Bump brakeman from 6.2.2 to 7.0.0 #546
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
pull_request: | |
push: | |
jobs: | |
scan_ruby: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: .ruby-version | |
bundler-cache: true | |
- name: Scan for common Rails security vulnerabilities using static analysis | |
run: bin/brakeman --no-pager | |
scan_js: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: .ruby-version | |
bundler-cache: true | |
- name: Scan for security vulnerabilities in JavaScript dependencies | |
run: bin/importmap audit | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: .ruby-version | |
bundler-cache: true | |
- name: Lint code for consistent style | |
run: | | |
bin/rubocop --format json --out rubocop_output.json | |
offenses_per_file=$(jq '.files[] | {path, offenses: (.offenses | length)} | select(.offenses > 1)' rubocop_output.json) | |
if [[ -n "$offenses_per_file" ]]; then | |
echo "There are files with more than 1 offense:" | |
echo "$offenses_per_file" | |
exit 1 | |
else | |
echo "All files have 1 or fewer offenses." | |
fi | |
test: | |
runs-on: ubuntu-latest | |
# services: | |
# redis: | |
# image: redis | |
# ports: | |
# - 6379:6379 | |
# options: --health-cmd "redis-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5 | |
steps: | |
- name: Install packages | |
run: sudo apt-get update && sudo apt-get install --no-install-recommends -y google-chrome-stable curl libjemalloc2 libvips sqlite3 | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: .ruby-version | |
bundler-cache: true | |
- name: Install bundler | |
run: gem install bundler | |
- name: Install dependencies | |
run: | | |
bundle install | |
- name: Run database migrations | |
run: bin/rails db:migrate RAILS_ENV=test | |
- name: Prepare the test database | |
run: bin/rails db:test:prepare | |
- name: Debug installed gems | |
run: | | |
bundle exec gem list | |
- name: Run tests | |
env: | |
RAILS_ENV: test | |
# REDIS_URL: redis://localhost:6379/0 | |
# run: bin/rails db:test:prepare test test:system | |
run: | | |
bundle exec rails test | |
- name: Check test coverage | |
run: | | |
covered_percent=$(ruby -r simplecov -e "puts SimpleCov.result.covered_percent") | |
if (( $(echo "$covered_percent < 90" | bc -l) )); then | |
echo "Code coverage is below 90%: $covered_percent%" | |
exit 1 | |
else | |
echo "Code coverage is sufficient: $covered_percent%" | |
fi | |
- name: Keep screenshots from failed system tests | |
uses: actions/upload-artifact@v4 | |
if: failure() | |
with: | |
name: screenshots | |
path: ${{ github.workspace }}/tmp/screenshots | |
if-no-files-found: ignore | |
cucumber_coverage: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up Ruby | |
uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: .ruby-version | |
bundler-cache: true | |
- name: Install dependencies | |
run: bundle install | |
- name: Run Cucumber tests with coverage | |
run: | | |
bundle exec cucumber --format pretty --format html --out cucumber_report.html | |
if grep -q "coverage below" coverage/.last_run.json; then | |
echo "Test coverage is below the required threshold" | |
exit 1 | |
else | |
echo "Test coverage meets the required threshold" | |
fi | |
- name: Upload Cucumber HTML Report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: cucumber-report | |
path: cucumber_report.html |