# CI for orca-platform (IaC). `shared` always runs; `validate` activates # when at least one Orca manifest lands. name: ci on: pull_request: branches: [main] push: branches: [main] jobs: shared: runs-on: docker steps: - uses: actions/checkout@v4 with: { fetch-depth: 0 } - name: commitlint (PR only) if: github.event_name == 'pull_request' shell: bash env: BASE_SHA: ${{ github.event.pull_request.base.sha }} HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | set -euo pipefail pattern='^(feat|fix|docs|chore|refactor|test|perf|build|ci|revert)(\([a-z0-9_/.-]+\))?!?: .{1,72}$' bad=0 while IFS= read -r subject; do if ! [[ "$subject" =~ $pattern ]]; then echo "::error::Commit subject does not match Conventional Commits: $subject" bad=$((bad+1)) fi done < <(git log --format=%s "${BASE_SHA}..${HEAD_SHA}") if [ "$bad" -gt 0 ]; then echo "::error::$bad commit(s) failed commitlint." exit 1 fi echo "commitlint: OK" - name: gitleaks shell: bash run: | set -euo pipefail GL_VERSION=8.18.4 curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GL_VERSION}/gitleaks_${GL_VERSION}_linux_x64.tar.gz" \ | tar -xz -C /tmp gitleaks /tmp/gitleaks detect --source . --no-banner --redact --verbose --exit-code 1 - name: trivy fs scan uses: aquasecurity/trivy-action@master with: scan-type: fs severity: HIGH,CRITICAL exit-code: 1 ignore-unfixed: true validate: runs-on: docker if: hashFiles('**/*.orca.yaml','**/*.orca.yml','manifests/**') != '' steps: - uses: actions/checkout@v4 - name: install orca run: | curl -fsSL https://orca.meghsakha.com/install.sh | sh orca version - name: orca validate run: orca validate ./