:
clean: true
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
cache-dependency-path: 'package-lock.json'
- name: Install dependencies
run: npm ci --prefer-offline --no-audit
- name: Generate test coverage
run: npm run test:ci
env:
NODE_ENV: test
BOT_USERNAME: '@TestBot'
GITHUB_WEBHOOK_SECRET: 'test-secret'
GITHUB_TOKEN: 'test-token'
- name: Fix coverage file permissions
run: |
# Fix permissions on coverage files that may be created with restricted access
find coverage -type f -exec chmod 644 {} \; 2>/dev/null || true
find coverage -type d -exec chmod 755 {} \; 2>/dev/null || true
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
slug: intelligence-assist/claude-hub
# Integration tests - moderate complexity
test-integration:
name: Integration Tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
cache-dependency-path: 'package-lock.json'
- name: Install dependencies
run: npm ci --prefer-offline --no-audit
- name: Run integration tests
run: npm run test:integration || echo "No integration tests found, skipping"
env:
NODE_ENV: test
BOT_USERNAME: '@TestBot'
GITHUB_WEBHOOK_SECRET: 'test-secret'
GITHUB_TOKEN: 'test-token'
# Security scans for PRs
security:
name: Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for secret scanning
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
cache-dependency-path: 'package-lock.json'
- name: Install dependencies
run: npm ci --prefer-offline --no-audit
- name: Run npm audit
run: |
npm audit --audit-level=moderate || {
echo "::warning::npm audit found vulnerabilities"
exit 0 # Don't fail the build, but warn
}
- name: Check for known vulnerabilities
run: npm run security:audit || echo "::warning::Security audit script failed"
- name: Run credential audit script
run: |
if [ -f "./scripts/security/credential-audit.sh" ]; then
./scripts/security/credential-audit.sh || {
echo "::error::Credential audit failed"
exit 1
}
else
echo "::warning::Credential audit script not found"
fi
- name: TruffleHog Secret Scan
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.pull_request.base.sha }}
head: ${{ github.event.pull_request.head.sha }}
extra_args: --debug --only-verified
- name: Check for high-risk files
run: |
# Check for files that commonly contain secrets
risk_files=$(find . -type f \( \
-name "*.pem" -o \
-name "*.key" -o \
-name "*.p12" -o \
-name "*.pfx" -o \
-name "*secret*" -o \
-name "*password*" -o \
-name "*credential*" \
\) -not -path "*/node_modules/*" -not -path "*/.git/*" | head -20)
if [ -n "$risk_files" ]; then
echo "⚠️ Found potentially sensitive files:"
echo "$risk_files"
echo "::warning::High-risk files detected. Please ensure they don't contain secrets."
fi
# CodeQL analysis for PRs
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: javascript
config-file: ./.github/codeql-config.yml
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:javascript"
# Check if Docker-related files changed
changes:
name: Detect Changes
runs-on: ubuntu-latest
outputs:
docker: ${{ steps.changes.outputs.docker }}
src: ${{ steps.changes.outputs.src }}
steps:
- uses: actions/checkout@v4
- uses: dorny/paths-filter@v3
id: changes
with:
filters: |
docker:
- 'Dockerfile*'
- 'scripts/**'
- '.dockerignore'
- 'claude-config*'
src:
- 'src/**'
- 'package*.json'
# Docker build test for PRs (build only, don't push)
docker-build:
name: Docker Build Test
runs-on: ubuntu-latest
if: needs.changes.outputs.docker == 'true' || needs.changes.outputs.src == 'true'
needs: [test-unit, lint, changes, security, codeql]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build main Docker image (test only)
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
push: false
load: true
tags: claude-github-webhook:pr-test
cache-from: type=gha,scope=pr-main
cache-to: type=gha,mode=max,scope=pr-main
platforms: linux/amd64
- name: Build Claude Code Docker image (test only)
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile.claudecode
push: false
load: true
tags: claude-code-runner:pr-test
cache-from: type=gha,scope=pr-claudecode
cache-to: type=gha,mode=max,scope=pr-claudecode
platforms: linux/amd64
- name: Test Docker containers
run: |
# Test main container starts correctly
docker run --name test-webhook -d -p 3003:3002 \
-e NODE_ENV=test \
-e BOT_USERNAME=@TestBot \
-e GITHUB_WEBHOOK_SECRET=test-secret \
-e GITHUB_TOKEN=test-token \
claude-github-webhook:pr-test
# Wait for container to start
sleep 10
# Test health endpoint
curl -f http://localhost:3003/health || exit 1
# Cleanup
docker stop test-webhook
docker rm test-webhook
- name: Docker security scan
if: needs.changes.outputs.docker == 'true'
run: |
# Run Hadolint on Dockerfile
docker run --rm -i hadolint/hadolint < Dockerfile || echo "::warning::Dockerfile linting issues found"
# Run Trivy scan on built image
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-v $HOME/Library/Caches:/root/.cache/ \
aquasec/trivy:latest image --exit-code 0 --severity HIGH,CRITICAL \
claude-github-webhook:pr-test || echo "::warning::Security vulnerabilities found"
# Summary job that all others depend on
pr-summary:
name: PR Summary
runs-on: ubuntu-latest
needs: [lint, test-unit, coverage, test-integration, security, codeql, docker-build]
if: always()
steps:
- name: Check job statuses
run: |
echo "## Pull Request CI Summary"
echo "- Lint & Format: ${{ needs.lint.result }}"
echo "- Unit Tests: ${{ needs.test-unit.result }}"
echo "- Test Coverage: ${{ needs.coverage.result }}"
echo "- Integration Tests: ${{ needs.test-integration.result }}"
echo "- Security Scan: ${{ needs.security.result }}"
echo "- CodeQL Analysis: ${{ needs.codeql.result }}"
echo "- Docker Build: ${{ needs.docker-build.result }}"
# Check for any failures
if [[ "${{ needs.lint.result }}" == "failure" ]] || \
[[ "${{ needs.test-unit.result }}" == "failure" ]] || \
[[ "${{ needs.coverage.result }}" == "failure" ]] || \
[[ "${{ needs.test-integration.result }}" == "failure" ]] || \
[[ "${{ needs.security.result }}" == "failure" ]] || \
[[ "${{ needs.codeql.result }}" == "failure" ]] || \
[[ "${{ needs.docker-build.result }}" == "failure" ]]; then
echo "::error::One or more CI jobs failed"
exit 1
fi
echo "✅ All CI checks passed!"
Reference in New Issue View Git Blame Copy Permalink