ADE-68: Orchestration & CTO: worker sandbox escape / webFetch SSRF (P1) + plan.md images, dead CTO buttons, manifest integrity, automation guard, dead webhook, decomposition #1904
name: CI

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Workflow-wide GITHUB_TOKEN scope: read-only. No job below declares its own
# `permissions:` block, so nothing widens it.
permissions:
  contents: read

# NOTE(review): every action is referenced by a mutable tag (@v4, @v2); pinning
# to a full commit SHA would make the action supply chain reproducible. Tags are
# kept here as the file currently has them.
jobs:
| # ── Stage 1: Install & cache ────────────────────────────────────────── | |
| install: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - name: Restore node_modules cache | |
| id: cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| apps/desktop/node_modules | |
| apps/ade-cli/node_modules | |
| apps/web/node_modules | |
| key: nm-v2-${{ hashFiles('apps/desktop/package-lock.json','apps/ade-cli/package-lock.json','apps/web/package-lock.json') }} | |
| - name: Install all dependencies (parallel) | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| run: | | |
| set -euo pipefail | |
| pids=() | |
| cd apps/desktop && npm ci & | |
| pids+=($!) | |
| cd apps/ade-cli && npm ci & | |
| pids+=($!) | |
| cd apps/web && npm ci & | |
| pids+=($!) | |
| fail=0 | |
| for pid in "${pids[@]}"; do | |
| wait "$pid" || fail=1 | |
| done | |
| if [ "$fail" -ne 0 ]; then | |
| echo "::error::One or more npm ci installs failed" | |
| exit 1 | |
| fi | |
| # ── Secret scanning (no deps needed) ─────────────────────────────────── | |
| secret-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # ── Stage 2: Parallel checks ────────────────────────────────────────── | |
| typecheck-desktop: | |
| needs: install | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| apps/desktop/node_modules | |
| apps/ade-cli/node_modules | |
| apps/web/node_modules | |
| key: nm-v2-${{ hashFiles('apps/desktop/package-lock.json','apps/ade-cli/package-lock.json','apps/web/package-lock.json') }} | |
| - run: cd apps/desktop && npm run typecheck | |
| typecheck-ade-cli: | |
| needs: install | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| apps/desktop/node_modules | |
| apps/ade-cli/node_modules | |
| apps/web/node_modules | |
| key: nm-v2-${{ hashFiles('apps/desktop/package-lock.json','apps/ade-cli/package-lock.json','apps/web/package-lock.json') }} | |
| - run: cd apps/ade-cli && npm run typecheck | |
| typecheck-web: | |
| needs: install | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| apps/desktop/node_modules | |
| apps/ade-cli/node_modules | |
| apps/web/node_modules | |
| key: nm-v2-${{ hashFiles('apps/desktop/package-lock.json','apps/ade-cli/package-lock.json','apps/web/package-lock.json') }} | |
| - run: cd apps/web && npm run typecheck | |
| lint-desktop: | |
| needs: install | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| apps/desktop/node_modules | |
| apps/ade-cli/node_modules | |
| apps/web/node_modules | |
| key: nm-v2-${{ hashFiles('apps/desktop/package-lock.json','apps/ade-cli/package-lock.json','apps/web/package-lock.json') }} | |
| - run: cd apps/desktop && npm run lint | |
| test-desktop: | |
| needs: install | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| shard: [1, 2, 3, 4, 5, 6, 7, 8] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| apps/desktop/node_modules | |
| apps/ade-cli/node_modules | |
| apps/web/node_modules | |
| key: nm-v2-${{ hashFiles('apps/desktop/package-lock.json','apps/ade-cli/package-lock.json','apps/web/package-lock.json') }} | |
| - run: cd apps/desktop && npx vitest run --shard=${{ matrix.shard }}/8 | |
| test-ade-cli: | |
| needs: install | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| apps/desktop/node_modules | |
| apps/ade-cli/node_modules | |
| apps/web/node_modules | |
| key: nm-v2-${{ hashFiles('apps/desktop/package-lock.json','apps/ade-cli/package-lock.json','apps/web/package-lock.json') }} | |
| - run: cd apps/ade-cli && npm test | |
| build: | |
| needs: install | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| apps/desktop/node_modules | |
| apps/ade-cli/node_modules | |
| apps/web/node_modules | |
| key: nm-v2-${{ hashFiles('apps/desktop/package-lock.json','apps/ade-cli/package-lock.json','apps/web/package-lock.json') }} | |
| - run: cd apps/desktop && npm run build | |
| - run: cd apps/ade-cli && npm run build | |
| - run: cd apps/web && npm run build | |
| build-runtime-binaries: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - target: darwin-arm64 | |
| os: macos-15 | |
| - target: darwin-x64 | |
| os: macos-15-intel | |
| - target: linux-x64 | |
| os: ubuntu-latest | |
| - target: linux-arm64 | |
| os: ubuntu-24.04-arm | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| cache-dependency-path: | | |
| apps/desktop/package-lock.json | |
| apps/ade-cli/package-lock.json | |
| - name: Install desktop dependencies | |
| run: cd apps/desktop && npm ci | |
| - name: Install ADE CLI dependencies | |
| run: cd apps/ade-cli && npm ci | |
| - name: Build ADE runtime binary | |
| run: cd apps/ade-cli && npm run build:static -- --target ${{ matrix.target }} | |
| - name: Smoke test ADE runtime binary | |
| run: | | |
| apps/ade-cli/dist-static/ade-${{ matrix.target }} --version | |
| tar -tzf apps/ade-cli/dist-static/ade-${{ matrix.target }}.native.tar.gz | grep -q '^\./node_modules/' | |
| if tar -tzf apps/ade-cli/dist-static/ade-${{ matrix.target }}.native.tar.gz | grep -Eq '^\./node_modules/opencode-(darwin|linux|windows)-'; then | |
| echo "Unexpected duplicate OpenCode platform package in native runtime archive" | |
| exit 1 | |
| fi | |
| - name: Upload ADE runtime binary | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ade-runtime-${{ matrix.target }} | |
| path: | | |
| apps/ade-cli/dist-static/ade-${{ matrix.target }} | |
| apps/ade-cli/dist-static/ade-${{ matrix.target }}.native.tar.gz | |
| if-no-files-found: error | |
| compression-level: 0 | |
| validate-docs: | |
| needs: install | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| - uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| apps/desktop/node_modules | |
| apps/ade-cli/node_modules | |
| apps/web/node_modules | |
| key: nm-v2-${{ hashFiles('apps/desktop/package-lock.json','apps/ade-cli/package-lock.json','apps/web/package-lock.json') }} | |
| - run: node scripts/validate-docs.mjs | |
| # ── Windows build smoke (self-contained — no shared cache) ──────────── | |
| # Runs the same dist:win pipeline that release-core.yml uses, so a PR | |
| # that would break Windows release is caught here instead of at release | |
| # time. Self-contained because windows-latest node_modules contain | |
| # platform-specific native binaries that can't share a Linux cache. | |
| build-win: | |
| needs: build-runtime-binaries | |
| runs-on: windows-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| cache-dependency-path: | | |
| apps/desktop/package-lock.json | |
| apps/ade-cli/package-lock.json | |
| - name: Install desktop dependencies | |
| run: cd apps/desktop && npm ci | |
| - name: Install ADE CLI dependencies | |
| run: cd apps/ade-cli && npm ci | |
| - name: Download ADE runtime binaries | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: ade-runtime-* | |
| path: apps/desktop/resources/runtime | |
| merge-multiple: true | |
| - name: Materialize ADE runtime resources | |
| env: | |
| ADE_RUNTIME_ARTIFACTS_DIR: ${{ github.workspace }}\apps\desktop\resources\runtime | |
| run: cd apps/desktop && npm run materialize:runtime-resources | |
| - name: Reset release output | |
| shell: pwsh | |
| run: | | |
| Remove-Item -Recurse -Force apps/desktop/release, apps/desktop/.cache -ErrorAction SilentlyContinue | |
| New-Item -ItemType Directory -Path apps/desktop/.cache | Out-Null | |
| - name: Build and validate Windows release | |
| env: | |
| ELECTRON_CACHE: ${{ github.workspace }}\apps\desktop\.cache\electron | |
| ELECTRON_BUILDER_CACHE: ${{ github.workspace }}\apps\desktop\.cache\electron-builder | |
| run: cd apps/desktop && npm run dist:win | |
| # ── Gate: all jobs must pass ────────────────────────────────────────── | |
| ci-pass: | |
| if: always() | |
| needs: | |
| - install | |
| - secret-scan | |
| - typecheck-desktop | |
| - typecheck-ade-cli | |
| - typecheck-web | |
| - lint-desktop | |
| - test-desktop | |
| - test-ade-cli | |
| - build | |
| - build-runtime-binaries | |
| - validate-docs | |
| - build-win | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check all jobs passed | |
| run: | | |
| if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]] || | |
| [[ "${{ contains(needs.*.result, 'skipped') }}" == "true" ]] || | |
| [[ "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then | |
| echo "::error::One or more required jobs failed, were skipped, or were cancelled" | |
| exit 1 | |
| fi | |
| echo "All CI jobs passed" |