fc995be6e3
問題: - CI workflow 不知何時被改成 ubuntu-latest - 導致 GitHub Actions 因帳單問題失敗 修復: - 全部改回 self-hosted (awoooi-110) 鐵律: - Memory 記錄: feedback_github_billing.md - 禁止使用 GitHub 雲端 Runner Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
231 lines
5.9 KiB
YAML
231 lines
5.9 KiB
YAML
name: CI
|
||
|
||
on:
|
||
push:
|
||
branches: [main]
|
||
pull_request:
|
||
branches: [main]
|
||
|
||
env:
|
||
NODE_VERSION: '20'
|
||
PNPM_VERSION: '9'
|
||
PYTHON_VERSION: '3.11'
|
||
|
||
jobs:
|
||
# ==================== Lint & Type Check ====================
|
||
lint:
|
||
name: Lint & Type Check
|
||
runs-on: self-hosted
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Setup pnpm
|
||
uses: pnpm/action-setup@v3
|
||
with:
|
||
version: ${{ env.PNPM_VERSION }}
|
||
|
||
- name: Setup Node.js
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: ${{ env.NODE_VERSION }}
|
||
cache: 'pnpm'
|
||
|
||
- name: Install dependencies
|
||
run: pnpm install --frozen-lockfile
|
||
|
||
- name: Lint
|
||
run: pnpm lint
|
||
|
||
- name: Type check
|
||
run: pnpm typecheck
|
||
|
||
- name: ADR Compliance Check
|
||
run: |
|
||
echo "🔍 正在檢查是否違反 ADR 規定..."
|
||
|
||
# 檢查 1: 前端禁止直連資料庫 (違反 ADR-005 BFF 原則)
|
||
if grep -rE "psycopg2|asyncpg|redis|sqlalchemy|pg|ioredis" apps/web/src/ 2>/dev/null; then
|
||
echo "❌ 嚴重違規 (ADR-005): 前端程式碼中發現直連資料庫的套件!"
|
||
exit 1
|
||
fi
|
||
|
||
# 檢查 2: 狀態管理嚴禁使用 Redux (違反 ADR-004 必須用 Zustand)
|
||
if grep -rE "@reduxjs/toolkit|react-redux" apps/web/package.json 2>/dev/null; then
|
||
echo "❌ 違規 (ADR-004): 發現 Redux,請全面改用 Zustand!"
|
||
exit 1
|
||
fi
|
||
|
||
# 檢查 3: 禁止 import 舊專案 (違反 .awoooi-agent-rules.md)
|
||
if grep -rE "from ['\"].*wooo-aiops" apps/ packages/ 2>/dev/null; then
|
||
echo "❌ 嚴重違規: 禁止 import 舊專案 wooo-aiops!"
|
||
exit 1
|
||
fi
|
||
|
||
# 檢查 4: 禁止硬編碼機密
|
||
if grep -rE "(sk-[a-zA-Z0-9]{20,}|password\s*=\s*['\"][^'\"]+['\"])" apps/ packages/ 2>/dev/null; then
|
||
echo "❌ 嚴重違規: 發現硬編碼機密!"
|
||
exit 1
|
||
fi
|
||
|
||
echo "✅ ADR 規範檢查通過!"
|
||
|
||
# ==================== Test ====================
|
||
test:
|
||
name: Test
|
||
runs-on: self-hosted
|
||
needs: lint
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Setup pnpm
|
||
uses: pnpm/action-setup@v3
|
||
with:
|
||
version: ${{ env.PNPM_VERSION }}
|
||
|
||
- name: Setup Node.js
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: ${{ env.NODE_VERSION }}
|
||
cache: 'pnpm'
|
||
|
||
- name: Install dependencies
|
||
run: pnpm install --frozen-lockfile
|
||
|
||
- name: Run tests
|
||
run: pnpm test --coverage
|
||
|
||
- name: Upload coverage
|
||
uses: codecov/codecov-action@v4
|
||
with:
|
||
token: ${{ secrets.CODECOV_TOKEN }}
|
||
fail_ci_if_error: false
|
||
|
||
# ==================== Build ====================
|
||
build:
|
||
name: Build
|
||
runs-on: self-hosted
|
||
needs: lint
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Setup pnpm
|
||
uses: pnpm/action-setup@v3
|
||
with:
|
||
version: ${{ env.PNPM_VERSION }}
|
||
|
||
- name: Setup Node.js
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: ${{ env.NODE_VERSION }}
|
||
cache: 'pnpm'
|
||
|
||
- name: Install dependencies
|
||
run: pnpm install --frozen-lockfile
|
||
|
||
- name: Setup Turborepo Cache
|
||
uses: dtinth/setup-github-actions-caching-for-turbo@v1
|
||
|
||
- name: Build packages
|
||
run: pnpm turbo build
|
||
|
||
- name: Upload build artifacts
|
||
uses: actions/upload-artifact@v4
|
||
with:
|
||
name: build-artifacts
|
||
path: |
|
||
apps/*/dist
|
||
packages/*/dist
|
||
retention-days: 7
|
||
|
||
# ==================== API (Python) ====================
|
||
api-lint:
|
||
name: API Lint (Python)
|
||
runs-on: self-hosted
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Setup Python
|
||
uses: actions/setup-python@v5
|
||
with:
|
||
python-version: ${{ env.PYTHON_VERSION }}
|
||
|
||
- name: Install uv
|
||
uses: astral-sh/setup-uv@v3
|
||
|
||
- name: Install dependencies
|
||
working-directory: apps/api
|
||
run: uv sync
|
||
|
||
- name: Lint with ruff
|
||
working-directory: apps/api
|
||
run: uv run ruff check .
|
||
|
||
- name: Type check with mypy
|
||
working-directory: apps/api
|
||
run: uv run mypy .
|
||
|
||
api-test:
|
||
name: API Test (Python)
|
||
runs-on: self-hosted
|
||
needs: api-lint
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Setup Python
|
||
uses: actions/setup-python@v5
|
||
with:
|
||
python-version: ${{ env.PYTHON_VERSION }}
|
||
|
||
- name: Install uv
|
||
uses: astral-sh/setup-uv@v3
|
||
|
||
- name: Install dependencies
|
||
working-directory: apps/api
|
||
run: uv sync
|
||
|
||
- name: Run tests
|
||
working-directory: apps/api
|
||
run: uv run pytest --cov=src --cov-report=xml
|
||
|
||
# ==================== OpenAPI Validation ====================
|
||
openapi-validate:
|
||
name: Validate OpenAPI Spec
|
||
runs-on: self-hosted
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Setup Node.js
|
||
uses: actions/setup-node@v4
|
||
with:
|
||
node-version: ${{ env.NODE_VERSION }}
|
||
|
||
- name: Install spectral
|
||
run: npm install -g @stoplight/spectral-cli
|
||
|
||
- name: Validate OpenAPI
|
||
run: spectral lint docs/api/api-contract.yaml
|
||
|
||
# ==================== Docker Build (驗證 Dockerfile) ====================
|
||
docker-build:
|
||
name: Docker Build Verify
|
||
runs-on: self-hosted
|
||
needs: [test, api-test, build]
|
||
strategy:
|
||
matrix:
|
||
app: [web, api]
|
||
steps:
|
||
- uses: actions/checkout@v4
|
||
|
||
- name: Set up Docker Buildx
|
||
uses: docker/setup-buildx-action@v3
|
||
|
||
- name: Build image (no push)
|
||
uses: docker/build-push-action@v5
|
||
with:
|
||
context: .
|
||
file: apps/${{ matrix.app }}/Dockerfile
|
||
push: false
|
||
tags: awoooi-${{ matrix.app }}:test
|
||
cache-from: type=gha
|
||
cache-to: type=gha,mode=max
|