# CI for orca-platform (IaC). # `shared` always runs (commitlint + gitleaks + trivy fs). # `validate` always runs (parses every manifest + overlay + vm spec). name: ci on: pull_request: branches: [main] push: branches: [main] jobs: shared: runs-on: docker steps: - uses: actions/checkout@v4 with: { fetch-depth: 0 } - name: commitlint (PR only) if: github.event_name == 'pull_request' shell: bash env: BASE_SHA: ${{ github.event.pull_request.base.sha }} HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | set -euo pipefail pattern='^(feat|fix|docs|chore|refactor|test|perf|build|ci|revert)(\([a-z0-9_/.-]+\))?!?: .{1,72}$' bad=0 while IFS= read -r subject; do if ! [[ "$subject" =~ $pattern ]]; then echo "::error::Commit subject does not match Conventional Commits: $subject" bad=$((bad+1)) fi done < <(git log --format=%s "${BASE_SHA}..${HEAD_SHA}") if [ "$bad" -gt 0 ]; then echo "::error::$bad commit(s) failed commitlint." exit 1 fi echo "commitlint: OK" - name: gitleaks shell: bash run: | set -euo pipefail GL_VERSION=8.18.4 curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GL_VERSION}/gitleaks_${GL_VERSION}_linux_x64.tar.gz" \ | tar -xz -C /tmp gitleaks /tmp/gitleaks detect --source . --no-banner --redact --verbose --exit-code 1 - name: trivy fs scan shell: bash run: | set -euo pipefail TRIVY_VERSION=0.70.0 curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \ | tar -xz -C /tmp trivy /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --no-progress --skip-dirs node_modules,target,dist,.orca-out . validate: runs-on: docker steps: - uses: actions/checkout@v4 - name: setup python shell: bash run: | which python3 python3 --version - name: make validate run: make validate