# CI skeleton — applies to every repo until per-stack code lands. # The `shared` job runs on every push + PR; per-stack `test`/`image`/`e2e` # jobs light up automatically when the repo gains go.sum / package.json / # Cargo.toml etc. — see the conditional gates below. name: ci on: pull_request: branches: [main] push: branches: [main] jobs: shared: runs-on: docker steps: - uses: actions/checkout@v4 with: { fetch-depth: 0 } - name: commitlint (PR only) if: github.event_name == 'pull_request' shell: bash env: BASE_SHA: ${{ github.event.pull_request.base.sha }} HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | set -euo pipefail pattern='^(feat|fix|docs|chore|refactor|test|perf|build|ci|revert)(\([a-z0-9_/.-]+\))?!?: .{1,72}$' bad=0 while IFS= read -r subject; do if ! [[ "$subject" =~ $pattern ]]; then echo "::error::Commit subject does not match Conventional Commits: $subject" bad=$((bad+1)) fi done < <(git log --format=%s "${BASE_SHA}..${HEAD_SHA}") if [ "$bad" -gt 0 ]; then echo "::error::$bad commit(s) failed commitlint. See https://www.conventionalcommits.org/" exit 1 fi echo "commitlint: all commit subjects OK" - name: gitleaks shell: bash run: | set -euo pipefail GL_VERSION=8.18.4 curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GL_VERSION}/gitleaks_${GL_VERSION}_linux_x64.tar.gz" \ | tar -xz -C /tmp gitleaks /tmp/gitleaks detect --source . --no-banner --redact --verbose --exit-code 1 - name: trivy fs scan shell: bash run: | set -euo pipefail TRIVY_VERSION=0.50.0 curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \ | tar -xz -C /tmp trivy /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --no-progress --skip-dirs node_modules,target,dist .