chore(deps)(deps-dev): bump the development-minor-and-patch group across 1 directory with 8 updates #121
| # Continuous Integration — runs on every PR + push to main. | |
| # | |
| # Matrix: 4 platforms × 3 Node versions = 12 configurations. | |
| # Steps: clean install → build → unit tests → schemas idempotence | |
| # → npm audit (production, level=high). | |
| # | |
| # Why this exists (T26 closes RISK-REGISTER R43): | |
| # Pre-T26 the project had ZERO CI workflows running its own tests — | |
| # `npm test` 1555/1555 was only ever validated locally on the | |
| # maintainer's M-series Mac. Any cross-platform regression (Windows | |
| # path separator, Linux glibc version, Node 18 vs 22 difference, | |
| # native binary mismatch on macOS Intel vs arm64) would slip through | |
| # until a user reported it. This workflow makes "1555 测试全过" a | |
| # CI gate, not a dev claim. | |
| # | |
| # Branch protection (configured in repo Settings → Branches): | |
| # - Require this workflow to pass before merging to main | |
| # - Require integration.yml to pass (Playwright + file-lock-race) | |
| # - Require coverage.yml to pass (test:coverage:check) | |
| # - No force pushes to main | |
| # | |
| # Cost: ~12 min × 12 configs = ~2.4h CI minutes per PR. Within free | |
| # GitHub Actions tier for OSS repos (2000 min/month). | |
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| # No `branches:` filter — every PR (including stacked PRs whose base | |
| # is another feature branch) gets a CI matrix run. The earlier | |
| # `branches: [main]` filter caused stacked-PR chains (e.g. ADR-034's | |
| # 5-PR Phase 0 sequence) to ship with only the dogfood smoke test | |
| # passing, masking platform-specific regressions until the chain | |
| # eventually rebased onto main. | |
| # Cancel in-flight runs on the same ref to avoid wasting compute when | |
| # a PR is rapidly updated. | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| test: | |
| name: Test (${{ matrix.os }} · Node ${{ matrix.node }}) | |
| runs-on: ${{ matrix.os }} | |
| # Windows: most known platform-specific issues fixed in fix/ci-baseline-recovery | |
| # (line-ending CRLF: addressed via .gitattributes; logger.test.ts ENOTEMPTY: | |
| # addressed by tracking + closing pino destinations in _resetLoggerForTests). | |
| # Remaining flaky cross-process tests (mcp-stdio-e2e, mcp-concurrency-e2e) | |
| # surface as warnings rather than gates while the underlying child-process | |
| # initialization races are investigated. package.json `os` still lists | |
| # win32 as supported. | |
| continue-on-error: ${{ matrix.os == 'windows-latest' }} | |
| strategy: | |
| # Don't fail the entire matrix when one config fails — surface ALL | |
| # platform issues, not just the first. | |
| fail-fast: false | |
| matrix: | |
| # macos-13 = Intel x64; macos-14 = Apple Silicon arm64. We run both | |
| # because better-sqlite3 + sharp ship distinct prebuilt binaries | |
| # per arch. | |
| os: [ubuntu-latest, macos-13, macos-14, windows-latest] | |
| # Node 18 dropped from CI: vitest 4 (via rolldown) imports | |
| # `util.styleText` which is Node 20+. Node 18 hit EOL 2025-04. | |
| # `package.json` engines still says `>=18` for now; tightening | |
| # that is a separate semver decision (would be a breaking | |
| # change for any user still on Node 18 even if it never worked | |
| # with the current test toolchain). | |
| node: [20, 22] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Setup Node ${{ matrix.node }} | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| cache: npm | |
| - name: npm ci | |
| run: npm ci | |
| - name: Build | |
| run: npm run build | |
| - name: Unit tests (vitest) | |
| run: npm test | |
| - name: Schemas idempotence | |
| # `npm run schemas` regenerates docs/schemas/*.json from the | |
| # Zod source. If running it produces uncommitted changes, | |
| # someone forgot to commit a regeneration after editing a | |
| # schema source — fail loudly instead of silently shipping | |
| # diff between source code and published JSON Schemas. | |
| shell: bash | |
| run: | | |
| npm run schemas | |
| if ! git diff --quiet docs/schemas/; then | |
| echo "::error::npm run schemas produced uncommitted changes." | |
| echo "::error::Run \`npm run schemas\` locally and commit the regenerated docs/schemas/*.json" | |
| git diff docs/schemas/ | |
| exit 1 | |
| fi | |
| - name: npm audit (production, moderate+) | |
| # ADR-029 (Stagehand v3 migration) closed the 3 v1.0 transitive | |
| # moderate waivers. Stagehand v3.3.0 introduced 5 new transitive | |
| # moderate findings (langsmith / uuid family); we resolve them | |
| # via `package.json#overrides` (`langsmith ^0.6.0`, `uuid | |
| # ^14.0.0`) — verified by T5 Stagehand smoke at runtime. Result: | |
| # `npm audit --production` reports 0 vulnerabilities, so the | |
| # gate can run at `--audit-level=moderate` instead of `high`. | |
| run: npm audit --production --audit-level=moderate | |
| - name: License compliance (allowlist) | |
| # Run only on Ubuntu × Node 20 — license metadata is the same | |
| # across platforms; running on every matrix config is wasteful. | |
| # Allowlist + rationale lives in | |
| # docs/THIRD_PARTY_LICENSES.md. | |
| if: matrix.os == 'ubuntu-latest' && matrix.node == 20 | |
| run: npm run license:check | |
| - name: Vendor drift check (stealth-core) | |
| # GitHub-hosted runners don't have an upstream stealth-core source | |
| # tree available, so AUDIT_VENDOR_DRIFT_SKIP_IF_MISSING=1 turns | |
| # the check into a no-op when the canonical tree is absent. The | |
| # check still catches drift in any environment where the canonical | |
| # IS present (maintainer machines, dedicated runners, etc.). | |
| # See ADR-032 for the vendor model and intended drift workflow. | |
| if: matrix.os == 'ubuntu-latest' && matrix.node == 20 | |
| env: | |
| AUDIT_VENDOR_DRIFT_SKIP_IF_MISSING: "1" | |
| run: npm run check:vendor-drift |
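Review bot: No top-level `permissions:` block is visible between `name: CI` and `jobs:`, so every matrix job runs with the repository's default GITHUB_TOKEN scope even though nothing in these steps needs more than checkout; adding `permissions:` / `contents: read` after the `concurrency:` block keeps a compromised package executed by `npm ci`, `npm run build` or `npm test` from using the job token to write to the repository. The `uses: actions/checkout@v6` and `uses: actions/setup-node@v6` steps are pinned to mutable major tags; pinning to a full-length commit SHA with the version in a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v6`) makes the action content immutable, and Dependabot can keep such pins current, which suits a dependency-bump PR like this one. The header comment `# → npm audit (production, level=high).` is also stale, since the step itself runs `npm audit --production --audit-level=moderate` and its own comment explains the move to moderate; the header should say `level=moderate` so the documented gate matches the executed one. These matter more than usual here because the header documents this workflow as a required branch-protection check.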