fix(ci): bring Validate Code Quality job back to green #303
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI, Publish & Release | |
| on: | |
| push: | |
| branches: | |
| - main # Trigger on push to main branch | |
| tags: | |
| - 'v*.*.*' # Trigger on push of version tags (e.g., v0.5.5) | |
| pull_request: | |
| branches: | |
| - main # Trigger on PR to main branch | |
| merge_group: | |
| types: [checks_requested] | |
| jobs: | |
| validate: | |
| name: Validate Code Quality | |
| runs-on: [self-hosted, sylphx, linux, standard] | |
| permissions: # Added permissions | |
| actions: read | |
| contents: read | |
| security-events: write # Required for CodeQL results | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v5.0.0 | |
| # Initializes the CodeQL tools for scanning. # Added CodeQL init | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: typescript # Specify the language to analyze | |
| # Optional: config-file: './.github/codeql/codeql-config.yml' | |
| # Optional: queries: '+security-extended' | |
| - name: Set up Bun | |
| uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: 1.3.1 # Match packageManager in package.json | |
| # vitest 3.x runs its worker pool (tinypool) under Node, not the Bun | |
| # runtime (oven-sh/bun#20762). Bun is the package manager; Node executes | |
| # the `vitest` binary via its shebang during `bun run test:cov`. | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4.0.3 | |
| with: | |
| node-version: 'lts/*' # Use latest LTS | |
| - name: Install dependencies # Correct install step | |
| run: bun install --frozen-lockfile | |
| - name: Check for vulnerabilities | |
| # GHSA-2g4f-4pwh-qvx6: ajv $data-option ReDoS (moderate). The prod $data | |
| # code path is unreachable here -- the MCP SDK validates dev-defined | |
| # schemas with $data disabled, so no attacker-controlled schema reaches | |
| # the vulnerable matcher. The transitive dev ajv@6 is pinned by | |
| # eslint/@eslint/eslintrc and bun flat `overrides` can't scope a bump to | |
| # that subtree without breaking eslint. TODO: drop --ignore once the SDK | |
| # and eslint chains move to ajv>=6.14.0. | |
| run: bun audit --prod --ignore GHSA-2g4f-4pwh-qvx6 # Check only production dependencies | |
| - name: Check Formatting | |
| run: bun run check-format # Fails job if check fails | |
| - name: Lint Code | |
| run: bun run lint # Fails job if lint fails | |
| - name: Run Tests and Check Coverage | |
| run: bun run test:cov # Fails job if tests fail or coverage threshold not met | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v4.5.0 # Use Codecov action with fixed version | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} # Use Codecov token | |
| files: ./coverage/lcov.info # Specify LCOV file path | |
| fail_ci_if_error: true # Optional: fail CI if upload error | |
| - name: Upload test results to Codecov | |
| if: ${{ !cancelled() }} | |
| uses: codecov/test-results-action@v1 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| # No file specified, action defaults to common patterns like test-report.junit.xml | |
| - name: Perform CodeQL Analysis # Added CodeQL analyze | |
| uses: github/codeql-action/analyze@v3 | |
| - name: Upload coverage reports # Kept artifact upload | |
| uses: actions/upload-artifact@v5.0.0 | |
| with: | |
| name: coverage-report | |
| path: coverage/ # Upload the whole coverage directory | |
| build-archive: | |
| name: Build and Archive Artifacts | |
| needs: validate # Depends on successful validation | |
| runs-on: [self-hosted, sylphx, linux, standard] | |
| if: startsWith(github.ref, 'refs/tags/v') # Only run for tags | |
| outputs: # Define outputs for the release job | |
| version: ${{ steps.get_version.outputs.version }} | |
| artifact_path: ${{ steps.archive_build.outputs.artifact_path }} | |
| # Removed incorrect permissions block from here | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v5.0.0 | |
| # Removed incorrect CodeQL init from here | |
| - name: Set up Bun | |
| uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: 1.3.1 # Match packageManager in package.json | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| - name: Build project | |
| run: bun run build | |
| - name: Get package version from tag | |
| id: get_version | |
| run: | | |
| VERSION=$(echo "${{ github.ref }}" | sed 's#refs/tags/##') | |
| echo "version=$VERSION" >> $GITHUB_OUTPUT | |
| - name: Archive build artifacts for release | |
| id: archive_build | |
| run: | | |
| ARTIFACT_NAME="pdf-reader-mcp-${{ steps.get_version.outputs.version }}.tar.gz" | |
| tar -czf $ARTIFACT_NAME dist package.json README.md LICENSE CHANGELOG.md | |
| echo "artifact_path=$ARTIFACT_NAME" >> $GITHUB_OUTPUT | |
| - name: Upload build artifact for release job | |
| uses: actions/upload-artifact@v5.0.0 | |
| with: | |
| name: release-artifact | |
| path: ${{ steps.archive_build.outputs.artifact_path }} | |
| # Publish steps moved to parallel jobs below | |
| publish-npm: | |
| name: Publish to NPM | |
| needs: build-archive # Depends on build-archive completion | |
| runs-on: [self-hosted, sylphx, linux, standard] | |
| if: startsWith(github.ref, 'refs/tags/v') # Only run for tags | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v5.0.0 | |
| - name: Set up Bun | |
| uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: 1.3.1 # Match packageManager in package.json | |
| # setup-node only writes the npm registry .npmrc consumed by `npm publish` | |
| # (which `changeset publish` shells out to); install/build run via bun. | |
| - name: Set up npm registry auth | |
| uses: actions/setup-node@v4.0.3 | |
| with: | |
| node-version: 'lts/*' | |
| registry-url: 'https://registry.npmjs.org/' | |
| - name: Install all dependencies for prepublishOnly script | |
| run: bun install --frozen-lockfile | |
| - name: Publish to npm | |
| run: bunx changeset publish | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| publish-docker: | |
| name: Publish to Docker Hub | |
| needs: build-archive # Depends on build-archive completion | |
| runs-on: [self-hosted, sylphx, linux, standard] | |
| if: startsWith(github.ref, 'refs/tags/v') # Only run for tags | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v5.0.0 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3.6.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3.11.1 | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3.3.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5.5.1 | |
| with: | |
| images: sylphx/filesystem-mcp | |
| # Use version from the build-archive job output | |
| tags: | | |
| type=semver,pattern={{version}},value=${{ needs.build-archive.outputs.version }} | |
| type=semver,pattern={{major}}.{{minor}},value=${{ needs.build-archive.outputs.version }} | |
| type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v6.7.0 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| release: | |
| name: Create GitHub Release | |
| needs: [publish-npm, publish-docker] # Depends on successful parallel publishes | |
| runs-on: [self-hosted, sylphx, linux, standard] | |
| if: startsWith(github.ref, 'refs/tags/v') # Only run for tags | |
| permissions: | |
| contents: write # Need permission to create releases and release notes | |
| steps: | |
| - name: Download build artifact | |
| uses: actions/download-artifact@v6.0.0 | |
| with: | |
| name: release-artifact | |
| # No path specified, downloads to current directory | |
| - name: Create GitHub Release | |
| uses: softprops/action-gh-release@v2.0.6 | |
| with: | |
| tag_name: ${{ github.ref_name }} | |
| name: Release ${{ github.ref_name }} | |
| generate_release_notes: true # Auto-generate release notes from commits | |
| files: ${{ needs.build-archive.outputs.artifact_path }} # Attach the artifact archive from build-archive job | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |